VulnCheck KEV: CVE-2018-6000

An issue was discovered in AsusWRT before 3.0.0.4.38410007. The dovpnuploadpost function in router/httpd/web.c in vpnupload.cgi provides functionality for setting NVRAM configuration values, which allows attackers to set the admin password and launch an SSH daemon or enable infosvr command mode,...

WeGIA SQL注入漏洞

WeGIA is a web manager for the welfare organization developed by Nilson Lazarin. Versions of WeGIA prior to 3.6.6 contained an SQL injection vulnerability. This vulnerability stemmed from the id Produto parameter in the html/matPat/restaurarProduto.php file being directly concatenated into the SQ...

EUVD-2026-10821

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, A stored XSS vulnerability exists in the Commerce Settings - Inventory Locations page. The Name field is rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript. This XSS triggers when an...

EUVD-2026-10485

The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the nxsfbembed shortcode in all versions up to, and including, 4.4.6. This is due to insufficient input sanitization and output escaping on the snapFB post meta value. This makes it...

Cross-site Scripting (XSS)

Overview craftcms/commerce is a Craft Commerce Affected versions of this package are vulnerable to Cross-site Scripting XSS via the Name field when updating order statuses in the orders table. An attacker can execute arbitrary JavaScript code in the context of an administrator's browser by...

CVE-2026-1261

MetForm Pro

Malicious code in @web-monorepo/fetchers (npm)

Package is malware. It exfiltrates data to a suspicious domain via callback.js, triggered by a preinstall script in package.json. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a3faaa666cb666785670b3a638b1f832d4492f7eb2c999f41f7bb551cde2aa86 The package...

MAL-2026-1318 Malicious code in @web-monorepo/fetchers (npm)

Package is malware. It exfiltrates data to a suspicious domain via callback.js, triggered by a preinstall script in package.json. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a3faaa666cb666785670b3a638b1f832d4492f7eb2c999f41f7bb551cde2aa86 The package...

Malicious code in @augmentor/experiences (npm)

Malware detected: Collects and exfiltrates sensitive data to a suspicious webhook via a preinstall script. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4067e28e3de3f031541a3e624d8d21dc75777b65b83ab8aa4fd09bfd52038968 The package @augmentor/experiences was fou...

MAL-2026-1317 Malicious code in @augmentor/experiences (npm)

Malware detected: Collects and exfiltrates sensitive data to a suspicious webhook via a preinstall script. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4067e28e3de3f031541a3e624d8d21dc75777b65b83ab8aa4fd09bfd52038968 The package @augmentor/experiences was fou...

CVE-2026-3806

A weakness has been identified in SourceCodester/janobe Resort Reservation System 1.0. This issue affects some unknown processing of the file /roomrates.php. This manipulation of the argument q causes sql injection. The attack can be initiated remotely. The exploit has been made available to the...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS due to the nohtml configuration option not applying to SVG files. An attacker can execute arbitrary JavaScript code in the context of the user who opens a malicious SVG by uploading a crafted SVG file containing...

Prototype Pollution

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Prototype Pollution via triggers.js when a prototype property name is used as the function name. An attacker can terminate t...

CVE-2025-70128

A Stored Cross-Site Scripting XSS vulnerability exists in the PluXml article comments feature for PluXml versions 5.8.22 and earlier. The application fails to properly sanitize or validate user-supplied input in the "link" field of a comment. An attacker can inject arbitrary JavaScript code using...

PT-2026-24417

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Stored XSS vulnerabilities exist in the Commerce Inventory page. The Product Title, Variant Title, and Variant SKU fields are rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript when any...

ROS-20260310-73-0039

A vulnerability in the V8 JavaScript script handler of Google Chrome browser is related to data type conversion errors. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service using a specially crafted HTML page...

WebDAV Advanced Penetration Testing Script

This Python-based WebDAV penetration testing script tests methods available, attempts directory listing with PROPFIND, file upload with PUT, and more...

PT-2026-24200

The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form entry fields in all versions up to, and including, 2.0.5. This is due to insufficient input sanitization and output escaping on form submission data displayed in the admin Form...

PT-2026-24464

Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.5.10 Description SiYuan is a personal knowledge management system susceptible to a reflected cross-site scripting XSS condition. The SVG sanitizer, SanitizeSVG, inadequately checks href attributes for the 'javascript...

SAP Business One Job Service 跨站脚本漏洞

SAP Business One Job Service is a service component of SAP's Enterprise Resource Planning ERP system for scheduling and executing tasks in the background. A cross-site scripting vulnerability exists in SAP Business One Job Service. The vulnerability stems from the lack of effective filtering and...