CVE-2026-56424

MISP core contained multiple broken access-control flaws where authorization checks were performed against the wrong entity, or where ownership/editability checks were missing on write paths. In affected subsystems, a lower-privileged authenticated user with the relevant feature permission could...

EUVD-2026-38227

MISP core contained multiple broken access-control flaws where authorization checks were performed against the wrong entity, or where ownership/editability checks were missing on write paths. In affected subsystems, a lower-privileged authenticated user with the relevant feature permission could...

PT-2026-41844

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. Please note that in the updated version, "Data Resource" records with...

CVE-2026-5559

AntaresMugisho PyBlade 0.1.8-alpha/0.1.9-alpha is affected by a vulnerability in sandbox.py:_is_safe_ast within the AST Validation component. The flaw enables improper neutralization of special elements in the template engine, with remote-exploitation potential. Exploit has been disclosed publicl...

CVE-2026-2969

A flaw has been found in datapizza-labs datapizza-ai 0.0.2. Affected is the function ChatPromptTemplate of the file datapizza-ai-core/datapizza/modules/prompt/prompt.py of the component Jinja2 Template Handler. This manipulation of the argument Prompt causes improper neutralization of special...

CVE-2026-2969 datapizza-labs datapizza-ai Jinja2 Template prompt.py ChatPromptTemplate special elements used in a template engine

A flaw has been found in datapizza-labs datapizza-ai 0.0.2. Affected is the function ChatPromptTemplate of the file datapizza-ai-core/datapizza/modules/prompt/prompt.py of the component Jinja2 Template Handler. This manipulation of the argument Prompt causes improper neutralization of special...

CVE-2026-2969

CVE-2026-2969 affects datapizza-labs datapizza-ai 0.0.2, specifically the Jinja2 Template Handler’s ChatPromptTemplate in datapizza-ai-core/datapizza/modules/prompt/prompt.py. The vulnerability arises from manipulation of the Prompt argument that leads to improper neutralization of special elemen...

CVE-2026-1943 YayMail <= 4.3.2 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via Template Elements

The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 4.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop...

CVE-2026-1943

CVE-2026-1943 concerns the WordPress plugin YayMail – WooCommerce Email Customizer (versions

WordPress YayMail plugin <= 4.3.2 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via Template Elements vulnerability

Authenticated Shop Manager+ Stored Cross-Site Scripting via Template Elements vulnerability discovered by whizzu in WordPress Plugin YayMail – WooCommerce Email Customizer versions = 4.3.2...

CVE-2025-14731 CTCMS Content Management System Frontend/Template Management CT_Parser.php special elements used in a template engine

A weakness has been identified in CTCMS Content Management System up to 2.1.2. This affects an unknown function in the library /ctcms/apps/libraries/CTParser.php of the component Frontend/Template Management Module. This manipulation causes improper neutralization of special elements used in a...

EUVD-2025-25105

Malicious code in bioql PyPI...

The vulnerability of the module that summarizes the Workflow framework for scanning vulnerabilities in Osmedeus, allowing attackers to perform cross-site scripting attacks

The vulnerability of the Workflow framework’s module summary component is related to the failure to remove specific elements from web pages when generating reports based on the general-template.md template. Exploiting this vulnerability allows a remote attacker to perform cross-site scripting...

The vulnerability of the ssvpn_config_mod function in the /vpn/list_vpn_web_custom.php web interface of the Raisecom MSG1200, MSG2100E, MSG2200, and MSG2300 router integrated software allows a malicious actor to execute arbitrary commands.

The vulnerability of the ssvpnconfigmod function in the /vpn/listvpnwebcustom.php web interface of the Raisecom MSG1200, MSG2100E, MSG2200, and MSG2300 router integrated software is related to the failure to eliminate special elements used in the command when processing parameters template and...

SUSE CVE-2013-1720

The nsHtml5TreeBuilder::resetTheInsertionMode function in the HTML5 Tree Builder in Mozilla Firefox before 24.0, Thunderbird before 24.0, and SeaMonkey before 2.21 does not properly maintain the state of the insertion-mode stack for template elements, which allows remote attackers to execute...

CVE-2018-17847

The html package aka x/net/html through 2018-09-25 in Go mishandles , leading to a "panic: runtime error" index out of range in nodeStack.pop in node.go, called from parser.clearActiveFormattingElements, during an html.Parse call...

CVE-2013-1720

The nsHtml5TreeBuilder::resetTheInsertionMode function in the HTML5 Tree Builder in Mozilla Firefox before 24.0, Thunderbird before 24.0, and SeaMonkey before 2.21 does not properly maintain the state of the insertion-mode stack for template elements, which allows remote attackers to execute...