453 matches found

Nuclei
added 16 hours ago, 20 views

Jeg Elementor Kit < 2.5.7 - Unauthenticated Settings Update

The Jeg Elementor Kit plugin for WordPress is vulnerable to authorization bypass in various functions used to update the plugin settings in versions up to, and including, 2.5.6. Unauthenticated users can use an easily available nonce, obtained from pages edited by the plugin, to update the...

8.6 CVSS, 7.1 AI score, 0.01594 EPSS
Exploits: 1, References: 4
Snyk
added 2026/06/12 9:0 p.m., 5 views

Improper Encoding or Escaping of Output

Overview fabric is an Object model for HTML5 canvas, and SVG-to-canvas parser. Backed by jsdom and node-canvas. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the toSVG and getSvgStyles/getSvgSpanStyles paths in the gradient, object, and text SVG...

5.4 CVSS, 5.5 AI score, 0.00188 EPSS
Exploits: 0, References: 3
OSSF Malicious Packages
added 2026/06/09 5:24 p.m., 10 views

Malicious code in commons-ui-styles (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8b9fb701d18bde61d1dc783f0575a4d83bc0eba2653bd0832d0fc26bc9e85b48 [email protected] is an empty placeholder package index.js exports , description/author blank, version bumped to 99.9.1 — the classic...

5.5 AI score
Exploits: 0, References: 1
OSV
added 2026/06/09 5:24 p.m., 9 views

MAL-2026-5437 Malicious code in commons-ui-styles (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8b9fb701d18bde61d1dc783f0575a4d83bc0eba2653bd0832d0fc26bc9e85b48 [email protected] is an empty placeholder package index.js exports , description/author blank, version bumped to 99.9.1 — the classic...

5.5 AI score
Exploits: 0, References: 1
RedhatCVE
added 2026/06/05 7:32 p.m., 7 views

CVE-2026-6703

The Responsive Blocks – Page Builder for Blocks & Patterns plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.2.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticat...

4.3 CVSS, 5.4 AI score, 0.0023 EPSS
Exploits: 0, References: 1
Vulnrichment
added 2026/06/04 11:5 p.m., 6 views

CVE-2026-11156

Inappropriate implementation in CSS in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. Chromium security severity: Medium...

5.5 AI score, 0.00152 EPSS
Exploits: 0, References: 2
Packet Storm News
added 2026/06/04 12:0 a.m., 12 views

Exploring the Connection between Coding Habits and Cognitive Styles in Malware Developers

Malware research primarily studies the results, the methods, and the impact. Even from an offensive security perspective, what is examined is the method, not the development strategy of the offender. This study investigates the behavioral signatures and coding patterns embedded in the malware...

5.4 AI score
Exploits: 0
SUSE CVE
added 2026/05/30 2:7 a.m., 11 views

SUSE CVE-2026-41159

Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the fontFamily, themeCSS, and altFontFamily configuration...

5.3 CVSS, 5.8 AI score, 0.00398 EPSS
Exploits: 0, References: 3
CVE
added 2026/05/25 7:11 p.m., 59 views

CVE-2026-48843

Roundcube Webmail 1.6.x (1.6.14–1.6.16) and 1.7.x before 1.7.1 expose an issue where insufficient CSS sanitization in HTML email messages can cause SSRF or information disclosure, for example via stylesheet links pointing to local network hosts. This stems from an insufficient fix for CVE-2026-35...

7.2 CVSS, 5.8 AI score, 0.00301 EPSS
Exploits: 0, References: 5
RedhatCVE
added 2026/05/04 8:21 p.m., 3 views

CVE-2026-6378

The Maxi Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the /wp-json/maxi-blocks/v1.0/style-card REST API endpoint in all versions up to, and including, 2.1.9 due to insufficient input sanitization and output escaping of the scstyles parameter. This makes it possible...

6.4 CVSS, 6 AI score, 0.00234 EPSS
Exploits: 0, References: 1
AstraLinux
added 2026/05/03 11:59 p.m., 6 views

Astra Linux – Vulnerability in Firefox, Thunderbird

When saving a page as a PDF, certain font styles might lead to a potential “use-after-free” crash. This vulnerability affects Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11...

