Rocket LMS Cross-Site Scripting Vulnerability
Rocket LMS is an educational platform system developed by the American company Rocket, which integrates online course management and learning interaction functions. Version 1.1 of Rocket LMS contains a cross-site scripting vulnerability. This vulnerability stems from a persistent cross-site...
Moodle Cross-Site Scripting Vulnerability
Moodle is an open-source e-learning software platform developed by Moodle, also known as a course management system, learning management system, or virtual learning environment. Version 4.0 of Moodle has a cross-site scripting vulnerability. This vulnerability stems from the search parameters...
OESA-2026-2270 python3 security update
Python combines remarkable power with very clear syntax. It has modules, classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C...
SUSE CVE-2026-44742
Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026...
CVE-2026-8021
A script injection flaw was found in the UI component of the Chromium browser. Upstream bugs: https://code.google.com/p/chromium/issues/detail?id=498417031...
CVE-2026-7475
The Sky Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sky-custom-scripts custom post type in all versions up to, and including, 3.3.2. This is due to the custom post type being registered with capability_type = 'post' and show_in_rest = true, combined with...
CVE-2026-5341
The NMR Strava activities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's stravanmrconnect shortcode in all versions up to, and including, 1.0.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
EUVD-2026-28540
The Auto Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.8.8. This is due to insufficient input sanitization on the 'url' POST parameter in the aalurlstatssaveaction function and a complete absence of output escaping in...
CVE-2026-7650
The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is affected by a Stored Cross-Site Scripting (XSS) flaw in the e2pdf-download shortcode’s id attribute. Versions up to and including 1.32.17 are vulnerable due to insufficient input sanitization and output escaping of the shortcode at...
SUSE CVE-2026-7939
Inappropriate implementation in SanitizerAPI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. Chromium security severity: Medium...
SUSE CVE-2026-7953
Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via malicious network traffic. Chromium security severity: Medium...
SUSE CVE-2026-7958
Inappropriate implementation in ServiceWorker in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to inject arbitrary scripts or HTML (UXSS) via a crafted Chrome Extension. Chromium security severity: Medium...
SUSE CVE-2026-8021
Script injection in UI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. Chromium security severity: Low...
PT-2026-38905
Name of the Vulnerable Software and Affected Versions: E2Pdf – Export Pdf Tool for WordPress versions prior to 1.32.18. Description: The E2Pdf – Export Pdf Tool for WordPress plugin allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts. This occurs du...
CVE-2026-41653 BentoPDF: Stored XSS via Markdown Editor Leading to Persistent File Exfiltration
BentoPDF is a client-side PDF toolkit that is self-hostable. Prior to version 2.8.3, a cross-site scripting vulnerability was identified in BentoPDF. An attacker may be able to execute arbitrary JavaScript in certain circumstances in the Markdown to PDF Tool. This issue has been patched in version 2.8...
CVE-2026-41904
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, a user with updateAutoReply permission can store an XSS payload in the mailbox auto-reply message. The payload is rendered unescaped in the auto-reply email sent to every customer who...
Chromium: CVE-2026-8021 Script injection in UI
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...
CVE-2026-36388
PHPGurukal Hospital Management System v4.0 contains a stored XSS flaw in /hospital/hms/edit-profile.php. An authenticated patient can inject a script via the User Name field, which is stored and later rendered in the doctor interface. The vulnerability is caused by unsanitized input being stored ...
EUVD-2026-28019
Inappropriate implementation in ServiceWorker in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to inject arbitrary scripts or HTML (UXSS) via a crafted Chrome Extension. Chromium security severity: Medium...
EUVD-2026-27985
Insufficient validation of untrusted input in Mobile in Google Chrome on Android prior to 148.0.7778.96 allowed a local attacker to inject arbitrary scripts or HTML (UXSS) via a crafted Chrome Extension. Chromium security severity: Medium...