CVE-2026-4595

A vulnerability was determined in code-projects Exam Form Submission 1.0. This vulnerability affects unknown code of the file /admin/updates6.php. Executing a manipulation of the argument sname can lead to cross site scripting. The attack can be launched remotely. The exploit has been publicly...

WordPress Tour & Activity Operator Plugin for TourCMS plugin <= 1.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Tour & Activity Operator Plugin for TourCMS versions = 1.7.0...

CVE-2026-33681 AVideo has Path Traversal in pluginRunDatabaseScript.json.php Enables Arbitrary SQL File Execution via Unsanitized Plugin Name

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the objects/pluginRunDatabaseScript.json.php endpoint accepts a name parameter via POST and passes it to Plugin::getDatabaseFileName without any path traversal sanitization. This allows an authenticated admin or a...

CVE-2026-33681 AVideo has Path Traversal in pluginRunDatabaseScript.json.php Enables Arbitrary SQL File Execution via Unsanitized Plugin Name

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the objects/pluginRunDatabaseScript.json.php endpoint accepts a name parameter via POST and passes it to Plugin::getDatabaseFileName without any path traversal sanitization. This allows an authenticated admin or a...

CVE-2026-4595

A vulnerability was determined in code-projects Exam Form Submission 1.0. This vulnerability affects unknown code of the file /admin/updates6.php. Executing a manipulation of the argument sname can lead to cross site scripting. The attack can be launched remotely. The exploit has been publicly...

CVE-2026-33647

WWBN AVideo (versions up to 26.0) is affected by a RCE in ImageGallery::saveFile(), where MIME-type validation via finfo passes a polyglot file with a .php extension because the saved filename extension is derived from the user-provided name without an allowlist. An attacker can upload a file wit...

GO-2026-4765 mo has a XSS via inline SVG script tags in Markdown rendering in github.com/k1LoW/mo

mo has a XSS via inline SVG script tags in Markdown rendering in github.com/k1LoW/mo...

CVE-2026-4581 code-projects Simple Laundry System Parameters checklogin.php sql injection

A weakness has been identified in code-projects Simple Laundry System 1.0. Affected is an unknown function of the file /checklogin.php of the component Parameters Handler. This manipulation of the argument Username causes sql injection. The attack is possible to be carried out remotely. The explo...

CVE-2026-4581

A weakness has been identified in code-projects Simple Laundry System 1.0. Affected is an unknown function of the file /checklogin.php of the component Parameters Handler. This manipulation of the argument Username causes sql injection. The attack is possible to be carried out remotely. The explo...

EUVD-2026-14387

A vulnerability was determined in code-projects Exam Form Submission 1.0. The impacted element is an unknown function of the file /admin/updates3.php. Executing a manipulation of the argument sname can lead to cross site scripting. The attack may be launched remotely. The exploit has been publicl...

Cross-site Scripting (XSS)

@angular/compiler is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to an incomplete security schema in the template compiler that fails to properly classify certain URL attributes, which allows an attacker to bypass sanitization and inject malicious scripts...

CVE-2026-4579

A vulnerability was identified in code-projects Simple Laundry System 1.0. This affects an unknown function of the file /viewdetail.php of the component Parameters Handler. The manipulation of the argument serviceId leads to sql injection. Remote exploitation of the attack is possible. The exploi...

Cross-Site Scripting (XSS)

mayanedms is vulnerable to cross-site scripting XSS. The vulnerability is due to improper handling of input in an unknown function within the /authentication/ endpoint, which allows a remote attacker to inject and execute malicious scripts...

CVE-2026-33230

A flaw was found in NLTK Natural Language Toolkit, a suite of open source Python modules for Natural Language Processing. The nltk.app.wordnetapp component contains a reflected cross-site scripting XSS vulnerability. A remote attacker can exploit this by crafting a malicious URL that injects...

EUVD-2026-14367

A flaw has been found in code-projects Exam Form Submission 1.0. This issue affects some unknown processing of the file /admin/updates2.php. This manipulation of the argument sname causes cross site scripting. The attack can be initiated remotely. The exploit has been published and may be used...

CVE-2026-4573 SourceCodester Simple E-learning System HTTP GET Parameter delete_post.php sql injection

A security vulnerability has been detected in SourceCodester Simple E-learning System 1.0. This affects an unknown part of the file /includes/formhandlers/deletepost.php of the component HTTP GET Parameter Handler. The manipulation of the argument postid leads to sql injection. It is possible to...

DNS Rebinding Detection Sensor

This Python script implements a lightweight DNS Rebinding detection sensor designed to identify suspicious DNS resolution behavior in real time...

PT-2026-27235

OpenClaw before 2026.3.2 contains a semantic drift vulnerability in node system.run approval hardening that rewrites wrapper command argv, allowing execution of unintended local scripts. Attackers who can influence wrapper argv and place malicious files in the approved working directory can execu...

PT-2026-27041

Name of the Vulnerable Software and Affected Versions SourceCodester Sales and Inventory System version 1.0 Description A SQL injection issue exists in SourceCodester Sales and Inventory System version 1.0. The issue is located in the HTTP GET Request Handler component, specifically within the...

PT-2026-27221

OpenClaw versions prior to 2026.2.18 contain a command injection vulnerability in Windows Scheduled Task script generation where environment variables are written unquoted to gateway.cmd, allowing shell metacharacters to break out of assignment context. Attackers can inject arbitrary commands...