4564 matches found

Positive Technologies
added 2026/01/14 12:0 a.m., 5 views

PT-2026-2941

Name of the Vulnerable Software and Affected Versions: Drupal Flag versions 7.X-3.0 through 7.X-3.9. Description: A flaw exists in Drupal Flag that allows for Cross-Site Scripting (XSS). This issue is due to improper neutralization of input during web page generation. An attacker could potentially...

CVSS: 5.4, AI score: 6, EPSS: 0.00175
Exploits: 1, References: 6

CVE
added 2026/01/13 10:52 p.m., 11 views

CVE-2023-54329

Inbit Messenger 4.6.0–4.9.0 is affected by an unauthenticated remote command execution via a stack overflow in the messenger’s protocol. The vulnerability allows attackers to send specially crafted XML packets to TCP port 10883 to trigger execution of arbitrary commands with system privileges. Th...

CVSS: 9.8, AI score: 8, EPSS: 0.01034
Exploits: 1, References: 4, Affected Software: 1

vulnersOsv
added 2026/01/13 9:48 p.m., 5 views

afipcaeqrdecode (=0.0.15), afw (>=0.0.6 <=0.0.21) +209 more potentially affected by CVE-2026-23949 via jaraco-context (>=5.3.0 <=6.0.2)

jaraco-context PYPI version =5.3.0, =0.0.6, =0.1.0, =0.1.23, =0.0.1, =0.9.5, =1.0.5, =0.1.6, =0.1.0, =0.0.2, =0.1.2, =1.0.1, =1.0.1.9 - azvaultcopy =1.0.0b1 and more Source cves: CVE-2026-23949 Source advisory: OSV:GHSA-58PV-8J8X-9VJ2...

CVSS: 8.6, AI score: 5.8, EPSS: 0.00527
Exploits: 1

Vulnrichment
added 2026/01/13 4:37 p.m., 2 views

CVE-2025-62182 Pega Customer Service Framework versions 8.7.0 through 25.1.0 are affected by an Unrestricted file upload vulnerability, where a privileged user could potentially upload a malicious file.

Pega Customer Service Framework versions 8.7.0 through 25.1.0 are affected by an Unrestricted file upload vulnerability, where a privileged user could potentially upload a malicious file...

CVSS: 5.3, AI score: 6.5, EPSS: 0.00247
Exploits: 0, References: 1

EUVD
added 2026/01/13 4:37 p.m., 3 views

EUVD-2026-2234

Pega Customer Service Framework versions 8.7.0 through 25.1.0 are affected by an Unrestricted file upload vulnerability, where a privileged user could potentially upload a malicious file...

CVSS: 5.3, AI score: 6.3, EPSS: 0.00247
Exploits: 0, References: 2

CNNVD
added 2026/01/13 12:0 a.m., 3 views

Cal.com Security Vulnerability

Cal.com is an open source scheduling software from Cal.com Open Source. A security vulnerability exists in Cal.com versions from 3.1.6 to before 6.0.7, which stems from a flaw in the custom NextAuth JWT callback that could allow an attacker to gain full authentication access to any user account...

CVSS: 10, AI score: 6, EPSS: 0.004
Exploits: 1, References: 2

Positive Technologies
added 2026/01/13 12:0 a.m., 5 views

PT-2026-2491

Name of the Vulnerable Software and Affected Versions: OpenC3 COSMOS versions 5.0.0 through 6.10.1. Description: OpenC3 COSMOS provides functionality to send commands to and receive data from embedded systems. Versions 5.0.0 through 6.10.1 contain a remote code execution issue reachable through the...

CVSS: 10, AI score: 8.2, EPSS: 0.00536
Exploits: 0, References: 7

vulnersOsv
added 2026/01/12 11:55 p.m., 0 views

3m (>=0.1.0 <=0.1.3), aap-llamaindex (>=0.1.1.dev1 <=0.2.0) +347 more potentially affected by CVE-2024-58339 via llama-index (>=0.10.0 <=0.9.48)

llama-index PYPI version =0.10.0, =0.1.0, =0.1.1.dev1, =0.1.8, =0.0.2, =1.4.3, =0.1.0a0.dev0, =0.2.0a0, =0.1.0, =0.1.0a1, =0.0.1, =1.1.0, =3.0.0, =3.1.14 and more Source cves: CVE-2024-58339 Source advisory: SNYK:PYTHON-LLAMAINDEX-14917160...

CVSS: 8.7, AI score: 5.4, EPSS: 0.00568
Exploits: 1

CNNVD
added 2026/01/12 12:0 a.m., 3 views

Termix Security Vulnerability

Termix is a server management platform for Karmaa individual developers. A security vulnerability exists in Termix versions 1.7.0 through 1.9.0, which stems from a file manager component that does not clean up the contents of SVG files before rendering them, which could lead to a stored cross-sit...

