Embedded Malicious Code

Overview pgserve is an Embedded PostgreSQL server with true concurrent connections - zero config, auto-provision databases Affected versions of this package are vulnerable to Embedded Malicious Code that injects a credential-harvesting script that runs via postinstall on every npm install. It...

MAL-2026-2957 Malicious code in cycode-dev (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 af035661f0964977015279eeceb2e380bf8b525463d4a099d85eab7b4ea8a71b Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

CVE-2026-4852

The Image Source Control Lite – Show Image Credits and Captions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Image Source' attachment field in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. This makes it possible...

CVE-2026-2505

The Categories Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.1, via the 'ztaxonomyimage' shortcode. This is due to the shortcode rendering path passing attacker-controlled class input into a fallback image builder that concatenates...

CVE-2026-40321

DNN formerly DotNetNuke is an open-source web content management platform CMS in the Microsoft ecosystem. Prior to version 10.2.2, a user could upload a specially crafted SVG file that could include scripts that can target both authenticated and unauthenticated DNN users. The impact is increased ...

Cross-site scripting (XSS) via script break-out in toScript() output

What's Changed Escape HTML tags in toScript output to prevent script break-out by @freekmurze in https://github.com/spatie/schema-org/pull/242 Values containing passed as schema properties could break out of the generated block and execute injected HTML when the value was attacker-controlled...

EUVD-2026-23929

GFI HelpDesk before 4.99.10 contains a stored cross-site scripting vulnerability in the Reports module where the title parameter is passed directly to SWIFTReport::Create without HTML sanitization. Attackers can inject arbitrary JavaScript into the report title field when creating or editing a...

CVE-2026-23753 GFI HelpDesk < 4.99.9 Stored XSS via charset Parameter

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the language management functionality where the charset POST parameter is passed directly to SWIFTLanguage::Create without HTML sanitization and subsequently rendered unsanitized by ViewLanguage.RenderGrid. An...

CVE-2026-23752 GFI HelpDesk < 4.99.9 Stored XSS via companyname Parameter

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the template group creation and editing functionality that allows authenticated administrators to inject arbitrary JavaScript by manipulating the companyname POST parameter without HTML sanitization. Attackers can...

CVE-2026-34429

Summary: CVE-2026-34429 affects Vvveb versions prior to 1.0.8.1. A stored XSS vulnerability exists in the media upload/rename flow when MIME-type validation is bypassed and files are renamed to executable extensions. Attackers who have media upload and rename permissions can prepend a GIF89a head...

Incorrect Privilege Assignment

Overview Affected versions of this package are vulnerable to Incorrect Privilege Assignment in the memosaccesstoken function of the UpdateInstanceSetting component when manipulating the additionalStyle or additionalScript arguments. An attacker can gain unauthorized access to sensitive informatio...

EUVD-2026-23838

A weakness has been identified in usememos memos up to 0.22.1. This affects the function memosaccesstoken of the file src/App.tsx of the component UpdateInstanceSetting. This manipulation of the argument additionalStyle/additionalScript causes improper authorization. The attack is possible to be...

GHSA-GQP3-HFC3-8Q54 Memos has an Incorrect Privilege Assignment issue

A weakness has been identified in usememos memos up to 0.22.1. This affects the function memosaccesstoken of the file src/App.tsx of the component UpdateInstanceSetting. This manipulation of the argument additionalStyle/additionalScript causes improper authorization. The attack is possible to be...

MAL-2026-2949 Malicious code in pathjoin (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 a94ee2403006fa62b8cfd3e6ac5a3ae32f316ab9b32fd0dc47fefdca52cf5899 During import, the code downloads and executes encrypted payload from remote location. During analysis, remote code was prepared to download the next stage...

EUVD-2026-23756

SD-330AC and AMC Manager provided by silex technology, Inc. contain a reflected cross-site scripting vulnerability. When a user logs in to the affected device and access some crafted web page, arbitrary script may be executed on the user's browser...

CVE-2026-32963

CVE-2026-32963 affects Silex SD-330AC and related AMC Manager devices; connected data indicates a client-side code execution issue (documenting as CVE-2026-32963) tied to BRIDGE:BREAK disclosures. The public write-ups describe exploitation of serial-to-IP converters and indicate that vendors (inc...

MetInfo CMS 8.1 XML Endpoint Behavior Analysis Tool

This script is a PHP-based analysis tool designed to interact with MetInfo CMS 8.1 endpoints through an XML-based interface. It uses cURL to send structured requests to a specific MetInfo module endpoint and evaluates the HTTP responses for basic fingerprinting indicators such as known keywords a...

📄 Remote Sunrise Helper for Windows 2026.14 Remote Code Execution

Remote Sunrise Helper for Windows version 2026.14 suffers from an unauthenticated remote code execution vulnerability. Exploit Title: Remote Sunrise Helper for Windows 2026.14 - Unauthenticated Remote Code Execution Date: 2026-04-20 Exploit Author: Chokri Hammedi Software:...

PT-2026-36835

Name of the Vulnerable Software and Affected Versions D-Link DIR-600L Hardware Revision B1 Description A hardcoded telnet backdoor exists where the device starts a telnet daemon at boot via the /bin/telnetd.sh script. The system uses a static username "Alphanetworks" and password "wrgn61 dlwbr...

GFI HelpDesk 安全漏洞

GFI HelpDesk is an open-source service request and ticket management system for enterprise IT support processes developed by GFI. Versions of GFI HelpDesk prior to 4.99.9 contained security vulnerabilities. These vulnerabilities stemmed from insufficient cleaning of the charset POST parameter in...