ALPINE-CVE-2026-5222

Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the...

PT-2026-43024

Name of the Vulnerable Software and Affected Versions Cargo versions 1.68 through 1.95 Description Cargo incorrectly normalized URLs of third-party registries using the sparse index protocol. In scenarios where a hosting provider allows multiple registries to be hosted with arbitrary names within...

PT-2024-38169 · Hostgator · Hostgator

Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided descriptions. Description: A vulnerability in multi-tenant hosting allows an authenticated sender to spoof the identity of a shared, hosted domain, thus bypassing security measure...

PT-2024-40480 · Packagist · Silverstripe/Framework

Name of the Vulnerable Software and Affected Versions: No specific software or versions mentioned. Description: The issue arises from the LoginForm calling the disableSecurityToken function, which leads to a "shared host domain" vulnerability. This vulnerability is related to the way security...

Shopify: [h1-2102] Stored XSS in product description via `productUpdate` GraphQL query leads to XSS at handshake-web-internal.shopifycloud.com/products/[ID]

This is most likely going to be a duplicate, so I'll keep it short. A stored cross site scripting vulnerability exists at handshake-web-internal.shopifycloud.com through the product description field. Recruirements A shop with the Handshake plugin enabled and set-up Reproduction steps 1. Add a...