24 matches found

OSV
added 2026/03/12 2:22 p.m. | 2 views

GHSA-RCP6-88MM-9VGF Copyparty has unexpected JavaScript execution via crafted URL to folder with `.prologue.html`

If an attacker has been given both read- and write-permissions to the server, they can upload a malicious file with the filename .prologue.html and then craft a link to potentially execute arbitrary JavaScript in the victim's context. Note that it is intended behavior that the JavaScript would...

CVSS 3.7 | AI score 5.9 | EPSS 0.0001
Exploits: 0 | References: 3

RedhatCVE
added 2026/01/23 9:14 p.m. | 2 views

CVE-2026-0534

A maliciously crafted HTML payload, stored in a part’s attribute and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the...

CVSS 8.1 | AI score 6 | EPSS 0.00024
Exploits: 0 | References: 1

RedhatCVE
added 2026/01/09 11:20 a.m. | 4 views

CVE-2021-22337

There is an Information Disclosure vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may cause leaking of user click data...

CVSS 5.3 | AI score 6.8 | EPSS 0.00111
Exploits: 0 | References: 1

Positive Technologies
added 2025/11/21 12:0 a.m. | 6 views

PT-2025-47790

This vulnerability allowed a site to enter fullscreen, after a user click, without a full-screen notification toast appearing. Without this notification, users could potentially be misled about what site they were on if a malicious site renders a fake UI like a fake address bar...

CVSS 7.4 | AI score 6.7 | EPSS 0.0003
Exploits: 0 | References: 2

OSV
added 2025/10/14 10:15 p.m. | 0 views

CVE-2025-54196

Adobe Connect versions 12.9 and earlier are affected by a URL Redirection to Untrusted Site ('Open Redirect') vulnerability. An attacker could leverage this vulnerability to redirect users to malicious websites. Exploitation of this issue requires user interaction in that a victim must click on a...

CVSS 6.1 | AI score 5.8
Exploits: 0 | References: 1

RedhatCVE
added 2025/10/13 7:21 a.m. | 1 view

CVE-2025-61929

Cherry Studio is a desktop client that supports multiple LLM providers. Cherry Studio registers a custom protocol called cherrystudio://. When handling the MCP installation URL, it parses the base64-encoded configuration data and directly executes the command within it. In the files...

CVSS 9.6 | AI score 7 | EPSS 0.00076
Exploits: 1 | References: 1

EUVD
added 2025/10/10 7:50 p.m. | 3 views

EUVD-2025-33778

Cherry Studio is a desktop client that supports multiple LLM providers. Cherry Studio registers a custom protocol called cherrystudio://. When handling the MCP installation URL, it parses the base64-encoded configuration data and directly executes the command within it. In the files...

CVSS 9.6 | AI score 6.5 | EPSS 0.00076
Exploits: 1 | References: 1

EUVD
added 2025/10/03 8:7 p.m. | 1 view

EUVD-2021-9483

Malicious code in bioql PyPI...

CVSS 5.3 | AI score 5.6 | EPSS 0.00111
Exploits: 0 | References: 1

Cvelist
added 2024/10/08 8:40 a.m. | 9 views

CVE-2024-46886

The web server of affected devices does not properly validate input that is used for a user redirection. This could allow an attacker to make the server redirect the legitimate user to an attacker-chosen URL. For a successful exploit, the legitimate user must actively click on an attacker-crafted...

CVSS 5.1 | EPSS 0.00093
Exploits: 0 | References: 1

Microsoft CVE
added 2024/08/06 7:0 a.m. | 13 views

Microsoft Dynamics 365 Cross-site Scripting Vulnerability

An unauthenticated attacker can exploit improper neutralization of input during web page generation in Microsoft Dynamics 365 to spoof over a network by tricking a user to click on a link...

CVSS 8.2 | AI score 7 | EPSS 0.00596
Exploits: 0

OSV
added 2024/06/06 11:15 p.m. | 0 views

CVE-2023-37539

The Domino Catalog template is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability. An attacker with the ability to edit documents in the catalog application/database created from this template can embed a cross-site scripting attack. The attack would be activated by an end user clicki...

CVSS 5.4 | AI score 5.2
Exploits: 0 | References: 1

UbuntuCve
added 2023/11/21 3:15 p.m. | 22 views

CVE-2023-6211

If an attacker needed a user to load an insecure http: page and knew that user had enabled HTTPS-only mode, the attacker could have tricked the user into clicking to grant an HTTPS-only exception if they could get the user to participate in a clicking game. This vulnerability affects Firefox 120...

CVSS 6.5 | AI score 6.8 | EPSS 0.00135
Exploits: 0 | References: 5

CNNVD
added 2023/04/10 12:0 a.m. | 0 views

China Mobile OA Mailbox PC security vulnerability

China Mobile OA Mailbox PC is a mailbox-related application from China Mobile (China). A security vulnerability exists in China Mobile OA Mailbox PC version v2.9.23, which can be exploited by an attacker to send a crafted EML file to a user's OA mailbox, and when the user clicks on the interaction,...

CVSS 7.8 | AI score 7.8 | EPSS 0.00211
Exploits: 1 | References: 3

RedHat Linux
added 2022/07/01 12:27 a.m. | 1 view

Mozilla: CSP sandbox header without `allow-scripts` can be bypassed via retargeted javascript: URI

The Mozilla Foundation Security Advisory describes this flaw as: An iframe that was not permitted to run scripts could do so if the user clicked on a javascript: link...

CVSS 8.8 | AI score 7.3 | EPSS 0.00523
Exploits: 0 | References: 6

RedHat Linux
added 2022/06/30 10:0 p.m. | 1 view

Mozilla: CSP sandbox header without `allow-scripts` can be bypassed via retargeted javascript: URI

The Mozilla Foundation Security Advisory describes this flaw as: An iframe that was not permitted to run scripts could do so if the user clicked on a javascript: link...

CVSS 8.8 | AI score 7.3 | EPSS 0.00523
Exploits: 0 | References: 6

ATTACKERKB
added 2022/05/11 4:15 p.m. | 1 view

CVE-2022-23137

ZTE's ZXCDN product has a reflective XSS vulnerability. The attacker could modify the parameters in the content clearing request url, and when a user clicks the url, an XSS attack will be triggered...

CVSS 6.1 | AI score 6.3 | EPSS 0.00317
Exploits: 0 | References: 2

OpenVAS
added 2021/11/08 12:0 a.m. | 23 views

Mozilla Firefox Security Advisory (MFSA2016-06) - Linux

This host is missing a security update for Mozilla Firefox. Copyright (C) 2021 Greenbone Networks GmbH. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later. This program is free software; y...

CVSS 6.1 | AI score 7.9 | EPSS 0.00353
Exploits: 0 | References: 3

Hacker One
added 2021/10/22 8:58 p.m. | 27 views

Slack: [Android] Directory traversal leading to disclosure of auth tokens

Files uploaded to and opened in Slack with specially-crafted names could cause the Android operating system to overwrite configuration files on customer devices, potentially exposing Slack data to attacker-controlled websites. In order to take advantage of this vulnerability, attackers needed to ...

AI score 3
Exploits: 0

NVD
added 2021/06/03 8:15 p.m. | 19 views

CVE-2021-22337

There is an Information Disclosure vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may cause leaking of user click data...

CVSS 5.3 | EPSS 0.00111
Exploits: 0 | References: 1

OSV
added 2021/06/03 8:15 p.m. | 0 views

CVE-2021-22337

There is an Information Disclosure vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may cause leaking of user click data...

CVSS 5.3 | AI score 5.8
Exploits: 0 | References: 1