CVE-2026-42658

The CVE-2026-42658 entry concerns the WordPress Classified Listing plugin, affected versions

BIBLIOsoft BIBLIOpac 2008 - Cross-Site Scripting

BIBLIOsoft BIBLIOpac 2008 contains a cross-site scripting vulnerability via the db or action parameter to bin/wxis.exe/bibliopac/, which allows a remote attacker to inject arbitrary web script or HTML. id: CVE-2018-16139 info: name: BIBLIOsoft BIBLIOpac 2008 - Cross-Site Scripting author:...

Site Reviews < 7.2.5 - Unauthenticated Stored XSS

Site Reviews WordPress plugin before 7.2.5 contains a stored cross-site scripting caused by improper sanitization and escaping of review fields, letting unauthenticated users execute malicious scripts, exploit requires no authentication. id: CVE-2025-1232 info: name: Site Reviews 7.2.5 -...

JustRows WordPress - Cross-Site Scripting

JustRows free WordPress plugin v0.2 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires attacker to craft a...

GHSA-W22M-HVVM-XMWX Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization

Summary A potential Cross-Site Scripting XSS vulnerability exists in Fabric.js due to improper escaping of user-controlled input during SVG serialization via the toSVG method. Specifically, the color field within the colorStops array of a fabric.Gradient object is not properly escaped when...

Important: docker

Issue Overview: Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service. CVE-2026-25680 Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt ...

Amazon Linux 2023 : docker (ALAS2023-2026-1835)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1835 advisory. Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service. CVE-2026-25680 Parsing arbitrary HTML which is then rendered using Render can result in an...

Security update for roundcubemail (moderate)

openSUSE Security Update: Security update for roundcubemail Announcement ID: openSUSE-SU-2024:0328-1 Rating: moderate References: 1228900 1228901 Cross-References: CVE-2024-42008 CVE-2024-42009 CVE-2024-42010 Affected Products: openSUSE Backports SLE-15-SP6 An update that fixes three...

CVE-2026-45560

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, wrapline app/modules/common/common.py:181-186 and highlightword app/modules/common/common.py:188-192 build raw HTML by string concatenation with no escaping. The frontend...

CVE-2026-36728

A markdown based cross-site scripting XSS vulnerability in the AI assistant chat function of FastapiAdmin v2.2.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into a chat message...

CVE-2026-25688

Improper Neutralization of Alternate XSS Syntax vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. AI-generated response content was rendered in the browser without proper sanitization, allowing malicious scripts to be executed when the content was viewed. Users are...

Palo Alto Networks PAN-OS 11.1.x < 11.1.14 / 11.2.x < 11.2.11 / 12.1.x < 12.1.5 Vulnerability

The version of Palo Alto Networks PAN-OS running on the remote host is 11.1.x prior to 11.1.14, 11.2.x prior to 11.2.11, or 12.1.x prior to 12.1.5. It is, therefore, affected by a vulnerability. A cross-site scripting XSS vulnerability in Palo Alto Networks PAN-OS software enables a malicious...

EUVD-2026-35717

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting XSS vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser...

CVE-2026-41846

Spring MVC applications which accept user-supplied values in the cssClass, cssErrorClass, or cssStyle attributes of JSP form tags allow arbitrary HTML/JavaScript code injection, potentially resulting in a cross-site scripting XSS vulnerability. Affected versions: Spring Framework 7.0.0 through...

CVE-2026-44757 Cross-Site Scripting (XSS) vulnerability in SAP Wily Introscope Enterprise Manager

SAP Wily Introscope Enterprise Manager allows an unauthenticated attacker to craft a specially crafted URL. Under certain conditions, when accessed by a victim, the injected script could execute in the user�s browser within the context of the application. This issue has a low impact on the...

CVE-2026-47344

TYPO3 HTML Sanitizer (typo3/html-sanitizer) vulnerability CVE-2026-47344 affects versions before 2.3.2. When ALLOW_INSECURE_RAW_TEXT is enabled, whitespace-variant closing tags (e.g., ) are not recognized by the sanitizer but browsers accept them as valid end tags, allowing subsequent content to ...

PT-2026-47448

Name of the Vulnerable Software and Affected Versions typo3/html-sanitizer versions prior to 2.3.2 Description When the ALLOW INSECURE RAW TEXT setting is enabled, the sanitizer fails to recognize closing tags containing whitespace variants, such as . Because browsers interpret these as valid end...

Amazon Linux 2023 : ecs-init (ALAS2023-2026-1771)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1771 advisory. When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. CVE-2026-33811 When processing HTTP/2 SETTINGS frames, transport...

CVE-2026-36766

Multiple authenticated cross-site scripting XSS vulnerabilities in the XssHttpServletRequestWrapper class of shopizer v3.2.5 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the getInputStream or getReader functions...

SUSE CVE-2026-33245

React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components RSC APIs, there is a potential client-side Cross-Site Scripting XSS vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not...