366532 matches found

added 2026/06/09 4:48 p.m. | 13 views

CVE-2026-48301

Affected product. Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier. Vulnerability. Stored Cross-Site Scripting (XSS) in vulnerable form fields. Impact. A low-privileged attacker can inject malicious scripts, leading to JavaScript execution in a victim’s browser when visiting...

CVSS 5.4 | AI score 5.5 | EPSS 0.00224
Exploits: 0 | References: 1 | Affected Software: 1

added 2026/06/09 4:48 p.m. | 16 views

CVE-2026-48264

Affected product: Adobe Experience Manager (AEM) 6.5.24, LTS SP1, 2026.04 and earlier. Vulnerability: DOM-based Cross-Site Scripting (XSS) via manipulation of the DOM environment to run malicious JavaScript in the victim’s browser. Exploit conditions: Requires user interaction; victim must visit ...

CVSS 5.4 | AI score 5.5 | EPSS 0.00207
Exploits: 0 | References: 1 | Affected Software: 1

added 2026/06/09 4:48 p.m. | 14 views

CVE-2026-34692

CVE-2026-34692 affects Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier. The issue is a DOM-based Cross-Site Scripting (XSS) vulnerability caused by manipulating the DOM environment, allowing malicious JavaScript to run in the victim’s browser. Exploitation requires user int...

CVSS 5.4 | AI score 5.5 | EPSS 0.00207
Exploits: 0 | References: 1 | Affected Software: 1

added 2026/06/09 4:48 p.m. | 18 views

CVE-2026-47983

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based XSS vulnerability. The issue occurs when an attacker manipulates the DOM to execute malicious JavaScript in the victim’s browser, requiring user interaction (the victim visits a crafted page). No ex...

CVSS 5.4 | AI score 5.5 | EPSS 0.00207
Exploits: 0 | References: 1 | Affected Software: 1

added 2026/06/09 4:48 p.m. | 14 views

CVE-2026-48304

Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability. A low-privileged attacker can abuse vulnerable form fields to inject malicious JavaScript, which may execute in a victim’s browser when visiting the page...

CVSS 5.4 | AI score 5.5 | EPSS 0.00224
Exploits: 0 | References: 1 | Affected Software: 1

added 2026/06/09 4:48 p.m. | 13 views

CVE-2026-47981

Affected software: Adobe Experience Manager 6.5.24, LTS SP1, 2026.04 and earlier. Vulnerability: Stored cross-site scripting (XSS) in vulnerable form fields. Root cause/impact: Low-privileged attacker can inject malicious scripts; victim’s browser executes JS when loading the page containing t...

CVSS 5.4 | AI score 5.5 | EPSS 0.00224
Exploits: 0 | References: 1 | Affected Software: 1

added 2026/06/09 4:48 p.m. | 15 views

CVE-2026-48300

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored XSS vulnerability that lets a low-privilege attacker inject malicious scripts into vulnerable form fields. Malicious JavaScript can execute in a victim’s browser when they visit a page containing the v...

CVSS 5.4 | AI score 5.5 | EPSS 0.00224
Exploits: 0 | References: 1 | Affected Software: 1

added 2026/06/09 4:48 p.m. | 13 views

CVE-2026-47944

Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability. A low-privileged attacker can inject malicious scripts into vulnerable form fields, with malicious JavaScript executed in a victim’s browser when visitin...

CVSS 5.4 | AI score 5.5 | EPSS 0.00224
Exploits: 0 | References: 1 | Affected Software: 1

added 2026/06/09 4:48 p.m. | 15 views

CVE-2026-47953

Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability. A low-privileged attacker could inject malicious scripts into vulnerable form fields, leading to JavaScript execution in a victim’s browser when loading ...

CVSS 5.4 | AI score 5.5 | EPSS 0.00224
Exploits: 0 | References: 1 | Affected Software: 1

added 2026/06/09 4:48 p.m. | 18 views

CVE-2026-47946

CVE-2026-47946 affects Adobe Experience Manager 6.5.24, LTS SP1, 2026.04 and earlier. It is a DOM-based XSS vulnerability caused by manipulating the DOM to execute malicious JavaScript in the victim’s browser. Exploitation requires user interaction: the victim must visit a crafted webpage. Scope ...

CVSS 5.4 | AI score 5.5 | EPSS 0.00283
Exploits: 0 | References: 1 | Affected Software: 1

added 2026/06/09 4:48 p.m. | 15 views

CVE-2026-47973

Technical details about CVE-2026-47973 are not publicly provided in the supplied documents; monitor for updates from Adobe and NVD for affected versions and remediation.