8.8 CVSS, 6.8 AI score, 0.00592 EPSS
Exploits: 1, References: 2
ATTACKERKB
added 2026/05/02 3:36 a.m., 3 views

CVE-2026-6378

The Maxi Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the /wp-json/maxi-blocks/v1.0/style-card REST API endpoint in all versions up to, and including, 2.1.9 due to insufficient input sanitization and output escaping of the scstyles parameter. This makes it possible...

6.4 CVSS, 6 AI score, 0.00234 EPSS
Exploits: 0, References: 11
NVD
added 2026/04/21 7:16 a.m., 1 views

CVE-2026-6703

The Responsive Blocks – Page Builder for Blocks & Patterns plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.2.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticat...

4.3 CVSS, 0.0023 EPSS
Exploits: 0, References: 8
OSSF Malicious Packages
added 2026/04/13 3:25 p.m., 7 views

Malicious code in @cash-web/no-hardcoded-font-styles (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector de4c59cdf3bb5203f5c7721d9180aa09a481a9dd1a6f6aaaf9ca43db40f07287 The package @cash-web/no-hardcoded-font-styles was found to contain malicious code. Source: ghsa-malware...

5.7 AI score
Exploits: 0, References: 1
OSV
added 2026/04/13 3:25 p.m., 2 views

MAL-2026-2580 Malicious code in @cash-web/no-hardcoded-font-styles (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector de4c59cdf3bb5203f5c7721d9180aa09a481a9dd1a6f6aaaf9ca43db40f07287 The package @cash-web/no-hardcoded-font-styles was found to contain malicious code. Source: ghsa-malware...

5.7 AI score
Exploits: 0, References: 1
Vulnrichment
added 2026/04/07 7:17 p.m., 2 views

CVE-2026-39838 ProofreadPage improperly sanitizes multiline styles using Sanitizer::checkCSS

Improper neutralization of input during web page generation 'cross-site scripting' vulnerability in Wikimedia Foundation MediaWiki - ProofreadPage Extension allows XSS Targeting Non-Script Elements. The issue has been remediated on the master branch, and in the release branches for MediaWiki...

6.9 CVSS, 5.7 AI score, 0.00402 EPSS
Exploits: 0, References: 2
Cvelist
added 2026/04/07 7:17 p.m., 15 views

CVE-2026-39838 ProofreadPage improperly sanitizes multiline styles using Sanitizer::checkCSS

Improper neutralization of input during web page generation 'cross-site scripting' vulnerability in Wikimedia Foundation MediaWiki - ProofreadPage Extension allows XSS Targeting Non-Script Elements. The issue has been remediated on the master branch, and in the release branches for MediaWiki...

6.9 CVSS, 0.00402 EPSS
Exploits: 0, References: 2
CVE
added 2026/04/07 7:17 p.m., 8 views

CVE-2026-39838

CVE-2026-39838 affects the Wikimedia Foundation MediaWiki ProofreadPage extension. The flaw is due to improper neutralization of input during web page generation, enabling cross-site scripting (XSS) targeting Non-Script Elements. The CVE record notes the issue is tied to the ProofreadPage’s han...

6.9 CVSS, 5.8 AI score, 0.00402 EPSS
Exploits: 0, References: 2
NVD
added 2026/04/06 6:16 p.m., 4 views

CVE-2026-35046

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, Tandoor Recipes allows authenticated users to inject arbitrary tags into recipe step instructions. The bleach.clean sanitizer explicitly whitelists the tag, causing the backend to...

5.4 CVSS, 0.00173 EPSS
Exploits: 1, References: 2
CISA KEV Catalog
added 2026/03/18 12:0 a.m., 17 views

Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability

Synacor Zimbra Collaboration Suite ZCS contains a cross-site scripting vulnerability in the Classic UI where attackers could abuse Cascading Style Sheets CSS @import directives in email HTML...

7.2 CVSS, 5.6 AI score, 0.12009 EPSS
In wild, Exploits: 0