CVE-2026-33172 Statamic has Stored XSS via SVG Sanitization Bypass

Statamic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.14 and 6.7.0, a stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the...

CVE-2026-33172 Statamic has Stored XSS via SVG Sanitization Bypass

Statamic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.14 and 6.7.0, a stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the...

Malicious code in efghr-honeybee-sdk (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 e77e2d0088390e5dc421f70a65ade331bfbf554afcc9cc42362098d0ed130692 During installation, package attempts to modify LLM configuration files to provide a backdoor instruction for further control over an AI agent. --- Category:...

CVE-2026-4497

A vulnerability was determined in Totolink WA300 5.2cu.7112B20190227. Affected by this issue is the function recvUpgradeNewFw of the file /cgi-bin/cstecgi.cgi. This manipulation causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and...

CVE-2026-4497 Totolink WA300 cstecgi.cgi recvUpgradeNewFw os command injection

A vulnerability was determined in Totolink WA300 5.2cu.7112B20190227. Affected by this issue is the function recvUpgradeNewFw of the file /cgi-bin/cstecgi.cgi. This manipulation causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and...

CVE-2026-4497

CVE-2026-4497 (Totolink WA300) affects the /cgi-bin/cstecgi.cgi function recvUpgradeNewFw. Manipulation enables os command injection, with remote exploitation and a publicly disclosed exploit. Documents consistently identify the affected device/version (Totolink WA300 5.2cu.7112_B20190227) and th...

EUVD-2026-13690

Zimbra Collaboration Suite ZCS 10.0 and 10.1 contains a reflected cross-site scripting XSS vulnerability in the Classic Webmail REST interface /h/rest. The application fails to properly sanitize user-supplied input, allowing an unauthenticated attacker to inject malicious JavaScript into a crafte...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the Range or Values summarizer, which renders raw database values without escaping HTML. An attacker can execute arbitrary HTML or JavaScript in the context of affected users by injecting malicious content...

Malicious code in init2winit (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 7eb9b716534151a8d16432102f52af1e6f61f9701b86efba4294cdc0e18ceaea Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

Malicious code in airio (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 d6edae69303a2c992df68a1743104255c7de6aa8beba5f7b37eb9b91707789d9 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

CVE-2026-33134 WeGIA has Authenticated Time-Based Blind SQL Injection in `restaurar_produto.php` via `id_produto` parameter

WeGIA is a web manager for charitable institutions. Versions 3.6.5 and below contain an authenticated SQL Injection vulnerability in the html/matPat/restaurarproduto.php endpoint. The vulnerability allows an authenticated attacker to inject arbitrary SQL commands via the idproduto GET parameter,...

Malicious code in cloud-datasets (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 7cbbef34e9c8a9e6db79ffb59dde86dafe9734166f201aae8a5d1837ac262fc0 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

CVE-2026-33080

Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4 have two Filament Table summarizers Range, Values that render raw database values without escaping HTML. If there is a lack of validation for the data in the...

CVE-2026-3550

CVE-2026-3550 – RockPress (WordPress) vulnerability : RockPress

CVE-2026-3550 RockPress <= 1.0.17 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via AJAX Actions

The RockPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.17. This is due to missing capability checks on multiple AJAX actions rockpressimport, rockpressimportstatus, rockpresslastimport, rockpressresetimport, and rockpresscheckservices...

CVE-2026-33067

SiYuan is a personal knowledge management system. Versions 3.6.0 and below render package metadata fields displayName, description using template literals without HTML escaping. A malicious package author can inject arbitrary HTML/JavaScript into these fields, which executes automatically when an...

CVE-2026-33067 SiYuan has Stored XSS to RCE via Unsanitized Bazaar Package Metadata

SiYuan is a personal knowledge management system. Versions 3.6.0 and below render package metadata fields displayName, description using template literals without HTML escaping. A malicious package author can inject arbitrary HTML/JavaScript into these fields, which executes automatically when an...

Directory Traversal

Overview org.springframework:spring-webflux is a Spring Framework module that contains support for reactive HTTP and WebSocket clients as well as for reactive server web applications including REST, HTML browser, and WebSocket style interactions. Affected versions of this package are vulnerable t...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the Script View Templates. An attacker can access sensitive file contents outside of the intended directories by leveraging the Java scripting engine in template rendering. Note: This is only exploitable if the...

Directory Traversal

Overview org.springframework:spring-webmvc is a package that provides Model-View-Controller MVC architecture and ready components that can be used to develop flexible and loosely coupled web applications. Affected versions of this package are vulnerable to Directory Traversal via the Script View...