Positive Technologies · added 2026/05/18 12:00 a.m.

PT-2026-41694

Name of the Vulnerable Software and Affected Versions: Arcane versions prior to 1.19.0. Description: The unauthenticated 'GET /api/app-images/logo' endpoint reflects a user-supplied color query parameter into the body of an SVG document using strings.ReplaceAll without proper escaping. This...

CVSS 8.2 · AI score 5.8 · EPSS 0.00033
Exploits: 0 · References: 8
EUVD · added 2026/04/28 12:00 a.m.

EUVD-2026-26003

KDE Dolphin before 25.12.3 allows applications in a Flatpak or with AppArmor confinement to open folders outside of the application sandbox without additional scrutiny. Dolphin's implementation of the FileManager1 protocol allows the path given to be any type of file, including scripts or...

CVSS 6.5 · AI score 5.2 · EPSS 0.00016
Exploits: 0 · References: 3
EUVD · added 2026/03/27 6:31 a.m.

EUVD-2026-16553

WordPress Plugin "OpenStreetMap" provided by MiKa contains a cross-site scripting vulnerability. On a site with the affected version of the plugin enabled, a logged-in user with page-creating/editing privileges can embed a malicious script via a crafted HTTP request. When a victim user...

CVSS 5.4 · AI score 5.7 · EPSS 0.00026
Exploits: 0 · References: 3
Positive Technologies · added 2026/01/27 12:00 a.m.

PT-2026-5043

Name of the Vulnerable Software and Affected Versions: DNN (formerly DotNetNuke) versions prior to 9.13.10; DNN (formerly DotNetNuke) versions prior to 10.2.0. Description: DNN (formerly DotNetNuke) is an open-source web content management platform. Prior to versions 9.13.10 and 10.2.0, the module title...

CVSS 9.1 · AI score 5.9 · EPSS 0.00055
Exploits: 0 · References: 16
EUVD · added 2026/01/21 9:36 p.m.

EUVD-2026-3775

Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed authenticated staff users or Apps to upload arbitrary files, including malicious HTML and SVG files containing JavaScript. Depending on the deployment strategy, these...

CVSS 8.5 · AI score 5.9 · EPSS 0.00061
Exploits: 1 · References: 7
Positive Technologies · added 2025/12/15 12:00 a.m.

PT-2025-51217

Name of the Vulnerable Software and Affected Versions: Wekan versions prior to 18.16. Description: An issue exists in Wekan, an open-source kanban board system, where uploaded attachments can be served with a Content-Type controlled by an attacker, specifically text/html. This allows for the executi...

CVSS 8.1 · AI score 6.6 · EPSS 0.00035
Exploits: 0 · References: 8
EUVD · added 2025/10/07 12:30 a.m.

EUVD-2020-27434

Malware in sbrugna...

CVSS 9 · AI score 9.2 · EPSS 0.00892
Exploits: 0 · References: 3
EUVD · added 2025/10/03 8:07 p.m.

EUVD-2025-23247

Malicious code in bioql PyPI...

CVSS 8 · AI score 7 · EPSS 0.00148
Exploits: 0 · References: 2
Tenable Nessus · added 2025/08/06 12:00 a.m.

Linux Distros Unpatched Vulnerability : CVE-2022-29911

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - An improper implementation of the new iframe sandbox keyword allow-top-navigation-by-user-activation could lead to script execution without allow-scripts being...

CVSS 6.1 · AI score 7.7 · EPSS 0.00317
Exploits: 0 · References: 2
Positive Technologies · added 2025/07/31 12:00 a.m.

PT-2025-31481 · Powercms · Powercms

Name of the Vulnerable Software and Affected Versions: PowerCMS, affected versions not specified. Description: Multiple versions of PowerCMS allow unrestricted upload of dangerous files. If a product administrator accesses a malicious file uploaded by a user, an arbitrary script may be executed in...

CVSS 8 · AI score 6.4 · EPSS 0.00148
Exploits: 0 · References: 6
NVD · added 2025/06/23 1:15 p.m.

CVE-2025-6512

On a client with a non-admin user, a script can be integrated into a report. The reports could later be executed on the BRAIN2 server with administrator rights...

