PT-2026-26279

HCL Connections is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user which leads to executing malicious script code. This may allow the attacker steal cookie-based authentication credential...

Cross-Site Scripting (XSS)

code.gitea.io/gitea is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper handling of user input in the search input box used for creating tags and branches, where v-html is used instead of v-text, which allows an attacker to inject and execute malicious scripts in the...

CVE-2026-31938 jsPDF has HTML Injection in New Window paths

jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of the options argument of the output function allows attackers to inject arbitrary HTML such as scripts into the browser context the created PDF is opened in. The vulnerability can be exploited in the followi...

Improper Encoding or Escaping of Output

Overview jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the createAnnotation method, whose color parameter can be injected with script objects. An attacker can inject PDF objects as freetext...

EUVD-2015-9411

Next Click Ventures RealtyScript 4.0.2 fails to properly sanitize file uploads, allowing attackers to store malicious scripts through the file POST parameter in admin/tools.php. Attackers can upload files containing JavaScript code that executes in the context of admin/tools.php when accessed by...

CVE-2015-20114

Next Click Ventures RealtyScript 4.0.2 contains a cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious input through multiple parameters that are not properly sanitized. Attackers can craft requests with injected script payloads...

RealtyScript 跨站脚本漏洞

RealtyScript is a real estate website management system developed by RealtyScript Corporation. Version 4.0.2 of RealtyScript contains a cross-site scripting vulnerability. This vulnerability stems from improper cleaning of multiple parameters, which may allow attackers to inject malicious input a...

PT-2026-25717

Next Click Ventures RealtyScript 4.0.2 contains a cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious input through multiple parameters that are not properly sanitized. Attackers can craft requests with injected script payloads...

Cisco Secure Firewall Management Center Software Authentication Bypass (cisco-sa-onprem-fmc-authbypass-5JPp45V2)

A vulnerability in the web interface of Cisco Secure Firewall Management Center FMC Software could allow an unauthenticated, remote attacker to bypass authentication and execute script files on an affected device to obtain root access to the underlying operating system. This vulnerability is due ...

CVE-2026-32139

DataEase is an open-source data visualization tool. In DataEase 2.10.19 and earlier, the static resource upload interface allows SVG uploads. Backend validation only checks that the XML is parseable and that the root node is svg, and does not sanitize active content (e.g., onload/onerror event ha...

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition through the system.run approval flow. An attacker can execute unauthorized or modified scripts by obtaining approval for a script execution...

Vulnerabilities fixed in Adobe Experience Manager

Adobe has fixed vulnerabilities in Adobe Experience Manager versions 6.5.23 and earlier. The vulnerability is in the way input in form fields is sanitized. This allows attackers to insert malicious JavaScript code. When other users open the affected content, the injected scripts are executed in...

CVE-2026-32117

The grafanacubism-panel plugin allows use of cubism.js in Grafana. In 0.1.2 and earlier, the panel's zoom-link handler passes a dashboard-editor-supplied URL directly to window.location.assign / window.open with no scheme validation. An attacker with dashboard Editor privileges can set the link t...

CVE-2026-32124

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, the dynamic code picker AJAX endpoint returns code descriptions codetext that are rendered in the front end e.g. DataTables without HTML escaping. If an administrator or user...

CVE-2026-20116

A vulnerability in the web-based management interface of Cisco Finesse, Cisco Packaged Contact Center Enterprise Packaged CCE, Cisco Unified Contact Center Enterprise Unified CCE, Cisco Unified Contact Center Express Unified CCX, and Cisco Unified Intelligence Center could allow an unauthenticate...

EUVD-2026-10958

Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page...

CVE-2026-27264

Rejected reason: This CVE ID was issued in error by its CVE Numbering Authority...

CVE-2026-27261

Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they brow...

CVE-2026-27229

Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page...

EUVD-2026-10977

Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they brow...