CVE-2026-40451

DeepL Chrome browser extension versions from v1.22.0 to v.1.23.0 contain a cross-site scripting vulnerability, which allows an attacker to execute arbitrary script in a user's browser, and inject malicious HTML into web pages viewed by the user...

EUVD-2026-24605

DeepL Chrome browser extension versions from v1.22.0 to v.1.23.0 contain a cross-site scripting vulnerability, which allows an attacker to execute arbitrary script in a user's browser, and inject malicious HTML into web pages viewed by the user...

PT-2026-34249

Name of the Vulnerable Software and Affected Versions DeepL Chrome browser extension versions 1.22.0 through 1.23.0 Description A cross-site scripting flaw allows an attacker to execute arbitrary script in a user's browser and inject malicious HTML into web pages viewed by the user. Recommendatio...

PT-2026-34549

Name of the Vulnerable Software and Affected Versions Python affected versions not specified Description The js output function in http.cookies.Morsel returns an inline snippet that only escapes double quotes for JavaScript string context. It fails to neutralize the HTML parser-sensitive sequence...

PT-2026-34336

A flaw was found in InstructLab. The linux train.py script hardcodes trust remote code=True when loading models from HuggingFace. This allows a remote attacker to achieve arbitrary Python code execution by convincing a user to run ilab train/download/generate with a specially crafted malicious...

Frappe 跨站脚本漏洞

Frappe is a web development framework based on Python and Mariadb, with integrated front-end pages, developed by the Indian company Frappe. Version 16.10.10 of Frappe contains a cross-site scripting vulnerability. This vulnerability stems from special tag values stored in user tags that are not...

DeepL for Chrome 跨站脚本漏洞

DeepL for Chrome is an open-source translation extension for the Chrome browser developed by DeepL. Versions 1.22.0 to 1.23.0 of DeepL for Chrome contain a cross-site scripting vulnerability. This vulnerability allows attackers to execute arbitrary scripts in the user’s browser and inject malicio...

PT-2026-34540

Beghelli Sicuro24 SicuroWeb embeds AngularJS 1.5.2, an end-of-life component containing known sandbox escape primitives. When combined with template injection present in the same application, these primitives allow attackers to escape the AngularJS sandbox and achieve arbitrary JavaScript executi...

PT-2026-34608

Name of the Vulnerable Software and Affected Versions Marko affected versions not specified Description When dynamic text is interpolated into or tags, the runtime fails to prevent tag breakout if the closing tag uses non-lowercase casing. This occurs because the system uses case-sensitive regula...

Linux Distros Unpatched Vulnerability : CVE-2026-35377

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A logic error in the env utility of uutils coreutils causes a failure to correctly parse command-line arguments when utilizing the -S split-string option. In GN...

PT-2026-34513

A logic error in the env utility of uutils coreutils causes a failure to correctly parse command-line arguments when utilizing the -S split-string option. In GNU env, backslashes within single quotes are treated literally with the exceptions of and '. However, the uutils implementation incorrectl...

Red Hat Enterprise Linux AI 安全漏洞

Red Hat Enterprise Linux AI is a Linux distribution created by the American company Red Hat for generative AI. Red Hat Enterprise Linux AI RHEL AI 3 has a security vulnerability. This vulnerability stems from the linuxtrain.py script, which loads models from HuggingFace by hardcoding...

PT-2026-34308

Name of the Vulnerable Software and Affected Versions Simple Random Posts Shortcode versions prior to 0.4 Description The Simple Random Posts Shortcode plugin for WordPress contains a Stored Cross-Site Scripting issue. Authenticated attackers with contributor-level access or higher can inject...

DNG File Generator with Malformed Metadata

This Python script generates a custom DNG Digital Negative image file by manually constructing TIFF/DNG structures, including headers, Image File Directories IFDs, and metadata tags...

PT-2026-34465

ICEWARP 11.0.0.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML elements into emails by embedding base64-encoded payloads in object and embed tags. Attackers can craft emails containing data URIs with embedded scripts that execute in the client when t...

PT-2026-34305

Name of the Vulnerable Software and Affected Versions Buzz Comments versions prior to 0.9.5 Description Insufficient input sanitization and output escaping in the 'Custom Buzz Avatar' setting, specifically the buzz comments avatar image variable, allows authenticated attackers with...

WordPress plugin HTTP Headers 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application plugin. Versions of...

CVE-2026-40926

WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints — objects/categoryAddNew.json.php, objects/categoryDelete.json.php, and objects/pluginRunUpdateScript.json.php — enforce only a role check Category::canCreateCategory / User::isAdmin and...

CVE-2026-40926 WWBN AVideo Vulnerable to CSRF in Admin JSON Endpoints (Category CRUD, Plugin Update Script)

WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints — objects/categoryAddNew.json.php, objects/categoryDelete.json.php, and objects/pluginRunUpdateScript.json.php — enforce only a role check Category::canCreateCategory / User::isAdmin and...

CVE-2026-40926

WWBN AVideo