CVE-2026-40302
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the proxyUi template engine uses Go's text/template, which performs no HTML escaping, instead of html/template. The GitHub OAuth callback handlers in both publicProxy and dynamicProxy embed the...
CVE-2026-35086 Apache OFBiz: Authenticated Remote Code Execution via Unsafe Template Expansion in email services
Improper Control of Generation of Code ('Code Injection') vulnerability in the email services of Apache OFBiz. This issue affects Apache OFBiz before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue...
EUVD-2026-20972
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.5, the safeEjs.ts file does not properly sanitize EJS templates. Users with the Manage customization capability can run arbitrary JavaScript in the context of the OpenCTI platform...
PT-2026-30429
A vulnerability has been found in AntaresMugisho PyBlade 0.1.8-alpha/0.1.9-alpha. The affected element is the function is_safe_ast of the file sandbox.py of the component AST Validation. Such manipulation leads to improper neutralization of special elements used in a template engine. The attack m...
SUSE CVE-2026-26195
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, stored XSS is still possible through unsafe template rendering that mixes user input with `safe` plus permissive sanitizer handling of data URLs. This issue has been patched in version 0.14.2...
CVE-2026-26195
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, stored XSS is still possible through unsafe template rendering that mixes user input with `safe` plus permissive sanitizer handling of data URLs. This issue has been patched in version 0.14.2...
EUVD-2026-9853
Gogs: Stored XSS in branch and wiki views through author and committer names...
CVE-2026-26195
Gogs prior to v0.14.2 is affected by a stored XSS due to unsafe template rendering that mixes user input with a permissive sanitizer for data URLs. The issue enables stored cross-site scripting via data URLs and has been patched in v0.14.2. CVSS v4.0 base metrics indicate a MEDIUM severity (6.9) ...
PT-2026-23486
Name of the Vulnerable Software and Affected Versions: Gogs versions prior to 0.14.2. Description: Gogs, a self-hosted Git service, contains a stored cross-site scripting (XSS) issue due to unsafe template rendering. The issue arises from mixing user input with permissive sanitizer handling of data UR...
CVE-2026-2452
The CVE-2026-2452 issue affects pretix email templates where placeholders are used to inject data. A security bug allowed exfiltration of sensitive information from the system configuration via specially crafted placeholder names (for example {{event.init .code .co_filename}}), enabling an attack...
RHEL 7 : ansible (RHSA-2019:3789)
The remote Red Hat Enterprise Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2019:3789 advisory. Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH a...
RHEL 7 : ansible (RHSA-2019:3744)
The remote Red Hat Enterprise Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2019:3744 advisory. Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH a...
alf.io Code Injection Vulnerability
alf.io is an open source ticket reservation system. A security vulnerability exists in versions prior to alf.io 2.0-M4-2304, which stems from improper neutralization of special elements used in a template engine...
CVE-2022-25303
The package whoogle-search before 0.7.2 is vulnerable to Cross-site Scripting (XSS) via the query string parameter q. In the case where it does not contain the http string, it is used to build the error message that is then rendered in the error.html template, using the flask.render_template functio...
UBUNTU-CVE-2019-20920
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars...
UBUNTU-CVE-2020-8865
This vulnerability allows remote attackers to execute local PHP files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists within edit.php. When parsing the params[template] parameter, the process doe...
ansible: unsafe template evaluation of returned module data can lead to information disclosure
A flaw was discovered in the way Ansible templating was implemented, allowing information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution, the content of any variable may be disclosed...
RHEL 7 : ansible (RHSA-2019:1705)
The remote Red Hat Enterprise Linux 7 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2019:1705 advisory. Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does n...