
10 matches found

Github Security Blog
added 2 days ago, 3 views

protobufjs-cli: Code injection in pbjs static output from crafted JSON descriptor names

Summary A previous fix for unsafe name handling in pbjs static / static-module code generation was incomplete. Affected versions of protobufjs-cli could still emit unsafe JavaScript references when generating static output from crafted JSON descriptor input. The common case of parsing schemas fro...

CVSS 8.7 | AI score 5.9 | EPSS 0.0022
Exploits 0 | References 2 | Affected Software 1
OSV
added 2 days ago, 2 views

GHSA-PR59-H9PH-3FR8 protobufjs-cli: Code injection in pbjs static output from crafted JSON descriptor names

Summary A previous fix for unsafe name handling in pbjs static / static-module code generation was incomplete. Affected versions of protobufjs-cli could still emit unsafe JavaScript references when generating static output from crafted JSON descriptor input. The common case of parsing schemas fro...

CVSS 8.2 | AI score 5.6
Exploits 0 | References 2
Positive Technologies
added 2 days ago, 6 views

PT-2026-49586

Summary A previous fix for unsafe name handling in pbjs static / static-module code generation was incomplete. Affected versions of protobufjs-cli could still emit unsafe JavaScript references when generating static output from crafted JSON descriptor input. The common case of parsing schemas fro...

CVSS 8.7 | AI score 5.9 | EPSS 0.0022
Exploits 0 | References 3
CNNVD
added 2026/04/27 12:00 a.m., 6 views

Code-Projects Home Service System cross-site scripting vulnerability

The Code-Projects Home Service System is an open-source door-to-door service system developed by Code-Projects. Version 1.0 of the Code-Projects Home Service System contains a cross-site scripting vulnerability. This vulnerability stems from improper handling of parameters fname and lname in the...

CVSS 5.3 | AI score 5.6 | EPSS 0.00377
Exploits 0 | References 1
ATTACKERKB
added 2026/04/02 2:44 p.m., 4 views

CVE-2026-34728

phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the MediaBrowserController::index method handles file deletion for the media browser. When the fileRemove action is triggered, the user-supplied name parameter is concatenated with the base upload directory path without any...

CVSS 8.7 | AI score 5.7 | EPSS 0.00693
Exploits 1 | References 3 | Affected Software 1
CVE
added 2026/02/02 10:36 a.m., 13 views

CVE-2024-2356

The CVE-2024-2356 family affects parisneo/lollms-webui, with a Local File Inclusion (LFI) in the /reinstall_extension endpoint. The vulnerability targets the name parameter of the POST route, allowing an attacker to inject a malicious value that causes the server to load and execute arbitrary Pyt...

CVSS 9.6 | AI score 5.9 | EPSS 0.00769
Exploits 0 | References 2
RedhatCVE
added 2025/05/22 10:44 p.m., 4 views

CVE-2022-29049

Jenkins promoted builds Plugin 873.v6149dbd64130 and earlier, except 3.10.1, does not validate the names of promotions defined in Job DSL, allowing attackers with Job/Configure permission to create a promotion with an unsafe name...

CVSS 5.4 | AI score 6.5 | EPSS 0.00761
Exploits 0 | References 1
CNNVD
added 2024/12/29 12:00 a.m., 2 views

Simple Chat System code injection vulnerability

Simple Chat System is a chat application. It suffers from a cross-site scripting vulnerability that stems from the lack of sufficient validation and escaping of the name parameter input in the /admin/updateroom.php file. The vulnerability can be exploited to perform cross-site scripting attacks by...

CVSS 5.3 | AI score 6.1 | EPSS 0.00286
Exploits 0 | References 4
OSV
added 2024/06/06 7:16 p.m., 2 views

CVE-2024-4320

A remote code execution (RCE) vulnerability exists in the '/installextension' endpoint of the parisneo/lollms-webui application, specifically within the @router.post("/installextension") route handler. The vulnerability arises due to improper handling of the name parameter in the...

CVSS 9.8 | AI score 6.5 | EPSS 0.34354
Exploits 1 | References 1
Cvelist
added 2022/04/12 12:00 a.m., 13 views

CVE-2022-29049

Jenkins promoted builds Plugin 873.v6149dbd64130 and earlier, except 3.10.1, does not validate the names of promotions defined in Job DSL, allowing attackers with Job/Configure permission to create a promotion with an unsafe name...

AI score 6 | EPSS 0.00761
Exploits 0 | References 1