CVSS 10 · EPSS 0.00376
Exploits: 0 · References: 1
Github Security Blog · added 2025/06/18 2:41 p.m.

OpenList (frontend) allows XSS Attacks in the built-in Markdown Viewer

XSS via .py file containing script tag interpreted as HTML. Summary: A vulnerability exists in the file preview/browsing feature of the application, where files with a .py extension that contain JavaScript code wrapped in script tags may be interpreted and executed as HTML in certain modes. This leads to ...

CVSS 6.5 · AI score 5.7 · EPSS 0.00198
Exploits: 0 · References: 4 · Affected software: 1
Cvelist · added 2025/06/13 3:45 p.m.

CVE-2025-49580 XWiki allows privilege escalation through link refactoring

XWiki is a generic wiki platform. From 8.2 and 7.4.5 until 17.1.0-rc-1, 16.10.4, and 16.4.7, pages can gain script or programming rights when they contain a link and the target of the link is renamed or moved. This might lead to execution of scripts contained in xobjects that should have never be...

CVSS 8.5 · EPSS 0.00799
Exploits: 1 · References: 3
RedhatCVE · added 2025/05/22 6:47 p.m.

CVE-2021-41790

An issue was discovered in Hyland org.alfresco:alfresco-content-services through 7.0.1.2. Script Action execution allows executing scripts uploaded outside of the Data Dictionary. This could allow a logged-in attacker to execute arbitrary code inside a sandboxed environment...

CVSS 8.8 · AI score 7.8 · EPSS 0.00853
Exploits: 0
Positive Technologies · added 2025/05/05 12:00 a.m.

PT-2025-19751 · Dbsyncer · Dbsyncer

Name of the Vulnerable Software and Affected Versions: DBSyncer version 2.0.6. Description: A stored cross-site scripting (XSS) issue in the Edit Profile feature allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the Nickname parameter. Recommendations: For...

CVSS 5.4 · AI score 5.3 · EPSS 0.00187
Exploits: 1 · References: 8
OSV · added 2024/07/19 11:08 a.m.

OESA-2024-1856 httpd security update

Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server. Security Fixes: A substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or...

CVSS 9.8 · AI score 7 · EPSS 0.01924
Exploits: 0 · References: 3
Positive Technologies · added 2024/02/27 12:00 a.m.

PT-2024-21392 · Zhimengzhe · Ibarn

Name of the Vulnerable Software and Affected Versions: zhimengzhe iBarn version 1.5. Description: A reflected cross-site scripting (XSS) vulnerability allows attackers to inject malicious JavaScript into the web browser of a victim via the search parameter in "offer.php". This issue enables attacker...

CVSS 5.4 · AI score 5.4 · EPSS 0.0021
Exploits: 0 · References: 6
OSV · added 2023/12/26 8:15 a.m.

CVE-2023-50339

A stored cross-site scripting vulnerability exists in the User Management /admin/users page of GROWI versions prior to v6.1.11. If this vulnerability is exploited, an arbitrary script may be executed in the web browser of a user who accessed the site using the product...

CVSS 5.4 · AI score 5.9
Exploits: 0 · References: 2
Positive Technologies · added 2023/12/26 12:00 a.m.

PT-2023-31271 · Growi · Growi

Name of the Vulnerable Software and Affected Versions: GROWI versions prior to v6.0.0. Description: A stored cross-site scripting issue exists in the event handlers of the pre tags. If exploited, an arbitrary script may be executed in the web browser of a user who accessed the site using the...

CVSS 5.4 · AI score 5.3 · EPSS 0.00492
Exploits: 0 · References: 8
Positive Technologies · added 2023/07/28 12:00 a.m.

PT-2023-25687 · 3S Smart Software Solutions · Codesys Development System +1

Name of the Vulnerable Software and Affected Versions: CODESYS Development System versions 3.5.9.0 through 3.5.17.0; CODESYS Scripting versions 4.0.0.0 through 4.1.0.0. Description: The issue is related to unsafe directory permissions in the affected software. This could allow an attacker with loca...

CVSS 7.3 · AI score 6.9 · EPSS 0.00026
Exploits: 0 · References: 4