567 matches found
SUSE CVE-2026-27136
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering...
SUSE CVE-2026-42502
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering...
EUVD-2026-32093
The Auto Thumbnail plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'thumbnails' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on the shortcode's 'width' and 'height' attributes in the athnthumbnail...
CVE-2026-27136
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering...
CVE-2026-42502
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering...
DEBIAN-CVE-2026-42502
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering...
UBUNTU-CVE-2026-27136
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering...
Unity Linux 20.1060e / 20.1070e Security Update: nodejs-underscore (UTSA-2026-016621)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016621 advisory. The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function,...
bug-bounty-reports
Bug Bounty Reports — Josef Basner Sanitized, redacted, resp...
CVE-2026-5364 Drag and Drop File Upload for Contact Form 7 <= 1.1.3 - Unauthenticated Arbitrary File Upload via sanitize_file_name Bypass
The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.1.3. This is due to the plugin extracting the file extension before sanitization occurs and allowing the file type parameter to be controlled by the...
CLSA-2026-1776687226 Fix CVE(s): CVE-2024-52005
SECURITY UPDATE: ANSI escape sequence injection via sideband - debian/patches/CVE-2024-52005.patch: add strbufaddsanitized to mask control characters in sideband output in sideband.c. - CVE-2024-52005...
GHSA-2943-CRP8-38XX goshs is Missing Write Protection for Parametric Data Values
Summary The SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. Details Here is the issue: go // helper.go:155-215 func cmdFileroot string, r sftp.Request, ip string, sftpServer SFTPServer error fullPath...
CVE-2026-40188 goshs is Missing Write Protection for Parametric Data Values
goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4...
Desktop Window Manager Core Library 10.0.10240.0 - Privilege Escalation
Title: Desktop Window Manager Core Library 10.0.10240.0 — Privilege Escalation Heap-based Buffer Overflow sanitized evidence Author: nu11secur1ty Date: 2025-11-04 Vendor: Microsoft Software: Windows Desktop Window Manager DWM — DWM Core Library affected desktop/server releases as per vendor...
EUVD-2026-17101
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the addstock.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML...
PT-2026-29032
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the view supplier.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script o...
CVE-2026-30559
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the addsales.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML...
PT-2026-29042
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add supplier.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or...
CVE-2026-30569
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the viewstockavailability.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web...