CVSS 5.4 | AI score 5.5 | EPSS 0.00224
Exploits: 0 | References: 1 | Affected Software: 1

added 2026/06/09 4:48 p.m. | 16 views

CVE-2026-47987

Adobe Experience Manager (AEM) prior to certain updates is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. Affected versions: AEM 6.5.24, LTS SP1, 2026.04 and earlier. The issue allows an attacker to manipulate the DOM to execute malicious JavaScript in the victim’s browser, req...

CVSS 5.4 | AI score 5.5 | EPSS 0.00207
Exploits: 0 | References: 1 | Affected Software: 1

added 2026/06/09 4:48 p.m. | 14 views

CVE-2026-47958

Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored XSS vulnerability. A low-privileged attacker can inject malicious scripts into vulnerable form fields, with malicious JavaScript executed in the victim’s browser when visiting the page containing...

CVSS 5.4 | AI score 5.5 | EPSS 0.00224
Exploits: 0 | References: 1 | Affected Software: 1

added 2026/06/09 4:48 p.m. | 15 views

CVE-2026-48265

This CVE affects Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier. It is a DOM-based Cross-Site Scripting (XSS) vulnerability where an attacker can cause malicious JavaScript to run in a victim’s browser by manipulating the DOM. Exploitation requires user interaction (the vi...

CVSS 5.4 | AI score 5.5 | EPSS 0.00283
Exploits: 0 | References: 1 | Affected Software: 1

added 2026/06/09 4:48 p.m. | 14 views

CVE-2026-48288

CVE-2026-48288 affects Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, 2026.04 and earlier. The issue is an Improper Input Validation vulnerability that can result in a security feature bypass. A low-privileged attacker could bypass security controls and gain unauthorized write access. ...

CVSS 3.5 | AI score 5.4 | EPSS 0.0041
Exploits: 0 | References: 1 | Affected Software: 1

added 2026/06/09 4:48 p.m. | 16 views

CVE-2026-48250

Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based XSS vulnerability. An attacker could manipulate the DOM to execute malicious JavaScript in the victim’s browser, with exploitation requiring user interaction (victim visits a crafted page). Th...

CVSS 5.4 | AI score 5.5 | EPSS 0.00207
Exploits: 0 | References: 1 | Affected Software: 1

added 2026/06/09 4:48 p.m. | 18 views

CVE-2026-48271

CVE-2026-48271 affects Adobe Experience Manager: versions 6.5.24, LTS SP1, 2026.04 and earlier. The vulnerability is a DOM-based Cross-Site Scripting (XSS) flaw caused by manipulation of the DOM environment, enabling malicious JavaScript execution in a victim’s browser. Exploitation requires user...

CVSS 5.4 | AI score 5.5 | EPSS 0.00283
Exploits: 0 | References: 1 | Affected Software: 1

added 2026/06/09 4:48 p.m. | 18 views

CVE-2026-47978

Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability. A low-privileged attacker can abuse vulnerable form fields to inject malicious JavaScript, which may be executed in a victim’s browser when visiting page...

CVSS 5.4 | AI score 5.5 | EPSS 0.00224
Exploits: 0 | References: 1 | Affected Software: 1

added 2026/06/09 4:48 p.m. | 12 views

CVE-2026-47949

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored XSS vulnerability. The issue allows a low-privileged attacker to inject malicious scripts into vulnerable form fields, with malicious JavaScript executing in a victim’s browser when visiting the page c...

CVSS 5.4 | AI score 5.5 | EPSS 0.00224
Exploits: 0 | References: 1 | Affected Software: 1

added 2026/06/09 4:48 p.m. | 14 views

CVE-2026-48299

Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability. A low-privileged attacker can inject malicious scripts into vulnerable form fields, causing JavaScript to execute in a victim’s browser when visiting the...

CVSS 5.4 | AI score 5.5 | EPSS 0.00224
Exploits: 0 | References: 1 | Affected Software: 1

added 2026/06/09 4:48 p.m. | 14 views

CVE-2026-48266

Adobe Experience Manager (AEM) versions affected: 6.5.24, LTS SP1, 2026.04 and earlier. Issue: DOM-based Cross-Site Scripting (XSS) caused by manipulating the DOM environment, allowing malicious JavaScript execution in the victim’s browser. Exploitation requires user interaction (victim must visi...

CVSS 5.4 | AI score 5.5 | EPSS 0.00283
Exploits: 0 | References: 1 | Affected Software: 1

added 2026/06/09 4:46 p.m. | 12 views

CVE-2026-49959

Hermes WebUI prior to 0.51.311 is affected by a remote code execution vulnerability. Authenticated attackers can trigger arbitrary commands by placing a malicious executable Git configuration in a workspace repo’s .git/config. The issue arises from Git subprocess invocations in api/workspace_git....

