14240 matches found
CVE-2026-50704
A Stored Cross-Site Scripting XSS vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the File View breadcrumb renderer...
CVE-2026-50700
A Stored Cross-Site Scripting XSS vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the frappe.getavatar function...
Astra Linux – Vulnerability in Python 3.11
The poplib module, when a user-controlled command is passed to it, can have additional commands injected using newlines. Mitigation rejects commands that contain control characters...
CVE-2026-55736
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash allows a user to set the value of a private action argument that is intended to be controlled only by trusted server-side code. Action arguments declared with public?: false are meant t...
EUVD-2026-38570
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash allows a user to set the value of a private action argument that is intended to be controlled only by trusted server-side code. Action arguments declared with public?: false are meant t...
CVE-2026-55736
CVE-2026-55736 (Ash project) : A logic flaw in Ash allows end-user input to set private action arguments intended to be server-controlled. In non-atomic paths, private arguments are stripped only when the parameter key is an atom; if the key is a string, the private argument remains controllable ...
PT-2026-51644
Name of the Vulnerable Software and Affected Versions motionEye versions prior to 0.44.0 Description An absolute path traversal issue exists in multiple media file handlers within the media playback and download functionality. The affected handlers accept a user-controlled filename parameter and...
CVE-2026-50269
CVE-2026-50269 affects the AIOHTTP library (asyncio-based HTTP client/server). The issue is a CRLF/header injection vulnerability in multipart handling: attacker-controlled input passed to MultipartWriter.append(headers=...) or Payload.headers could allow modifying the outgoing request (injection...
Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1, Linux, Linux 5.15
In the Linux kernel, the following vulnerability has been resolved: Staging: ks7010 – potential buffer overflow in kswlansetencodeext. “exc-keylen” is a u16 value provided by the user. If this value exceeds IWENCODINGTOKENMAX 64, it could lead to memory corruption...
Astra Linux – Vulnerabilities in Linux 5.10, Linux 5.15
In the Linux kernel, the following vulnerability has been resolved: video: fbdev: s3fb: Check the size of the screen before memsetio In the function s3fbsetpar, the value of ‘screensize’ is calculated based on user input. If the user provides an incorrect value, the value of ‘screensize’ may be...
Astra Linux – Vulnerabilities in Linux 5.10, Linux 5.15
In the Linux kernel, the following vulnerability has been resolved: net: mvneta: Prevention of out-of-bounds read in mvnetaconfigrss The value of pp-indir0 comes from the user. It is passed to the function mvnetapercpuelect. Inside this function, there is a check to ensure that the value does not...
Astra Linux – Vulnerability in Twig
Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates whose names are user-inputs. It’s possible to use the source or include statement to read arbitrary files from outside the...
CVE-2026-12644
Versions of the package ts-deepmerge before 8.0.0 are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods such as toString, valueOf. When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken —...
PT-2026-50839
Name of the Vulnerable Software and Affected Versions ts-deepmerge versions prior to 8.0.0 Description An uncaught exception occurs due to improper handling of built-in Object.prototype methods, such as toString and valueOf. When user-controlled input contains these keys with non-function values,...
CVE-2026-54221
UBB.threads is affected by a Reflected XSS vulnerability (CVE-2026-54221). The issue is confirmed in version 7.7.5 and may affect other versions. The vulnerability allows an attacker to execute arbitrary JavaScript in a victim’s browser when the user clicks a crafted link, with user interaction r...
EUVD-2026-37857
In AndroidManifest.xml, there is a possible persistent denial of service due to a missing permission check. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation...
EUVD-2025-210215
In multiple locations, there is a possible 3rd party passkey entry pairing approval due to a missing permission check. This could lead to remote proximal/adjacent escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...
GHSA-M6QW-4CW2-HM4M aiohttp: CRLF injection in multipart headers
Summary Attacker-controlled input included into multipart/payload headers can be used to modify a request to inject additional headers or similar. Impact In the unlikely situation that an application is passing user-controlled strings into MultipartWriter.appendheaders=... or Payload.headers, the...
Cross-site Scripting (XSS)
Overview @angular/core is a package that lets you write client-side web applications as if you had a smarter browser. It also lets you use HTML as your template language and lets you extend HTML’s syntax to express your application’s components clearly and succinctly. Affected versions of this...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper handling of namespaced elements and attributes during template compilation and sanitization. An attacker can execute arbitrary JavaScript in the user's browser by injecting specially crafted templat...