PT-2026-28298

Name of the Vulnerable Software and Affected Versions HCL Aftermarket DPC affected versions not specified Description HCL Aftermarket DPC is susceptible to a Cross Domain Script Include issue. An attacker can use external scripts to manipulate the Document Object Model DOM, potentially changing t...

CVE-2026-4826 SourceCodester Sales and Inventory System HTTP GET Parameter update_stock.php sql injection

A vulnerability was determined in SourceCodester Sales and Inventory System 1.0. This vulnerability affects unknown code of the file /updatestock.php of the component HTTP GET Parameter Handler. This manipulation of the argument sid causes sql injection. Remote exploitation of the attack is...

CVE-2026-33911

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the POST parameter title is reflected back in a JSON response built with jsonencode. Because the response is served with a text/html Content-Type, the browser...

CVE-2026-4825

A vulnerability was found in SourceCodester Sales and Inventory System 1.0. This affects an unknown part of the file /updatesales.php of the component HTTP GET Parameter Handler. The manipulation of the argument sid results in sql injection. The attack may be launched remotely. The exploit has be...

CVE-2026-33348 OpenEMR has Stored XSS in patient encounter Eye Exam form $CHRONIC2 and $CHRONIC3

OpenEMR is a free and open source electronic health records and medical practice management application. Users with the Notes - my encounters role can fill Eye Exam forms in patient encounters. The answers to the form are displayed on the encounter page and in the visit history for the users with...

MantisBT Vulnerable to Stored HTML Injection in Tag Delete Confirmation

Improper escaping of Tag name when deleting it in tagdelete.php allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript. Impact Cross-site scripting XSS. Patches 80990f43153167c73f11eb4b2bc7108d0c3d6b46 Workarounds Revert commit...

Server-side Request Forgery (SSRF)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the statsURL parameter in the plugin/Live/test.php endpoint. An administrator can access sensitive internal resources and clou...

GHSA-3HWV-X8G3-9QPR AVideo has Path Traversal in pluginRunDatabaseScript.json.php Enables Arbitrary SQL File Execution via Unsanitized Plugin Name

Summary The objects/pluginRunDatabaseScript.json.php endpoint accepts a name parameter via POST and passes it to Plugin::getDatabaseFileName without any path traversal sanitization. This allows an authenticated admin or an attacker via CSRF to traverse outside the plugin directory and execute the...

EUVD-2026-14492

AVideo has Path Traversal in pluginRunDatabaseScript.json.php Enables Arbitrary SQL File Execution via Unsanitized Plugin Name...

Cross-site Scripting (XSS)

Overview prestashop/prestashop is an Open Source e-commerce platform, committed to providing the best shopping cart experience for both merchants and customers. Affected versions of this package are vulnerable to Cross-site Scripting XSS in unprotected template variables in the back-office. An...

EUVD-2026-15940

Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15,13.0.16-pro,12.0.14 and prior and fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc sdoc editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows...

EUVD-2026-15553

NVIDIA Megatron-LM for all platforms contains a vulnerability in a script, where malicious data created by an attacker may cause a code injection issue. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, data tampering...

EUVD-2026-15437

A vulnerability in the web-based management interface of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to conduct a cross-site scripting XSS attack against a user of the interface of an affected device. This vulnerability is due to insufficient validation of user...

EUVD-2026-15459

textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to childprocess.exec in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequat...

textract is vulnerable to OS Command Injection

textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to childprocess.exec in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequat...

CVE-2026-1001

Domoticz versions prior to 2026.1 contain a stored cross-site scripting vulnerability in the Add Hardware and rename device functionality of the web interface that allows authenticated administrators to execute arbitrary scripts by supplying crafted names containing script or HTML markup. Attacke...

CVE-2026-1001

Domoticz versions prior to 2026.1 contain a stored cross-site scripting vulnerability in the Add Hardware and rename device functionality of the web interface that allows authenticated administrators to execute arbitrary scripts by supplying crafted names containing script or HTML markup. Attacke...

CVE-2026-20112

Cisco IOx web-based management interface in Cisco IOS XE is affected by a stored XSS vulnerability due to insufficient input validation. An attacker with valid administrative credentials could inject malicious code into specific pages, potentially executing scripts in the browser context or acces...

MAL-2026-2187 Malicious code in vision-service-python-client-internal (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 ea39ef97e61556ba1ef289f438f9401ced47328bd49f096401ed4795792c8f7a Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

MAL-2026-2172 Malicious code in v2-8-3 (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 b90faec9a57b74163b9282007ed27f9602abf0d5307115928eb4ca75d98f8c72 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...