A vulnerability was found in code-projects Public Chat Room 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /login.php. The manipulation of the argument Username leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Null pointer dereference in Firefox and Thunderbird JavaScript engines allows remote attackers to cause denial of service via malformed closed generator objects. The vulnerability affects Firefox versions below 141, Firefox ESR versions below 115.26/128.13/140.1, Thunderbird versions below 141/128.13/140.1, and is triggered when a user visits a malicious webpage or opens a crafted email containing JavaScript that improperly resumes a closed generator. While the CVSS score is 6.5 (medium-high), the impact is limited to availability-no information disclosure or code execution is possible.
Information disclosure in Mozilla Firefox and Thunderbird on 64-bit platforms allows remote attackers to leak sensitive memory contents via specially crafted web content. The IonMonkey JIT compiler writes only 32 bits of the 64-bit return value space on the stack, while the Baseline JIT reads the entire 64 bits, exposing uninitialized stack memory. Exploitation requires user interaction (UI:R) and no authentication. Fixes are available: Firefox 141+, Firefox ESR 115.26+, Firefox ESR 128.13+, Firefox ESR 140.1+, Thunderbird 141+, Thunderbird 128.13+, and Thunderbird 140.1+.
Stored Cross-Site Scripting in WP Shortcodes Plugin - Shortcodes Ultimate allows authenticated attackers with Author-level access to inject arbitrary JavaScript through insufficiently sanitized 'Title' and 'Slide link' fields in image uploads, affecting all versions up to 7.4.2. The injected scripts execute in the context of any user viewing affected pages, enabling session hijacking, credential theft, or malware distribution. No public exploit code has been identified at time of analysis, but the vulnerability requires only standard WordPress Author privileges and network access to exploit.
Reflected and DOM-Based Cross-Site Scripting in Rolantis Information Technologies Agentis (all versions before 4.32) allows remote unauthenticated attackers to inject and execute arbitrary JavaScript in a victim's browser session when the victim is tricked into clicking a crafted URL. The Scope:Changed vector indicates injected script executes in the context of a different security origin than the vulnerable component. No public exploit code has been identified and EPSS sits at 0.17% (38th percentile), consistent with an unweaponized, newly disclosed web application flaw reported by Turkey's national CERT (USOM).
Cross-site scripting in HotelRunner's B2B platform allows a high-privileged authenticated attacker to inject malicious scripts into web pages viewed by other users. The Changed scope (S:C) in the CVSS vector confirms the injected payload executes in a victim's browser context, enabling session hijacking or credential theft against other platform users. No public exploit code or active exploitation has been identified at time of analysis; the EPSS score of 0.15% (36th percentile) reflects a low probability of widespread exploitation.
HTTP Response Splitting in HotelRunner's B2B hospitality platform stems from improper certificate-host mismatch validation (CWE-297), enabling an authenticated low-privilege attacker to inject crafted headers into HTTP responses when a victim user interacts with the vulnerable flow. Successful exploitation can lead to cache poisoning, session hijacking, or content injection with limited confidentiality and integrity impact (C:L/I:L). No public exploit exists and EPSS sits at 0.07% (21st percentile), indicating no observed widespread exploitation at time of analysis.