20043 matches found

NVD
added 2026/04/04 4:17 a.m., 1 view

CVE-2026-2924

The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'imageLoad' parameter in versions up to, and including, 3.4.6 due to insufficient input sanitization and output escaping. This makes it possible for...

CVSS 6.4, EPSS 0.00199
Exploits 0, References 2

Cvelist
added 2026/04/04 2:26 a.m., 21 views

CVE-2026-2949 Xpro Addons — 140+ Widgets for Elementor <= 1.4.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Icon Box Widget

The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Icon Box widget in versions up to, and including, 1.4.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 6.4, EPSS 0.00159
Exploits 0, References 2

CVE
added 2026/04/04 12:0 a.m., 9 views

CVE-2026-34779

CVE-2026-34779 affects Electron on macOS prior to patches 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8. The vulnerability arises in the AppleScript fallback path used by app.moveToApplicationsFolder(), which failed to properly handle certain characters in the application bundle path. Under specific ...

CVSS 7.8, AI score 6.1, EPSS 0.00161
Exploits 0, References 1, Affected Software 1

CNNVD
added 2026/04/04 12:0 a.m., 3 views

WordPress plugin ElementsKit Elementor Addons and Templates cross-site scripting vulnerability

WordPress is a blogging platform developed using the PHP language. The platform has the ability to set up a personal blog site on a PHP and MySQL based server. WordPress plugin is an application plugin. A cross-site scripting vulnerability exists in the WordPress plugin ElementsKit Elementor Addon...

CVSS 6.4, AI score 5.7, EPSS 0.00293
Exploits 1, References 2

NVD
added 2026/04/02 8:16 p.m., 3 views

CVE-2026-34848

hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is a stored XSS vulnerability in the team member overflow tooltip via display name. This issue has been patched in version 2026.3.0...

CVSS 5.4, EPSS 0.00141
Exploits 0, References 2

CVE
added 2026/04/02 6:2 p.m., 4 views

CVE-2026-34725

DbGate (multi-platform: web and Electron desktop) contains a stored XSS in the icon rendering path impacting versions 7.0.0–7.1.5. Attacker-controlled SVG icons stored as applicationIcon are rendered without sanitization, enabling script execution in another user’s browser (web UI) and, in Electr...

CVSS 8.2, AI score 6.2, EPSS 0.00168
Exploits 0, References 3

EUVD
added 2026/04/02 3:31 p.m., 1 view

EUVD-2026-18306

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the mimetypes parameter to /cgi-bin/proxypolicy.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page...

CVSS 6.4, AI score 5.9, EPSS 0.00138
Exploits 0, References 3

EUVD
added 2026/04/02 3:31 p.m., 2 views

EUVD-2026-18298

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/outgoingfw.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page...

CVSS 6.4, AI score 5.9, EPSS 0.00138
Exploits 0, References 3

ATTACKERKB
added 2026/04/02 2:46 p.m., 1 view

CVE-2026-34822

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the newcertname parameter to /manage/ca/certificate/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page...

CVSS 6.4, AI score 5.9, EPSS 0.00092
Exploits 0, References 3, Affected Software 1

Positive Technologies
added 2026/04/02 12:0 a.m., 2 views

PT-2026-29770

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/vpnfw.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page...

CVSS 6.4, AI score 5.9, EPSS 0.00138
Exploits 0, References 3

RedhatCVE
added 2026/04/01 11:0 p.m., 3 views

CVE-2026-34739

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the UserLocation plugin's testIP.php page reflects the ip request parameter directly into an HTML input element without applying htmlspecialchars or any other output encoding. This allows an attacker to inject arbitrary HTM...

CVSS 6.1, AI score 6, EPSS 0.0022
Exploits 1, References 1

RedhatCVE
added 2026/04/01 11:0 p.m., 2 views

CVE-2026-2480

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'maxwidth' attribute of the subox shortcode in all versions up to, and including, 7.4.10 due to insufficient input sanitization and output escaping on user supplied attributes...

CVSS 6.4, AI score 6, EPSS 0.00197
Exploits 0, References 1

Cvelist
added 2026/04/01 9:32 p.m., 19 views

CVE-2026-34571 CI4MS: Stored Cross‑Site Scripting (Stored XSS) in Backend User Management Allows Session Hijacking and Full Administrative Account Compromise

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, a Stored Cross-Site Scripting (Stored XSS) vulnerability exists in the backend user management functionality. The application fail...

CVSS 9.9, EPSS 0.00393
Exploits 1, References 2

CVE
added 2026/04/01 9:25 p.m., 6 views

CVE-2026-34563

CVE-2026-34563 (CI4MS) is a vulnerability in the CodeIgniter 4–based CMS skeleton where, before version 0.31.0.0, user input is not properly sanitized during backup uploads and backup metadata processing. An attacker can inject a malicious JavaScript payload into the backup filename via an xss.sq...

CVSS 9.1, AI score 5.8, EPSS 0.00269
Exploits 1, References 2, Affected Software 1

Github Security Blog
added 2026/04/01 7:20 p.m., 3 views

Securing the open source supply chain across GitHub

Over the past year, a new pattern has emerged in attacks on the open source supply chain. Attackers are focusing on exfiltrating secrets like API keys in order to both publish malicious packages from an attacker-controlled machine as well as gain access to more projects in order to propagate the...

AI score 5.9
Exploits 0

EUVD
added 2026/04/01 3:31 p.m., 0 views

EUVD-2026-17899

A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Zoo Management System v1.0. The vulnerability is located in the login page, specifically within the msg parameter. The application reflects the content of the msg parameter back to the user without proper HTML encoding or...

CVSS 6.1, AI score 6, EPSS 0.00252
Exploits 1, References 2

NVD
added 2026/04/01 3:22 p.m., 1 view

CVE-2026-30526

A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Zoo Management System v1.0. The vulnerability is located in the login page, specifically within the msg parameter. The application reflects the content of the msg parameter back to the user without proper HTML encoding or...

CVSS 6.1, EPSS 0.00252
Exploits 1, References 1

AstraLinux
added 2026/04/01 3:55 a.m., 2 views

Astra Linux – Vulnerability in Chromium

Insufficient policy enforcement in the WebView tag in Google Chrome prior to version 143.0.7499.192 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. Chromium security severity: High...

CVSS 8.8, AI score 5.9, EPSS 0.06545
Exploits 2, References 3

CNNVD
added 2026/04/01 12:0 a.m., 1 view

SourceCodester Zoo Management System security vulnerability

The SourceCodester Zoo Management System is an open-source zoo management system developed by SourceCodester. Version 1.0 of the SourceCodester Zoo Management System contains a security vulnerability. This vulnerability stems from a reflected cross-site scripting vulnerability in the msg paramet...

CVSS 6.1, AI score 5.8, EPSS 0.00252
Exploits 1, References 1

CNNVD
added 2026/04/01 12:0 a.m., 3 views

Xenforo security vulnerability

Xenforo is a forum software developed by the Xenforo company. Versions of XenForo prior to 2.3.10 and 2.2.19 contained security vulnerabilities. These vulnerabilities stemmed from the use of structured text references that allowed for cross-site scripting attacks, potentially allowing attackers t...

CVSS 6.4, AI score 5.7, EPSS 0.00165
Exploits 1, References 2