CVE-2026-5103

A weakness has been identified in Totolink A3300R 17.0.0cu.557b20221024. This issue affects the function setUPnPCfg of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument enable causes command injection. The attack is possible to be carried out remotely. The exploit has been made...

Malicious Package

Overview plain-crypto-js is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and the author of this...

Embedded Malicious Code

Overview axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a cross-platform remote access trojan RAT and whose content was removed from the official package manager. A malicious actor...

CVE-2026-4794 Multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF

Multiple cross-site scripting XSS vulnerabilities in PaperCut NG/MF before 25.0.10 allow authenticated administrator users to inject arbitrary web script or HTML code via different UI fields. This could be used to compromise other admininistrator's sessions or perform unauthorized actions via the...

PaperCut NG/MF 安全漏洞

PaperCut NG/MF is a printing management system developed by PaperCut Corporation. Versions of PaperCut NG/MF prior to 25.0.10 contained security vulnerabilities. These vulnerabilities stemmed from cross-site scripting vulnerabilities in multiple UI fields, which could allow for the injection of...

PT-2026-29305

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an attacker with the ability to create shared AI conversations could inject arbitrary HTML and JavaScript via crafted...

Dolibarr 安全漏洞

Dolibarr is an open-source application developed by Dolibarr developers. It helps manage activities within user organizations. Dolibarr versions 22.0.4 and earlier contained security vulnerabilities. These vulnerabilities stemmed from a local file inclusion vulnerability in the core AJAX...

PT-2026-29363

Name of the Vulnerable Software and Affected Versions AVideo versions 26.0 and prior Description AVideo is an open source video platform. The installation script, install/deleteSystemdPrivate.php, contains a PHP operator precedence bug in its command-line interface CLI-only access guard. The guar...

Terrapack TkWebCoreNG File Upload Endpoint Audit Tool

This Python script is a simple security audit tool designed to test the file upload interface of applications using TkWebCoreNG. It does not actual exploit anything...

WordPress plugin Ibtana – WordPress Website Builder 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

WWBN AVideo 跨站请求伪造漏洞

WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 26.0 contained a cross-site request forgeing vulnerability. This vulnerability stemmed from the lack of CSRF token validation on the objects/emailAllUsers.json.php endpoint, whic...

HCL Aftermarket DPC File Upload Vulnerability

HCL Aftermarket DPC is a digital spare parts and aftermarket management platform for HCL India. HCL Aftermarket DPC suffers from a file upload vulnerability, which stems from the application not strictly verifying or filtering user uploaded files, and can be exploited by an attacker to upload and...

PT-2026-29229

OpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run where mutable script operands are not bound across approval and execution phases. Attackers can obtain approval for script execution, modify the approved script file before execution, and execute different content...

EUVD-2026-17208

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 1.3.10 to before version 2.17.0, an unsanitized JSONP callback parameter allows cross-origin script injection and API key theft. This issue has been patched in version 2.17.0...

CVE-2026-32275 Tautulli: Unsanitized JSONP callback parameter allows cross-origin script injection and API key theft

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 1.3.10 to before version 2.17.0, an unsanitized JSONP callback parameter allows cross-origin script injection and API key theft. This issue has been patched in version 2.17.0...

CVE-2026-32275 Tautulli: Unsanitized JSONP callback parameter allows cross-origin script injection and API key theft

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 1.3.10 to before version 2.17.0, an unsanitized JSONP callback parameter allows cross-origin script injection and API key theft. This issue has been patched in version 2.17.0...

EUVD-2026-17096

A Reflected Cross-Site Scripting XSS vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the addcategory.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HT...

EUVD-2026-17099

A Reflected Cross-Site Scripting XSS vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the addsupplier.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HT...

AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page

Summary The YPTWallet Stripe payment confirmation page directly echoes the $REQUEST'plugin' parameter into a JavaScript block without any encoding or sanitization. The plugin parameter is not included in any of the framework's input filter lists defined in security.php, so it passes through...

CVE-2026-26352

Smoothwall Express versions prior to 3.1 Update 13 contain a stored cross-site scripting vulnerability in the /cgi-bin/vpnmain.cgi script due to improper sanitation of the VPNIP parameter. Authenticated attackers can inject arbitrary JavaScript through VPN configuration settings that executes whe...