CVE-2026-38432

ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting XSS in the Email Template engine. An attacker with permission to create or edit email templates can inject malicious JavaScript code that are executed on the victim's browser when the template is applied...

CVE-2026-26009

Catalyst is a platform built for enterprise game server hosts, game communities, and billing panel integrations. Install scripts defined in server templates execute directly on the host operating system as root via bash -c, with no sandboxing or containerization. Any user with template.create or...

CVE-2026-26009

Catalyst is a platform built for enterprise game server hosts, game communities, and billing panel integrations. Install scripts defined in server templates execute directly on the host operating system as root via bash -c, with no sandboxing or containerization. Any user with template.create or...

CVE-2026-26009 Catalyst Affected by Remote Code Execution as Root via Containerized Install Script Execution

Catalyst is a platform built for enterprise game server hosts, game communities, and billing panel integrations. Install scripts defined in server templates execute directly on the host operating system as root via bash -c, with no sandboxing or containerization. Any user with template.create or...

CVE-2026-26009

CVE-2026-26009 affects the Catalyst platform used for enterprise game server hosting, game communities, and billing panel integrations. The issue arises because install scripts defined in server templates run on the host OS via bash -c without sandboxing or containerization. Any user with templat...

PT-2026-7439

Name of the Vulnerable Software and Affected Versions Catalyst versions prior to 11980aaf3f46315b02777f325ba02c56b110165d Description The platform allows users with template.create or template.update permissions to define arbitrary shell commands within server templates. These commands are execut...

PT-2026-3875

Name of the Vulnerable Software and Affected Versions Backstage versions prior to 0.12.2, 0.13.2, 0.14.1, and 0.15.0 @backstage/plugin-scaffolder-backend versions prior to 2.2.2, 3.0.2, and 3.1.1 @backstage/plugin-scaffolder-node versions prior to 0.11.2 and 0.12.3 Description The software is...

PT-2025-51258

Name of the Vulnerable Software and Affected Versions Frappe ERPNext versions through 15.89.0 Description A Server-Side Template Injection SSTI issue exists in the get address display method. This function uses frappe.render template with a context from the address dict parameter, which can be a...

PT-2025-24526 · Sprig +1 · Sprig +1

Name of the Vulnerable Software and Affected Versions: Listmonk versions 4.0.0 through 5.0.2 Description: Listmonk is a standalone, self-hosted, newsletter and mailing list manager. The env and expandenv template functions, enabled by default in Sprig, allow capturing of environment variables on...

CVE-2022-43720

CVE-2022-43720 affects Apache Superset (notified in multiple sources). An authenticated attacker with write permissions on CSS templates can create a record containing specific HTML tags that are not properly escaped by the toast message shown when deleting that CSS template, enabling HTML/Script...