25 matches found
Regular Expression Denial of Service (ReDoS)
Overview: js-video-url-parser is a parser to extract provider, video id, starttime and others from YouTube, Vimeo, ... urls. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the getTime function in lib/util.js. An attacker can cause excessive...
EUVD-2026-21236
A weakness has been identified in Zod jsVideoUrlParser up to 0.5.1. The impacted element is the function getTime in the library lib/util.js. This manipulation of the argument timestamp causes inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit ha...
@1eg/theme-editor-cli (>=0.13.0 <=1.17.0), @aicontextlab/cli (>=0.0.0-dev <=0.2.2) +308 more potentially affected by CVE-2026-5986 via js-video-url-parser (>=0.2.8 <=0.5.1)
js-video-url-parser NPM version =0.2.8, =0.13.0, =0.0.0-dev, =0.2.5, =1.0.103, =0.12.77, =0.1.0, =0.1.136, =1.2.8, =1.2.8, =1.2.8, =1.2.8, =1.2.8, =1.2.8, =1.2.10 and more Source cves: CVE-2026-5986 Source advisory: SNYK:JS-JSVIDEOURLPARSER-15995499...
@1eg/theme-editor-cli (>=0.13.0 <=1.17.0), @aicontextlab/cli (>=0.0.0-dev <=0.2.2) +308 more potentially affected by CVE-2026-5986 via js-video-url-parser (>=0.2.8 <=0.5.1)
js-video-url-parser NPM version =0.2.8, =0.13.0, =0.0.0-dev, =0.2.5, =1.0.103, =0.12.77, =0.1.0, =0.1.136, =1.2.8, =1.2.8, =1.2.8, =1.2.8, =1.2.8, =1.2.8, =1.2.10 and more Source cves: CVE-2026-5986 Source advisory: OSV:GHSA-8FGX-WGVR-PCX8...
CVE-2026-26005 ClipBucket v5 enables internal network scans via an SSRF vulnerability
ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - 45, the Remote Play feature in ClipBucket v5 allows creating video entries that reference external video URLs without uploading the video files to the server. However, by specifying an internal network host in the video URL, an SS...
PT-2026-7902
ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - 45, the Remote Play feature in ClipBucket v5 allows creating video entries that reference external video URLs without uploading the video files to the server. However, by specifying an internal network host in the video URL, an SS...
Insertion of Sensitive Information into Log File
Overview: vllm is a high-throughput and memory-efficient inference and serving engine for LLMs. Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File via the videourl parameter, which allows remote files to be fetched and processed. An attacker can...
CVE-2025-3098
The Video Url plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'id' parameter in all versions up to, and including, 1.0.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts ...
CVE-2025-3098
CVE-2025-3098 concerns the Video Url WordPress plugin. It is a Reflected Cross-Site Scripting flaw via the id parameter in all versions up to and including 1.0.0.3, caused by insufficient input sanitization and output escaping. The impact is that unauthenticated attackers could inject script into...
CVE-2025-3098 Video Url <= 1.0.0.3 - Reflected Cross-Site Scripting
The Video Url plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'id' parameter in all versions up to, and including, 1.0.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts ...
WordPress plugin Video Url cross-site scripting vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A cross-site scripting vulnerability exists in...
WordPress Video Url plugin <= 1.0.0.3 - Reflected Cross-Site Scripting vulnerability
Reflected Cross-Site Scripting vulnerability discovered by johska in WordPress Plugin Video Url versions <= 1.0.0.3...
Cross-site Scripting (XSS) - Stored in slackero/phpwcms
✍️ Description Stored xss 🕵️♂️ Proof of Concept Plz check this 1 minute video https://drive.google.com/file/d/1ycKDrN3ot623c-iYTaJYFNCjxCXChNx1/view?usp=sharing 💥 Impact xss bug...
Microsoft Windows MSHTA.EXE .HTA File XML Injection Vulnerability
Microsoft Windows MSHTA.EXE .HTA File XML Injection Vulnerability. Vendor: www.microsoft.com. Product: Windows MSHTA.EXE .HTA File. An HTML Application (HTA) is a Microsoft Windows program whose source code consists of HTML, Dynamic HTML, and one or more scripting languages supported by Internet Explore...
Microsoft Windows CONTACT - Remote Code Execution Exploit
Exploit for windows platform in category local exploits + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-INSUFFECIENT-UI-WARNING-WEBSITE-LINK-ARBITRARY-CODE-EXECUTION.txt + ISR: ApparitionSec...
A week in security (December 10 – 16)
Last week on Labs, we took a look at some new Mac malware, a collection of various scraped data dumps, the protection of power grids, and how bad actors are using SMB vulnerabilities. Other cybersecurity news: Millions affected by Facebook photo API bug: An issue granted third-party apps more acce...
Steamed Hams
but it's a Metasploit Module This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Steamed Hams', 'Description' = "but it's a Metasploit Module", 'License' = MSFLICENSE, 'Author' = 'bcook-r7' ,...
Adobe: Parameter tampering can result in product price manipulation
Parameters set during the shopping cart checkout workflow are vulnerable to tampering. By intercepting POST requests and manipulating the XML payload, product prices could be set to arbitrary values. P.O.C Video URL: https://youtu.be/3VMlV7jyzg...
wordpress -- multiple vulnerabilities
WordPress versions 4.7.2 and earlier are affected by six security issues. Cross-site scripting (XSS) via media file metadata. Control characters can trick redirect URL validation. Unintended files can be deleted by administrators using the plugin deletion functionality. Cross-site scripting (XSS) via...