CVSS 8.8 | AI score 6.7 | EPSS 0.00945
Exploits: 0 | References: 4

added 2026/06/09 4:35 p.m. | 16 views

CVE-2026-49958

Hermes WebUI is affected by a TOCTOU race in git_discard (api/workspace_git.py) prior to version 0.51.303. An attacker can replace a validated path component with a symlink between safe_resolve_ws() and the subsequent Path.unlink() or shutil.rmtree() call, causing the delete operation to follow t...

CVSS 5 | AI score 5.6 | EPSS 0.00081
Exploits: 0 | References: 5

added 2026/06/09 4:34 p.m. | 23 views

CVE-2026-22926

Technical details about CVE-2026-22926 are not publicly available in the provided documents. No affected versions, root cause, or remediation are specified. Monitor for updates from Omnissa and CVE listings.

CVSS 7.8 | AI score 5.4 | EPSS 0.00132
Exploits: 0 | References: 2

added 2026/06/09 4:25 p.m. | 12 views

CVE-2026-49957

CVE-2026-49957: Hermes WebUI prior to 0.51.269 contains a workspace boundary bypass. An authenticated attacker can exploit an early return in the SSH/remote terminal profile workspace resolution logic (in _remote_terminal_workspace_candidate()) by configuring a remote terminal working directory ...

CVSS 7.7 | AI score 5.5 | EPSS 0.00421
Exploits: 0 | References: 5

added 2026/06/09 4:22 p.m. | 31 views

CVE-2026-42599

CVE-2026-42599 affects Svelte SSR. Prior to version 5.55.7, using spread syntax to render attributes from untrusted data may include event handler properties in the rendered HTML, enabling attackers to inject malicious event handlers that run in victims’ browsers if JavaScript is enabled and hydr...

CVSS 6.1 | AI score 5.5 | EPSS 0.00168
Exploits: 0 | References: 2 | Affected Software: 1

added 2026/06/09 4:22 p.m. | 19 views

CVE-2026-42567

CVE-2026-42567 affects Svelte runtimes from 5.51.5 up to 5.55.6, where an internal regex used during svelte:element tag validation can cause exponential-time processing (ReDoS) on certain tag names. The issue is triggered during the validation of , leading to significant CPU usage and potential...

CVSS 7.5 | AI score 5.3 | EPSS 0.00421
Exploits: 0 | References: 2 | Affected Software: 1

added 2026/06/09 4:21 p.m. | 15 views

CVE-2026-42573

CVE-2026-42573 affects Svelte before version 5.55.7, where DOM clobbering of the internal framework state on elements could lead to XSS. The issue is patched in version 5.55.7. The vulnerability relates to attribute spreading on a form element and the use of spread or dynamic name attributes on...

CVSS 6.1 | AI score 5.3 | EPSS 0.00211
Exploits: 0 | References: 2 | Affected Software: 1

added 2026/06/09 4:12 p.m. | 31 views

CVE-2026-42570

CVE-2026-42570 affects the Svelte devalue library. devalue.parse could allocate excessive memory when deserializing sparse arrays in versions 5.6.3 through 5.8.0, due to engine quirks. The issue is fixed in version 5.8.1. Affected references include GitHub advisories GHSA-77vg-94rm-hx3p and OSV e...

CVSS 7.5 | AI score 5.3 | EPSS 0.00346
Exploits: 0 | References: 3 | Affected Software: 1

added 2026/06/09 4:11 p.m. | 33 views

CVE-2026-24180

CVE-2026-24180 affects NVIDIA DALI. The bulletin and CVE list describe a heap-based buffer overflow in a DALI component that could enable code execution, data tampering, denial of service, and information disclosure. Affected versions are 0.0–2.0, with the security update addressing this issue in...

CVSS 7.3 | AI score 6 | EPSS 0.00154
Exploits: 0 | References: 3

added 2026/06/09 4:11 p.m. | 31 views

CVE-2026-24181

CVE-2026-24181 affects NVIDIA DALI. The issue is due to improper index validation in a component, enabling a local attacker with low privileges and user interaction to potentially cause code execution, data tampering, DoS, or information disclosure. NVIDIA’s security bulletin confirms the vulnera...

CVSS 7.3 | AI score 5.5 | EPSS 0.00139
Exploits: 0 | References: 3

added 2026/06/09 4:10 p.m. | 18 views

CVE-2026-49956

CVE-2026-49956 affects the Hermes WebUI prior to version 0.51.269. The root cause is a profile isolation bypass: an authenticated user can query the sessions search endpoint without active-profile filtering, exposing data from other profiles (session titles and transcript message content). This i...

