RHCOS 4 : OpenShift Container Platform 4.1 jenkins-2-plugins (RHSA-2019:4089)

The remote Red Hat Enterprise Linux CoreOS 4 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2019:4089 advisory. - jenkins-script-security-plugin: handling of method names in method call expressions allowed attackers to execute arbitrary code in...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the /pagepreview page. An attacker can execute arbitrary JavaScript in the context of the user's browser by injecting malicious scripts. Details Cross-site scripting or XSS is a code vulnerability that occurs...

@evomap/evolver's validator sandbox allowlist permits `npm`/`npx`, yielding RCE from Hub-delivered validation tasks via lifecycle scripts

Summary The validator-mode sandbox executor src/gep/validator/sandboxExecutor.js places npm and npx in its hard executable allowlist. Because npm install and npx -y -p execute arbitrary code by design preinstall/install/postinstall lifecycle scripts and remote-package bin entries, and because...

CVE-2026-32699

FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controller. Although the user interface prevents editing this field, a user can bypass this restriction b...

EUVD-2023-60566

Frappe Framework ERPNext 13.4.0 contains a sandbox escape vulnerability in RestrictedPython that allows authenticated users with System Manager role to execute arbitrary code by exploiting frame introspection. Attackers can create a server script via the /app/server-script endpoint and access the...

CVE-2023-54345 Frappe Framework ERPNext 13.4.0 Remote Code Execution

Frappe Framework ERPNext 13.4.0 contains a sandbox escape vulnerability in RestrictedPython that allows authenticated users with System Manager role to execute arbitrary code by exploiting frame introspection. Attackers can create a server script via the /app/server-script endpoint and access the...

CVE-2026-6180

A race condition exists in PaperCut MF when processing badge-swipe data from certain HP multifunction devices. Under specific network conditions involving dropped packets and out-of-order sequence counters, the server may incorrectly process fragmented data chunks. If a sequence reset notificatio...

CVE-2026-6180 PaperCut MF: Card truncation on HP readers

A race condition exists in PaperCut MF when processing badge-swipe data from certain HP multifunction devices. Under specific network conditions involving dropped packets and out-of-order sequence counters, the server may incorrectly process fragmented data chunks. If a sequence reset notificatio...

CVE-2026-6180

A race condition exists in PaperCut MF when processing badge-swipe data from certain HP multifunction devices. Under specific network conditions involving dropped packets and out-of-order sequence counters, the server may incorrectly process fragmented data chunks. If a sequence reset notificatio...

CVE-2026-6180 PaperCut MF: Card truncation on HP readers

A race condition exists in PaperCut MF when processing badge-swipe data from certain HP multifunction devices. Under specific network conditions involving dropped packets and out-of-order sequence counters, the server may incorrectly process fragmented data chunks. If a sequence reset notificatio...

CVE-2026-4803

The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'status' parameter in the wprupdateformactionmeta AJAX action in all versions up to, and including, 1.7.1056. This is due to insufficient input sanitization and output escaping, combined with a...

CVE-2026-6701

The addfreespace plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scrip...

ERPNext 代码注入漏洞

ERPNext is a set of open-source enterprise resource planning solutions developed by the Indian company ERPNext. Version 13.4.0 of ERPNext contains a code injection vulnerability. This vulnerability stems from a sandbox escape vulnerability present in RestrictedPython. It allows authenticated user...

PT-2026-36982

Name of the Vulnerable Software and Affected Versions PaperCut MF affected versions not specified Description A race condition occurs when processing badge-swipe data from specific HP multifunction devices. Under certain network conditions involving dropped packets and out-of-order sequence...

FacturaScripts 安全漏洞

FacturaScripts is an open-source ERP software developed by Carlos Garcia, a Spanish developer. Versions of FacturaScripts prior to 2025.92 contained security vulnerabilities. These vulnerabilities stemmed from the lack of validation of the nick parameter in the POST request of the EditUser...

PT-2026-36960

Name of the Vulnerable Software and Affected Versions Publish 2 Ping.fm plugin for WordPress versions prior to 1.2 Description Cross-Site Request Forgery occurs due to missing or incorrect nonce validation on the '/wp-admin/options-general.php?page=admin.php' page. This allows unauthenticated...

Malicious code in lazyhtml-scripts (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 45abfd9582509b7e6ded4a7ce678a25aef82365186bba18330d6f76f1cf3c5ea The package lazyhtml-scripts was found to contain malicious code. Source: ossf-package-analysis...

MAL-2026-3331 Malicious code in lazyhtml-scripts (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 45abfd9582509b7e6ded4a7ce678a25aef82365186bba18330d6f76f1cf3c5ea The package lazyhtml-scripts was found to contain malicious code. Source: ossf-package-analysis...

CVE-2026-43616

Detect-It-Easy prior to 3.21 contains a path traversal vulnerability that allows attackers to write arbitrary files to the filesystem by crafting malicious archive entries with relative traversal sequences or absolute paths. Attackers can exploit insufficient path normalization during archive...

EUVD-2026-27081

Detect-It-Easy prior to 3.21 contains a path traversal vulnerability that allows attackers to write arbitrary files to the filesystem by crafting malicious archive entries with relative traversal sequences or absolute paths. Attackers can exploit insufficient path normalization during archive...