106617 matches found
CVE-2026-5742
The CVE-2026-5742 entry concerns the WordPress UsersWP plugin (versions up to 1.2.60). The vulnerability is a Stored Cross-Site Scripting (XSS) flaw caused by insufficient input sanitization of user-supplied URL fields and improper output escaping when rendering user profile data in badge widgets...
CVE-2026-5357 Download Manager <= 3.3.52 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sid' parameter of the 'wpdmmembers' shortcode in versions up to and including 3.3.52. This is due to insufficient input sanitization and output escaping on the user-supplied 'sid' shortcode attribute...
CVE-2026-4429
CVE-2026-4429 concerns the WordPress plugin OSM – OpenStreetMap (vulnerable up to 6.1.15). The flaw is a Stored Cross-Site Scripting via the [osm_map_v3] shortcode attributes, specifically marker_name and file_color_list, due to insufficient input sanitization and output escaping. With authentic...
EUVD-2026-20809
A vulnerability was detected in D-Link DIR-645 1.01/1.02/1.03. Impacted is the function hedwigcgimain of the file /cgi-bin/hedwig.cgi. The manipulation results in stack-based buffer overflow. The attack can be launched remotely. The exploit is now public and may be used. This vulnerability only...
EUVD-2026-20723
Insufficient policy enforcement in History Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. Chromium security severity: Low...
EUVD-2026-20783
The Post Blocks & Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sliderStyle' block attribute in the Posts Slider block in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes ...
TOTOLINK A7100RU Operating System Command Injection Vulnerability
The TOTOLINK A7100RU is a wireless router produced by TOTOLINK, a Chinese company. The Totolink A7100RU 7.4cu.2313b20191024 version has a vulnerability related to operating system command injection. This vulnerability stems from an error in the setWiFiEasyCfg function in the /cgi-bin/cstecgi.cgi...
PT-2026-31591
Name of the Vulnerable Software and Affected Versions: Totolink A7100RU version 7.4cu.2313 b20191024. Description: A weakness exists in the Totolink A7100RU router. The setIptvCfg function within the /cgi-bin/cstecgi.cgi file, part of the CGI Handler component, is susceptible to OS command injection...
Hydrosystem Control System Security Vulnerability
Hydrosystem Control System is an industrial water treatment and fluid control monitoring system developed by the American company Hydrosystem. Versions of Hydrosystem Control System prior to 9.8.5 contained security vulnerabilities. These vulnerabilities stemmed from the lack of enforcement of...
PT-2026-31590
Name of the Vulnerable Software and Affected Versions: Totolink A7100RU version 7.4cu.2313 b20191024. Description: A security flaw exists in the CGI Handler component of Totolink A7100RU 7.4cu.2313 b20191024. The setUPnPCfg function within the /cgi-bin/cstecgi.cgi file is susceptible to OS command...
PraisonAI Parameter Injection Vulnerability
PraisonAI is a low-code multi-agent collaboration framework developed by Mervin Praison. Versions of PraisonAI prior to 4.5.128 contained a parameter injection vulnerability. This vulnerability stemmed from the deploy.py script, which did not validate the values containing commas when constructin...
PT-2026-31738
Name of the Vulnerable Software and Affected Versions: Totolink A7100RU version 7.4cu.2313 b20191024. Description: A weakness exists in Totolink A7100RU version 7.4cu.2313 b20191024. The setWiFiBasicCfg function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component is affected...
CVE-2025-45806
A cross-site scripting (XSS) vulnerability in rrweb-snapshot before v2.0.0-alpha.18 allows attackers to execute arbitrary web scripts or HTML via a crafted payload...
OpenUI Cross-Site Scripting Vulnerability
OpenUI is an open source UI program. A cross-site scripting vulnerability exists in OpenUI 1.0 and earlier versions. The vulnerability stems from the lack of effective filtering and escaping of user-supplied data in the file frontend/public/annotator/index.html, which can be exploited by an...
PT-2026-31643
osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.12, a stack buffer overflow vulnerability exists in osslsigncode in several signature verification paths. During verification of a PKCS7 signature, the code copies the digest value from a parsed...
PT-2026-31601
Name of the Vulnerable Software and Affected Versions: Hydrosystem Control System versions prior to 9.8.5. Description: Hydrosystem Control System is susceptible to SQL Injection across numerous scripts and input parameters. The absence of protective measures allows an authenticated attacker to inje...
SUSE CVE-2026-28808
Incorrect Authorization vulnerability in Erlang OTP inets modules allows unauthenticated access to CGI scripts protected by directory rules when served via scriptalias. When scriptalias maps a URL prefix to a directory outside DocumentRoot, modauth evaluates directory-based access controls agains...
CVE-2026-5812 SourceCodester Pharmacy Product Management System POST Parameter add-sales.php logic error
A security flaw has been discovered in SourceCodester Pharmacy Product Management System 1.0. This affects an unknown part of the file add-sales.php of the component POST Parameter Handler. Performing a manipulation of the argument txtqty results in business logic errors. It is possible to initia...
DEBIAN-CVE-2026-5899
Insufficient policy enforcement in History Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. Chromium security severity: Low...
CVE-2026-5899
Insufficient policy enforcement in History Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. Chromium security severity: Low...