70 matches found
CVE-2026-27136
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering...
CVE-2026-42502
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering...
UBUNTU-CVE-2026-27136
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering...
PT-2026-25960
Name of the Vulnerable Software and Affected Versions GLPI Inventory Plugin versions prior to 1.6.6 Description The GLPI Inventory Plugin manages network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to version 1.6.6, unsanitized user input could lead to an...
CVE-2016-20036
Wowza Streaming Engine 4.5.0 contains multiple reflected cross-site scripting vulnerabilities in the enginemanager interface where input passed through various parameters is not properly sanitized before being returned to users. Attackers can inject malicious script code through parameters like...
EUVD-2023-47675
Malicious code in bioql PyPI...
CVE-2025-22242
Worker process denial of service through file read operation. A vulnerability exists in the Master's “pubret” method, which is exposed to all minions. The un-sanitized input value “jid” is used to construct a path which is then opened for reading. An attacker could exploit this vulnerability by...
CVE-2025-22242 salt advisory
Worker process denial of service through file read operation. A vulnerability exists in the Master's “pubret” method, which is exposed to all minions. The un-sanitized input value “jid” is used to construct a path which is then opened for reading. An attacker could exploit this vulnerability by...
PT-2025-25397 · Unknown +1 · Salt-Master +1
Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: A denial of service issue exists due to a vulnerability in the Master's pubret method, which is exposed to all minions. The un-sanitized input value jid is used to construct a path that is...
express: Improper Input Handling in Express Redirects
A flaw was found in Express. Passing untrusted user input to response.redirect can produce an open redirect, even if the input has been sanitized...
CVE-2024-20461 Cisco ATA 190 Series Analog Telephone Adapter Firmware Command Injection Vulnerability
A vulnerability in the CLI of Cisco ATA 190 Series Analog Telephone Adapter firmware could allow an authenticated, local attacker with high privileges to execute arbitrary commands as the root user. This vulnerability exists because CLI input is not properly sanitized. An attacker could exploit...
CVE-2024-20461
CVE-2024-20461 affects Cisco ATA 190 Series Analog Telephone Adapter firmware. The vulnerability stems from insufficient sanitization of CLI input, allowing an authenticated, local attacker with high privileges to execute arbitrary commands as root and potentially read/write the underlying OS. Co...
CVE-2024-37156 TokenController formName not sanitized in hidden input
The SuluFormBundle adds support for creating dynamic forms in Sulu Admin. The TokenController get parameter formName is not sanitized in the returned input field which leads to XSS. This vulnerability is fixed in 2.5.3...
CVE-2023-29049
Open-Xchange App Suite frontend 7.10.6-rev33 is affected by CVE-2023-29049, a Cross-Site Scripting vulnerability in the portal’s upsell widget that could allow injection of arbitrary script code. The issue stems from unsanitized user input in the widget, and has been mitigated by sanitizing input...
Cross site scripting
A vulnerability exists in the webserver that affects the RTU500 series product versions listed below. A malicious actor could perform cross-site scripting on the webserver due to user input being improperly sanitized...
CVE-2023-43256
A path traversal in Gladys Assistant v4.26.1 and below allows authenticated attackers to extract sensitive files from the host machine by exploiting non-sanitized user input...
CVE-2023-21412 Non-sanitized user input could lead to SQL injections in AXIS License Plate Verifier
User provided input is not sanitized on the AXIS License Plate Verifier specific “search.cgi” allowing for SQL injections...
CVE-2023-21410 Non-sanitized user input could lead to arbitrary code execution in AXIS License Plate Verifier
User provided input is not sanitized on the AXIS License Plate Verifier specific “api.cgi” allowing for arbitrary code execution...
GHSA-H42J-MRMP-9369 git-commit-info vulnerable to Command Injection
Versions of the package git-commit-info before 2.0.2 are vulnerable to Command Injection such that the package-exported method gitCommitInfo fails to sanitize its parameter commit, which later flows into a sensitive command execution API. As a result, attackers may inject arguments to the git...