protobuf.js: Prototype injection in generated message constructors

Summary protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the proto key. If an application constructed a message from an attacker-controlled plain object, an own enumerable proto property could alter the prototype of that...

PSF-2026-14

The webbrowser.open API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open...

GHSA-G3HP-VVQF-8VW6 Craft CMS Vulnerable to Stored XSS via User Group Name in User Permissions Page

Summary A stored XSS vulnerability exists in the User Permissions page. The User Group name is rendered without proper HTML escaping in the permissions section, allowing an attacker to execute arbitrary JavaScript when another user views or edits a user's permissions. !NOTE This is a separate...

GHSA-WJ89-2385-GPX3 Craft Commerce has stored XSS in Inventory Location Name

Summary A stored XSS vulnerability exists in the Commerce Settings - Inventory Locations page. The Name field is rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript. This XSS triggers when an administrator or user with product editing permissions creates or...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the addImage and html methods. An attacker can cause excessive memory allocation and application unavailability by supplying malicious GIF files with large width or height values ...

CVE-2026-25535

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the first argument of the addImage method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful GIF file that results in...

PT-2025-46988

Name of the Vulnerable Software and Affected Versions SVX Portal version 2.7A Description A Reflected Cross-Site Scripting XSS issue exists in SVX Portal version 2.7A. The issue is located in the Recivers.php file, specifically through the id parameter. An attacker can exploit this to inject...

PT-2025-44276

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description The Linux kernel contains a flaw related to SCSI Enclosure Services SES. Specifically, the issue involves potential out-of-bounds accesses to addl desc ptr within the ses enclosure data...

EUVD-2022-4109

Malicious code in bioql PyPI...

CVE-2024-23644

Trillium is a composable toolkit for building internet applications with async rust. In trillium-http prior to 0.3.12 and trillium-client prior to 0.5.4, insufficient validation of outbound header values may lead to request splitting or response splitting attacks in scenarios where attackers have...

CVE-2025-26530 Reflected XSS via question bank filter

The question bank filter required additional sanitizing to prevent a reflected XSS risk...

GHSA-Q9JV-MM3R-J47R PhpSpreadsheet allows bypass XSS sanitizer using the javascript protocol and special characters

Bypass XSS sanitizer using the javascript protocol and special characters Product: Phpspreadsheet Version: version 3.6.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' CVSS vector v.3.1: 5.4 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS vector v.4.0:...

GHSA-JMPX-686V-C3WX PhpSpreadsheet allows unauthorized Reflected XSS in the constructor of the Downloader class

Unauthorized Reflected XSS in the constructor of the Downloader class Product: Phpspreadsheet Version: version 3.6.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' CVSS vector v.3.1: 8.2 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N CVSS vector v.4.0: 8.3...

CVE-2022-30596

A flaw was found in moodle where ID numbers displayed when bulk allocating markers to assignments required additional sanitizing to prevent a stored XSS risk...

Injection

Overview std/net is a Go standard library package std/net Affected versions of this package are vulnerable to Injection. Go Vulnerability Report: The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions and their respective methods on the Resolver type may return arbitrary values...

CVE-2018-8046

The getTip method of Action Columns of Sencha Ext JS 4 to 6 before 6.6.0 is vulnerable to XSS attacks, even when passed HTML-escaped data. This framework brings no built-in XSS protection, so the developer has to ensure that data is correctly sanitized. However, the getTip method of Action Column...

phpBBShadow.txt

--------------------------------------------------------------------------- Shadow Prémod = 2.7.1 phpbbrootpath Remote File Include Vulnerability --------------------------------------------------------------------------- Discovered By Kw3RLn Romanian Security Team : hTTp://RST-CREW.net : Remote ...