CVE-2026-5500

wolfSSL's wcPKCS7DecodeAuthEnvelopedData does not properly sanitize the AES-GCM authentication tag length received and has no lower bounds check. A man-in-the-middle can therefore truncate the mac field from 16 bytes to 1 byte, reducing the tag check from 2⁻¹²⁸ to 2⁻⁸...

Linux Distros Unpatched Vulnerability : CVE-2026-8796

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Sereal::Decoder versions before 5.005 for Perl allow heap out-of-bounds read via crafted input. In Perl/Decoder/srldecoder.c, srlreadobject and srlreadhash...

CVE-2026-45017

CVE-2026-45017 affects the Python Liquid engine. Before 2.2.0, FileSystemLoader and CachingFileSystemLoader fail to guard against reading files outside the search path when given absolute paths, enabling a malicious template author to load and render arbitrary files via {% include %} and {% rende...

CVE-2026-39823

CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, leading to XSS...

Cross-site Scripting (XSS)

Overview org.webjars.npm:postcss is a PostCSS is a tool for transforming styles with JS plugins. Affected versions of this package are vulnerable to Cross-site Scripting XSS in CSS Stringify Output. An attacker can execute arbitrary JavaScript code in the context of the affected web page by...

CVE-2026-35046

CVE-2026-35046 affects Tandoor Recipes prior to version 2.6.4. Authenticated users can inject arbitrary tags into recipe step instructions. The bleach.clean() sanitizer explicitly whitelists , allowing the backend to persist and serve unsanitized CSS payloads via the API. Clients rendering instr...

CVE-2026-33991 WeGIA has SQL Injection in deletar_tag.php

WeGIA is a web manager for charitable institutions. Prior to version 3.6.7, the file html/socio/sistema/deletartag.php uses extract$REQUEST on line 14 and directly concatenates the $idtag variable into SQL queries on lines 16-17 without prepared statements or sanitization. Version 3.6.7 patches t...

CVE-2026-33548 MantisBT has Stored HTML Injection / XSS when displaying Tags in Timeline

Mantis Bug Tracker MantisBT is an open source issue tracker. In version 2.28.0, improper escaping of tag names retrieved from History in Timeline myviewpage.php allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript, when displaying a tag that has...

CVE-2026-33499 AVideo has Reflected XSS via unlockPassword Parameter in forbiddenPage.php and warningPage.php

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the view/forbiddenPage.php and view/warningPage.php templates reflect the $REQUEST'unlockPassword' parameter directly into an HTML tag's attributes without any output encoding or sanitization. An attacker can craf...

CVE-2026-30830

Summary of technical details (Defuddle CVE-2026-30830): The vulnerability arises in the findContentBySchemaText path of Defuddle (src/defuddle.ts) where image src and alt attributes are interpolated into HTML via a string template without escaping. If the image’s alt attribute contains a quotatio...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS due to the improper sanitization of HTML anchor tags in the comment and issue description functionality. An attacker can execute arbitrary JavaScript in the context of another user by injecting malicious links...

PT-2026-7317

Name of the Vulnerable Software and Affected Versions Docmost versions prior to 0.25.0 Description Docmost is collaborative wiki and documentation software. The public share page functionality does not properly HTML-escape page titles before inserting them into meta tags and the title tag. This...

WordPress Happy Addons for Elementor plugin <= 3.10.4 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via title_tag vulnerability

Authenticated Contributor+ DOM-Based Stored Cross-Site Scripting via titletag vulnerability discovered by wesley wcraft in WordPress Plugin Happy Addons for Elementor versions = 3.10.4...

CVE-2025-64633 WordPress Norebro Extra plugin <= 1.6.8 - Content Injection vulnerability

Improper Neutralization of Script-Related HTML Tags in a Web Page Basic XSS vulnerability in colabrio Norebro Extra norebro-extra allows Code Injection.This issue affects Norebro Extra: from n/a through = 1.6.8...

CVE-2024-32643 Masa CMS vulnerable to authentication bypass with /tag/

Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, if the URL to the page is modified to include a /tag/ declaration, the CMS will render the page regardless of group restrictions. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6...

Apache SkyWalking has a stored XSS vulnerability

There is an Improper Neutralization of Script-Related HTML Tags in a Web Page Basic XSS vulnerability in Apache SkyWalking. This issue affects Apache SkyWalking versions = 10.2.0. Users are recommended to upgrade to version 10.3.0, which fixes the issue. Version 10.3.0 has not been uploaded to th...

CVE-2025-54057

Improper Neutralization of Script-Related HTML Tags in a Web Page Basic XSS vulnerability in Apache SkyWalking. This issue affects Apache SkyWalking: = 10.2.0. Users are recommended to upgrade to version 10.3.0, which fixes the issue...

thunderbird: firefox: An OBJECT tag type attribute overrode browser behavior on web resources without a content-type

A flaw was found in Thunderbird and Firefox. The Mozilla Foundation's Security Advisory describes the following issue: A malicious page could have used the type attribute of an OBJECT tag to override the default browser behavior when encountering a web resource served without a content-type. This...

EUVD-2018-2622

Malware in sbrugna...

EUVD-2017-2445

Malware in sbrugna...