EUVD-2026-34469

Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted XML file. Chromium security severity: Medium...

CVE-2026-11169

CVE-2026-11169 concerns an improper XML handling in Google Chrome before version 149.0.7827.53 . The flaw is an incorrect implementation in Chrome’s XML processing, enabling a remote attacker to perform a UXSS-style attack by delivering a crafted XML file that injects arbitrary scripts or HTML. T...

CVE-2026-11035

This CVE concerns Google Chrome on Android via a flawed implementation in Custom Tabs. Prior to version 149.0.7827.53, an attacker could achieve local privilege escalation by supplying a crafted XML file. Affected component: Custom Tabs in Chrome for Android; root cause: inappropriate/incorrect i...

Microweber <1.2.12 - Stored Cross-Site Scripting

Microweber prior to 1.2.12 contains a stored cross-site scripting vulnerability. It allows unrestricted upload of XML files,. id: CVE-2022-0963 info: name: Microweber 1.2.12 - Stored Cross-Site Scripting author: amit-jd severity: medium description: | Microweber prior to 1.2.12 contains a stored...

Hitachi Vantara Pentaho/Business Intelligence Server - Authentication Bypass

Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x are vulnerable to authentication bypass. The Security Model has different layers of Access Control. One of these layers is the applicationContext security, which is defined in the...

CVE-2026-37428

qihang-wms commit 75c15a was discovered to contain a SQL injection vulnerability via the datascope parameter in the SysDeptMapper.xml file. This vulnerability allows attackers to access sensitive database information, including users' Personally Identifiable Information PII...

CVE-2026-31248

Docling's METS GBS backend is vulnerable to XML Entity Expansion XXE attacks thru 2.61.0. The backend extracts and validates XML files from .tar.gz archives using etree.fromstring without disabling entity resolution. An attacker can craft a malicious XML file with nested entity definitions XML Bo...

Astra Linux - уязвимость в pyxdg

A code injection issue was discovered in PyXDG before version 0.26, through crafted Python code within a Category element of a Menu XML document in a .menu file. The XDGCONFIGDIRS setting must be configured to trigger the xdg.Menu.parse parsing within the directory containing this file. This issu...

FacturaScripts 2025.43 - XSS

Exploit Title: FacturaScripts 2025.43 - XSS Date: 30-12-2025 Exploit Author: VETTRIVEL U Author Profile: https://www.linkedin.com/in/vettrivel2006 Vendor Homepage: https://facturascripts.com/ Software Link: https://github.com/NeoRazorX/facturascripts Affected Versions: = 2025.4, = 2025.11, =...

SUSE-SU-2026:1598-1 Security update for ImageMagick

This update for ImageMagick fixes the following issues: - CVE-2026-33899: Denial of Service via out-of-bounds write in XML parsing bsc1262154. - CVE-2026-33900: Denial of Service via integer truncation in viff encoder bsc1262156. - CVE-2026-33901: Denial of Service due to heap buffer overflow in...

perl-xml-parser: XML::Parser: Memory corruption via deeply nested XML files

A flaw was found in XML::Parser, a Perl module for parsing XML. This vulnerability, an off-by-one heap buffer overflow, occurs when processing an XML file with very deep element nesting. A remote attacker could exploit this by providing a specially crafted XML file, potentially leading to memory...

CVE-2026-33899

A flaw was found in ImageMagick. When processing a specially crafted XML file, a remote attacker could exploit an out-of-bounds write vulnerability. This could lead to a denial of service, making the affected program unavailable. Mitigation Mitigation for this issue is either not available or the...

Huawei EulerOS: Security Advisory for libvirt (EulerOS-SA-2026-1527)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVE-2026-3408

A vulnerability was identified in Open Babel up to 3.1.1. This impacts the function OBAtom::GetExplicitValence of the file isrc/atom.cpp of the component CDXML File Handler. Such manipulation leads to null pointer dereference. The attack can be launched remotely. The exploit is publicly available...

CVE-2026-24815 A XStream Security Vulnerability in XML Deserialization in datavane/tis

Unrestricted Upload of File with Dangerous Type, Deserialization of Untrusted Data vulnerability in datavane tis tis-plugin/src/main/java/com/qlangtech/tis/extension/impl modules. This vulnerability is associated with program files XmlFile.Java. This issue affects tis: before v4.3.0...

TIS security vulnerabilities

TIS is an agile code development platform open source by Datavane. Versions of TIS prior to v4.3.0 contained security vulnerabilities. These vulnerabilities stemmed from the program file XmlFile.Java, which allowed unlimited uploading of dangerous type files and untrusted data deserialization...

CVE-2026-0684 CP Image Store with Slideshow <= 1.1.9 - Missing Authorization to Authenticated (Contributor+) Arbitrary Product Import

The CP Image Store with Slideshow plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9 due to a logic error in the 'cpisadmininit' function's permission check. This makes it possible for authenticated attackers, with Contributor-level access and...

CVE-2023-49654

Missing permission checks in Jenkins MATLAB Plugin 2.11.0 and earlier allow attackers to have Jenkins parse an XML file from the Jenkins controller file system...

CVE-2024-41881

SDoP versions prior to 1.11 fails to handle appropriately some parameters inside the input data, resulting in a stack-based buffer overflow vulnerability. When a user of the affected product is tricked to process a specially crafted XML file, arbitrary code may be executed on the user's environme...

CVE-2023-49280

XWiki Change Request is an XWiki application allowing to request changes on a wiki without publishing directly the changes. Change request allows to edit any page by default, and the changes are then exported in an XML file that anyone can download. So it's possible for an attacker to obtain...