CVSS: 8, AI score: 5.6, EPSS: 0.00172
Exploits: 2, References: 1

vulnersOsv
added 2026/01/11 3:31 p.m., 3 views

com.amazonaws.serverless:aws-serverless-java-container-struts (=1.9), com.jgeppert.struts2.bootstrap:struts2-bootstrap-plugin (=5.0.0) +52 more potentially affected by CVE-2025-68493 via org.apache.struts:struts2-core (>=6.0.0 <=6.10.0)

org.apache.struts:struts2-core MAVEN version =6.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =1.4.0, =1.4.1, =1.4.0, =1.4.2 and more Source cves: CVE-2025-68493 Source advisory: OSV:GHSA-QCFC-HMRC-59X7 https://vulners.c...

CVSS: 8.1, AI score: 5.8, EPSS: 0.22475
Exploits: 1

Vulnrichment
added 2026/01/10 6:22 a.m., 3 views

CVE-2026-22704 haxcms-php 11.0.6 Stored XSS Leading to Account Takeover

HAX CMS helps manage microsite universe with PHP or NodeJs backends. In versions 11.0.6 to before 25.0.0, HAX CMS is vulnerable to stored XSS, which could lead to account takeover. This issue has been patched in version 25.0.0...

CVSS: 8, AI score: 6.3, EPSS: 0.01036
Exploits: 3, References: 2

RedhatCVE
added 2026/01/10 5:40 a.m., 5 views

CVE-2026-21894

n8n is an open source workflow automation platform. In versions from 0.150.0 to before 2.2.2, an authentication bypass vulnerability in the Stripe Trigger node allows unauthenticated parties to trigger workflows by sending forged Stripe webhook events. The Stripe Trigger creates and stores a Stri...

CVSS: 6.5, AI score: 7.1, EPSS: 0.00432
Exploits: 0, References: 1

OSV
added 2026/01/09 4:16 p.m., 2 views

CVE-2025-46644

Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.4.0.0, LTS2025 release version 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, LTS2023 release versions 7.10.1.0 through 7.10.1.70, contain an Improper Neutralization...

CVSS: 6.7, AI score: 5.8, EPSS: 0.00509
Exploits: 0, References: 1

RedhatCVE
added 2026/01/09 12:41 p.m., 4 views

CVE-2023-25195

Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache Fineract. Authorized users with limited permissions can gain access to server and may be able to use server for any outbound traffic. This issue affects Apache Fineract: from 1.4 through 1.8.3...

CVSS: 8.1, AI score: 7, EPSS: 0.00982
Exploits: 0, References: 1

RedhatCVE
added 2026/01/09 12:36 p.m., 5 views

CVE-2023-49108

Path traversal vulnerability exists in RakRak Document Plus Ver.3.2.0.0 to Ver.6.4.0.7 excluding Ver.6.1.1.3a. If this vulnerability is exploited, arbitrary files on the server may be obtained or deleted by a user of the product with specific privileges...

CVSS: 8.8, AI score: 6.9, EPSS: 0.00874
Exploits: 0, References: 1

RedhatCVE
added 2026/01/09 12:31 p.m., 6 views

CVE-2023-4658

An issue has been discovered in GitLab EE affecting all versions starting from 8.13 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the Allowed to merge permission as a guest user, when granted t...

CVSS: 3.1, AI score: 6.4, EPSS: 0.00385
Exploits: 0, References: 1

RedhatCVE
added 2026/01/09 11:21 a.m., 2 views

CVE-2021-22916

In Brave Desktop between versions 1.17 and 1.26.60, when adblocking is enabled and a proxy browser extension is installed, the CNAME adblocking feature issues DNS requests that used the system DNS settings instead of the extension's proxy settings, resulting in possible information disclosure...

CVSS: 5.9, AI score: 6.7, EPSS: 0.01826
Exploits: 0, References: 1

Vulnrichment
added 2026/01/09 11:15 a.m., 4 views

CVE-2025-13704 Autogen Headers Menu <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'head_class' Shortcode Parameter

The Autogen Headers Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'head_class' parameter of the 'autogenmenu' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVSS: 6.4, AI score: 4.8, EPSS: 0.0024
Exploits: 0, References: 5

RedhatCVE
added 2026/01/09 9:18 a.m., 3 views

CVE-2025-23876

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in No-Nonsense WP krpano wp-krpano allows Stored XSS. This issue affects WP krpano: from n/a through = 1.2.1...

CVSS: 6.5, AI score: 7.2, EPSS: 0.00357
Exploits: 0, References: 1

RedhatCVE
added 2026/01/09 9:16 a.m., 3 views

CVE-2025-40834

A vulnerability has been identified in Mendix RichText All versions = V4.0.0 V4.6.1. Affected widget does not properly neutralize the input. This could allow an attacker to execute cross-site scripting attacks...

CVSS: 6.8, AI score: 6.4, EPSS: 0.00201
Exploits: 0, References: 1