56 matches found
jastow: Jastow Cross-Site Scripting attack due to unsanitized URI
A flaw was found in Jastow. Jastow is vulnerable to Cross-Site Scripting XSS attack. If using a set of combined configuration to allow unescaped characters in URL with embedded Undertow and Jastow, a server might be vulnerable to improper input handling...
jastow: Jastow Cross-Site Scripting attack due to unsanitized URI
A flaw was found in Jastow. Jastow is vulnerable to Cross-Site Scripting XSS attack. If using a set of combined configuration to allow unescaped characters in URL with embedded Undertow and Jastow, a server might be vulnerable to improper input handling...
CVE-2025-12799
A flaw was found in Jastow. Jastow is vulnerable to Cross-Site Scripting XSS attack. If using a set of combined configuration to allow unescaped characters in URL with embedded Undertow and Jastow, a server might be vulnerable to improper input handling. Mitigation It is possible to contruct...
PT-2026-56203
Name of the Vulnerable Software and Affected Versions Jastow affected versions not specified Description Jastow is susceptible to Cross-Site Scripting XSS, a flaw where malicious scripts are injected into trusted websites. This occurs due to improper input handling of unsanitized URIs when a...
PYSEC-2026-659 mailman Cross-site scripting (XSS) vulnerability
Cross-site scripting XSS vulnerability in the driver script in mailman before 2.1.5 allows remote attackers to inject arbitrary web script or HTML via a URL, which is not properly escaped in the resulting error page...
GO-2026-5436 Anyquery: AppleScript/JXA Code Injection via Unescaped URL in macOS Chrome Plugin in github.com/julien040/anyquery/plugins/brave
Anyquery: AppleScript/JXA Code Injection via Unescaped URL in macOS Chrome Plugin in github.com/julien040/anyquery/plugins/brave...
CVE-2026-42846 ClipBucket: Remote Play URL Command Injection
ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - 140, ClipBucket's Remote Play feature allows any authenticated user to add a video by importing an external URL as the source. Some shell commands are run with the URL as a parameter. The URL is concatenated directly...
PT-2026-48790
Name of the Vulnerable Software and Affected Versions ClipBucket versions prior to 5.5.3 Description The Remote Play feature in ClipBucket v5 allows authenticated users to import external URLs as video sources. The application concatenates these URLs directly into shell commands without proper...
CVE-2026-48927
Jenkins buildgraph-view Plugin 1.8 and earlier does not escape the build URL, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure jobs or views...
PT-2026-44020
Jenkins buildgraph-view Plugin 1.8 and earlier does not escape the build URL, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure jobs or views...
GHSA-XW67-CG5F-4M2R AVideo: OS command injection in on_publish.php execAsync via unescaped m3u8 URL
Summary Type: Classic shell-metacharacter injection. The YPTSocket notification branch in plugin/Live/onpublish.php builds an execAsync command line by string concatenation, single-quoting each argument but never calling escapeshellarg. A ' in any of the three interpolated values $usersid, $m3u8,...
DEBIAN-CVE-2026-39823
CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, leading to XSS...
CVE-2026-42524
Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission...
CVE-2026-42524
CVE-2026-42524 : Jenkins HTML Publisher Plugin 427 and earlier is vulnerable to a stored XSS due to not escaping the job name and URL in the legacy wrapper file. This can be exploited by attackers with Item/Configure permission. The public descriptions identify the affected component and the root...
CVE-2026-33319 AVideo Vulnerable to OS Command Injection via Unescaped URL in LinkedIn Video Upload Shell Command
WWBN AVideo is an open source video platform. Prior to version 26.0, the uploadVideoToLinkedIn method in the SocialMediaPublisher plugin constructs a shell command by directly interpolating an upload URL received from LinkedIn's API response, without sanitization via escapeshellarg. If an attacke...
AVideo has an OS Command Injection via Unescaped URL in LinkedIn Video Upload Shell Command
Summary The uploadVideoToLinkedIn method in the SocialMediaPublisher plugin constructs a shell command by directly interpolating an upload URL received from LinkedIn's API response, without sanitization via escapeshellarg. If an attacker can influence the LinkedIn API response via MITM, compromis...
CVE-2026-21871
Summary: NiceGUI (Python UI framework) versions 2.13.0–3.4.1 are affected by a DOM-based XSS vulnerability in ui.navigate.history.push() and ui.navigate.history.replace(). If an attacker-supplied string is embedded into generated JavaScript without proper escaping, it can escape the string contex...
EUVD-2012-3457
Malware in sbrugna...
EUVD-2021-11705
Malware in sbrugna...
EUVD-2024-1028
Malicious code in bioql PyPI...