CVSS 7.1 | AI score 5.5 | EPSS 0.00272
Exploits: 0 | References: 5

added 2026/06/09 4:9 p.m. | 20 views

CVE-2026-46492

md-fileserver prior to version 1.10.3 renders Markdown content containing HTML unsafely; this causes raw HTML such as [removed] in user-supplied Markdown content to be injected into the page unsafely. Affected components include Markdo...

CVSS 7.2 | AI score 5.4 | EPSS 0.00213
Exploits: 0 | References: 2

added 2026/06/09 4:5 p.m. | 21 views

CVE-2026-49848

FreeSWITCH CVE-2026-49848: In mod_verto, the pre-authentication check_auth path writes request-supplied userVariables into the connection state before password comparison. Writes are append-only and the connection isn’t closed on a failed compare, so values from bad-password attempts persist on t...

CVSS 4.3 | AI score 5.4 | EPSS 0.00172
Exploits: 0 | References: 2 | Affected Software: 1

added 2026/06/09 4:5 p.m. | 24 views

CVE-2026-49955

Hermes WebUI is vulnerable before version 0.51.270 to resource exhaustion via the passkey/options endpoint. Unauthenticated remote attackers can degrade availability by repeatedly posting to the authentication endpoint, causing unbounded growth of the challenge store and high CPU/disk I/O due to rep...

CVSS 6.9 | AI score 5.5 | EPSS 0.00586
Exploits: 0 | References: 5

added 2026/06/09 4:5 p.m. | 20 views

CVE-2026-49847

CVE-2026-49847 affects FreeSWITCH prior to version 1.11.1, where a single unauthenticated WebSocket frame containing a deeply nested JSON document can trigger a stack overflow in the bundled cJSON parser. The recursion drives the worker thread’s stack into the guard page, causing a kernel SIGSEGV...

CVSS 7.5 | AI score 5.4 | EPSS 0.00414
Exploits: 0 | References: 2 | Affected Software: 1

added 2026/06/09 4:4 p.m. | 17 views

CVE-2026-49843

FreeSWITCH vulnerability CVE-2026-49843 affects mod_verto before version 1.11.1. The JSON-RPC handler binds the client-supplied sessid on the first frame prior to authentication, inserting the connection into the global session hash and evicting any prior occupant on key collision (sending verto....

CVSS 5.3 | AI score 5.4 | EPSS 0.00284
Exploits: 0 | References: 2 | Affected Software: 1

added 2026/06/09 4:3 p.m. | 67 views

CVE-2026-45446

CVE-2026-45446 concerns OpenSSL implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452). The root cause is that the expected authentication tag is computed only when the decryption function processes non-empty data; if a caller provides AAD and then invokes DecryptFinal without any ciphe...

CVSS 4.8 | AI score 5.7 | EPSS 0.0021
Exploits: 0 | References: 6 | Affected Software: 1

added 2026/06/09 4:3 p.m. | 454 views

CVE-2026-45447

CVE-2026-45447 is a heap use-after-free in OpenSSL PKCS7_verify triggered when SignedData digestAlgorithms is an empty ASN.1 SET, risking process crashes, heap corruption, or remote code execution. It affects applications processing PKCS#7/S/MIME with OpenSSL PKCS#7 APIs (CMS APIs are not affecte...

CVSS 8.8 | AI score 5.9 | EPSS 0.02268
Exploits: 0 | References: 6 | Affected Software: 1

added 2026/06/09 4:3 p.m. | 185 views

CVE-2026-45445

CVE-2026-45445 describes a vulnerability in AES-OCB when using OpenSSL EVP_Cipher() in one-shot mode: the application-supplied IV is ignored, causing every encrypted message under the same key to use the same effective nonce. This leads to key/nonce reuse and potential confidentiality loss, and, ...

CVSS 7.5 | AI score 5.8 | EPSS 0.0032
Exploits: 0 | References: 6 | Affected Software: 1

added 2026/06/09 4:3 p.m. | 30 views

CVE-2026-42771

CVE-2026-42771 describes a vulnerability in OpenSSL where an internal helper used by X509_VERIFY_PARAM_set1_email/set2_email validates the local part of an email address and may not enforce the 64-octet limit, causing an out-of-bounds read. This can lead to a crash (DoS) when an application pro...

