CI4MS: Stored Cross‑Site Scripting (Stored XSS) in Backend User Management Allows Session Hijacking and Full Administrative Account Compromise

Summary A critical Stored Cross-Site Scripting Stored XSS vulnerability exists in the backend user management functionality. The application fails to properly sanitize user-controlled input before rendering it in the administrative interface, allowing attackers to inject persistent JavaScript cod...

GHSA-X7WH-G25G-53VG CI4MS: Blogs Posts Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Summary Vulnerability: Stored DOM XSS via Blog Post Content Persistent Payload Injection - Stored Cross-Site Scripting via Unsanitized Blog Post Content in Blog Management Description The application fails to properly sanitize user-controlled input when creating or editing blog posts. An attacker...

Cross-site Scripting (XSS)

Overview ci4-cms-erp/ci4ms is a composer create-project ci4-cms-erp/ci4ms Affected versions of this package are vulnerable to Cross-site Scripting XSS via unsanitized input in the Social Media Management configuration fields. An attacker can execute arbitrary JavaScript in the browser context of ...

EUVD-2026-17945

A vulnerability in the web-based management interface of Cisco IMC could allow an authenticated, remote attacker with administrative privileges to conduct a stored XSS attack against a user of the interface. This vulnerability is due to insufficient validation of user input. An attacker could...

CVE-2026-20041

A vulnerability in Cisco Nexus Dashboard and Cisco Nexus Dashboard Insights could allow an unauthenticated, remote attacker to conduct a server-side request forgery SSRF attack through an affected device. This vulnerability is due to improper input validation for specific HTTP requests. An attack...

CVE-2026-20089

CVE-2026-20089 affects the web-based management interface of Cisco IMC. It is a stored XSS vulnerability caused by insufficient input validation. An authenticated administrator can entice a user to click a crafted link, enabling the attacker to execute arbitrary script code in the user’s browser ...

CVE-2026-20041 Cisco Nexus Dashboard Server Side Request Forgery Vulnerability

A vulnerability in Cisco Nexus Dashboard and Cisco Nexus Dashboard Insights could allow an unauthenticated, remote attacker to conduct a server-side request forgery SSRF attack through an affected device. This vulnerability is due to improper input validation for specific HTTP requests. An attack...

CVE-2026-20041 Cisco Nexus Dashboard Server Side Request Forgery Vulnerability

A vulnerability in Cisco Nexus Dashboard and Cisco Nexus Dashboard Insights could allow an unauthenticated, remote attacker to conduct a server-side request forgery SSRF attack through an affected device. This vulnerability is due to improper input validation for specific HTTP requests. An attack...

CVE-2026-20041

The CVE-2026-20041 entry concerns Cisco Nexus Dashboard and Nexus Dashboard Insights with a server-side request forgery (SSRF) vulnerability due to improper input validation in specific HTTP requests. The flaw could allow an attacker to persuade an authenticated user of the device management inte...

CVE-2025-10551

A Stored Cross-site Scripting XSS vulnerability affecting Document Management in ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session...

GHSA-5724-X3RH-5QQQ YesWiki has Multiple Reflected Cross-site Scripting Vulnerabilities

Summary Multiple reflected Cross-site Scripting XSS vulnerabilities across both authenticated and unauthenticated portions of the application. These findings present a significant security risk, as they can be leveraged to execute arbitrary JavaScript in a victim’s browser under various contexts...

PT-2026-29555

Name of the Vulnerable Software and Affected Versions Cisco IMC affected versions not specified Description A flaw exists in the web-based management interface of Cisco IMC that may allow a remote attacker with administrative privileges to perform a stored Cross-Site Scripting XSS attack against ...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the destination parameter rendered on the challenge page using text/template. An attacker can execute arbitrary JavaScript in the context of the victim's browser by supplying a crafted value that breaks out ...

GHSA-WWRJ-437C-PPQ4 Duplicate Advisory: OpenClaw's system.run approvals did not bind mutable script operands across approval and execution

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-8g75-q649-6pv6. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run where mutable script operands are no...

CVE-2026-32921

OpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run where mutable script operands are not bound across approval and execution phases. Attackers can obtain approval for script execution, modify the approved script file before execution, and execute different content...

CVE-2026-32921

OpenClaw CVE-2026-32921 affects OpenClaw prior to version 2026.3.8. The vulnerability is an approval bypass in system.run where mutable script operands are not bound across the approval and execution phases. An attacker who gains approval for script execution can modify the approved script file b...

CVE-2025-10553

A Stored Cross-site Scripting XSS vulnerability affecting Factory Resource Management in DELMIA Factory Resource Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session...

HCL Aftermarket DPC File Upload Vulnerability

HCL Aftermarket DPC is a digital spare parts and aftermarket management platform for HCL India. HCL Aftermarket DPC suffers from a file upload vulnerability, which stems from the application not strictly verifying or filtering user uploaded files, and can be exploited by an attacker to upload and...

MAL-2026-2298 Malicious code in hiveos-sdk (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 6d040e58dddde324da836a19a41eb5c65698ef869ed3e534f662136f1fb48440 Clones of legitimate libraries with malicious modifications intended to download malicious remote code. The remote script allows executing arbitrary files...

EUVD-2026-17046

A non-administrative user can upload malicious files. When an administrator or the product accesses that file, an arbitrary script may be executed on the administrator's browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life EOL, are affected by the vulnerability as well...