CVSS 6.2 | AI score 5.6 | EPSS 0.0019
Exploits: 0 | References: 2 | Affected Software: 1

added 2026/06/09 4:3 p.m. | 51 views

CVE-2026-42770

CVE-2026-42770 affects OpenSSL FIPS modules (4.0, 3.6, 3.5, 3.4, 3.0) and related deployments using EVP_PKEY_derive_set_peer() with DHX/X9.42 keys. The vulnerability arises when the subgroup check Y^q ≡ 1 (mod p) uses the peer’s q instead of the local key’s q, allowing a malicious X9.42 peer to c...

CVSS 3.7 | AI score 5.4 | EPSS 0.00259
Exploits: 0 | References: 6 | Affected Software: 1

added 2026/06/09 4:3 p.m. | 35 views

CVE-2026-42769

Summary: CVE-2026-42769 arises from an error in the CMP Root CA key rollover verification in OpenSSL. A typo in the certificate chain building code caused the verifier to add the wrong certificate ("newWithOld" instead of the intended "oldRoot") to the chain, rendering the verification ineffectiv...

CVSS 5.3 | AI score 5.7 | EPSS 0.00262
Exploits: 0 | References: 5 | Affected Software: 1

added 2026/06/09 4:3 p.m. | 57 views

CVE-2026-42768

The CVE-2026-42768 issue concerns Bleichenbacher-style side-channel attacks against CMS_decrypt() and PKCS7_decrypt() in OpenSSL. The vulnerability arises when processing CMS or S/MIME messages with multiple RecipientInfo entries (KTRI). In variant 1, decryption is attempted without a recipient c...

CVSS 3.7 | AI score 5.5 | EPSS 0.0035
Exploits: 0 | References: 5 | Affected Software: 1

added 2026/06/09 4:3 p.m. | 38 views

CVE-2026-42767

The CVE-2026-42767 issue affects the OpenSSL CMP client: processing a CRMF CertRepMessage with EncryptedValue where symmAlg has an OID but no parameters can trigger a NULL pointer dereference, crashing the CMP client and enabling DoS. The vulnerability is due to improper handling during CMP respo...

CVSS 5.9 | AI score 5.6 | EPSS 0.00349
Exploits: 0 | References: 6 | Affected Software: 1

added 2026/06/09 4:3 p.m. | 32 views

CVE-2026-42766

The CVE-2026-42766 entry documents a NULL pointer dereference in OpenSSL’s CMS decryption for password-based CMS messages. Specifically, PasswordRecipientInfo.keyDerivationAlgorithm is OPTIONAL and may be absent; OpenSSL’s CMS decryption dereferences this field without checking, triggering an app...

CVSS 5.9 | AI score 5.5 | EPSS 0.00595
Exploits: 0 | References: 6 | Affected Software: 1

added 2026/06/09 4:3 p.m. | 39 views

CVE-2026-42764

In OpenSSL’s QUIC server implementation, receiving a QUIC initial packet with an invalid or expired token can trigger a NULL pointer dereference, potentially crashing the server and causing a Denial of Service. The issue occurs when address validation is disabled, specifically when SSL_LISTENER_F...

CVSS 7.5 | AI score 5.5 | EPSS 0.00684
Exploits: 0 | References: 4 | Affected Software: 1

added 2026/06/09 4:3 p.m. | 23 views

CVE-2026-42765

CVE-2026-42765 describes a NULL dereference in certificate verification when OCSP response checking is enabled together with partial-chain verification. The issue triggers a crash (Denial of Service) if the verified chain lacks a self-signed trusted anchor, because for the last certificate the is...

CVSS 7.5 | AI score 5.6 | EPSS 0.00419
Exploits: 0 | References: 3 | Affected Software: 1

added 2026/06/09 4:3 p.m. | 46 views

CVE-2026-35188

CVE-2026-35188 describes a vulnerability in TLS OCSP stapling where a crafted stapled response delivered via the status_request extension can trigger a double-free in the TLS client’s certificate verification path. Impact: potential heap corruption, with the practical consequence of Denial of Ser...

CVSS 5 | AI score 6 | EPSS 0.00245
Exploits: 0 | References: 3 | Affected Software: 1

added 2026/06/09 4:3 p.m. | 95 views

CVE-2026-34183

CVE-2026-34183 affects the OpenSSL QUIC stack’s PATH_CHALLENGE handling. A remote attacker can flood a QUIC client or server with PATH_CHALLENGE frames, causing unbounded heap allocations and potentially Denial of Service. For every PATH_CHALLENGE, the local QUIC stack allocates a PATH_RESPONSE f...

CVSS 7.5 | AI score 5.5 | EPSS 0.00511
Exploits: 0 | References: 5 | Affected Software: 1

Total number of security vulnerabilities: 366532