Cross-site scripting (XSS) in Billboard.js versions before 3.18.0 enables remote attackers to inject and execute arbitrary JavaScript through inadequately sanitized chart configuration options, affecting any application using the vulnerable library. The attack requires user interaction but can compromise confidentiality and integrity of affected web applications. No patch is currently available.
Permissive Cross-domain Security Policy with Untrusted Domains vulnerability in Drupal Next.Js allows Cross-Site Scripting (XSS).This issue affects Next.Js: from 0.0.0 before 1.6.4, from 2.0.0 before 2.0.1. [CVSS 6.1 MEDIUM]
A heap buffer over-read in iccDEV versions prior to 2.3.1.2 allows local attackers with user interaction to leak sensitive heap memory contents or crash the application when processing specially crafted ICC color profiles. The vulnerability stems from unsafe handling of non-null-terminated buffers in the strlen() function during ICC profile processing. Users of the iccDEV library should upgrade to version 2.3.1.2 to remediate this issue.
Improper authorization in PHPGurukul Hospital Management System 1.0 allows authenticated attackers to manipulate the Admin Dashboard Page and gain unauthorized access to sensitive functionality. Public exploit code exists for this vulnerability, and no patch is currently available. The network-accessible flaw requires only valid credentials to exploit, enabling attackers to bypass access controls with low complexity.
jshERP versions up to 3.6 contain a path traversal vulnerability in the PluginController's file upload functionality that allows authenticated attackers to read arbitrary files on the server. Public exploit code exists for this vulnerability, and the vendor has not yet released a patch despite being notified of the issue.
Jirafeau's MIME type validation can be bypassed by sending crafted HTTP requests with invalid MIME types, allowing attackers to trigger browser-based MIME sniffing that may execute malicious JavaScript embedded in SVG or HTML files. An unauthenticated remote attacker can exploit this through a simple network request requiring user interaction to view a malicious preview. A patch is available and the vulnerability affects Jirafeau and related products.
SQL injection in Online Music Site 1.0's AdminAddCategory.php allows remote attackers with high privileges to execute arbitrary SQL queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available.
A vulnerability was identified in D-Link DCS-700L 1.03.09. The affected element is the function uploadmusic of the file /setUploadMusic of the component Music File Upload Service. [CVSS 2.4 LOW]
A vulnerability was identified in rethinkdb versions up to 2.4.3. is affected by cross-site scripting (xss) (CVSS 2.4).
libsoup's HTTP redirect handling fails to strip Proxy-Authorization headers when requests are forwarded to different hosts, allowing proxy credentials to be exposed to unintended third-party servers. Applications relying on libsoup for HTTP communication are vulnerable to disclosure of sensitive proxy authentication data. No patch is currently available.
NVIDIA HD Audio Driver for Windows contains a vulnerability where an attacker could exploit a NULL pointer dereference issue. A successful exploit of this vulnerability might lead to a denial of service. [CVSS 5.5 MEDIUM]
The issue was addressed with improved bounds checks. This issue is fixed in macOS Tahoe 26, Keynote 15.1, iOS 26 and iPadOS 26. [CVSS 5.5 MEDIUM]
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).This issue affects Tagify: from 0.0.0 before 1.2.44. [CVSS 5.4 MEDIUM]
Discourse is an open source discussion platform. A privilege escalation vulnerability in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allows a non-admin moderator to bypass email-change restrictions, allowing a takeover of non-staff accounts. [CVSS 5.4 MEDIUM]
Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. [CVSS 5.4 MEDIUM]
Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. [CVSS 5.4 MEDIUM]
Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. [CVSS 5.4 MEDIUM]
Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. [CVSS 5.4 MEDIUM]
Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. [CVSS 5.4 MEDIUM]
Privilege Defined With Unsafe Actions vulnerability in Drupal Mini site allows Stored XSS.This issue affects Mini site: from 0.0.0 before 3.0.2. [CVSS 5.4 MEDIUM]
Discourse is an open source discussion platform. [CVSS 5.4 MEDIUM]
The Vzaar Media Management WordPress plugin through version 1.2 contains a reflected cross-site scripting vulnerability in the PHP_SELF variable that lacks proper input sanitization, allowing unauthenticated attackers to inject malicious scripts. An attacker can exploit this by crafting a malicious link and tricking users into clicking it, leading to arbitrary script execution in their browsers. No patch is currently available for this vulnerability.
The Rupantorpay plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_webhook() function in all versions up to, and including, 2.0.0. [CVSS 5.3 MEDIUM]
Unauthenticated attackers can delete arbitrary calendar entries in the Simple Calendar for Elementor WordPress plugin through versions 1.6.6 due to missing authorization checks on an AJAX function that accepts both authenticated and unauthenticated requests. An attacker only needs a valid nonce and the target calendar entry ID to perform the deletion. No patch is currently available for this vulnerability.
RegistrationMagic (WordPress plugin) versions up to 6.0.7.4. is affected by missing authorization (CVSS 5.3).
Unauthenticated attackers can bypass authorization checks in WordPress form plugins (Database for Contact Form 7, WPforms, Elementor forms) through version 1.4.5 to download CSV exports of all form submissions containing sensitive personally identifiable information. The vulnerability exists because the CSV export endpoint lacks proper capability verification and exports complete datasets regardless of user permissions, while an export key is exposed in publicly accessible page source code. This allows attackers to retrieve sensitive data without authentication or proper authorization.
A sensitive information disclosure in HCL BigFix Compliance allows a remote attacker to access files under the WEB-INF directory, which may contain Java class files and configuration information, leading to unauthorized access to application internals. [CVSS 5.3 MEDIUM]
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CKEditor 5 Premium Features allows Functionality Bypass.This issue affects CKEditor 5 Premium Features: from 0.0.0 before 1.2.10, from 1.3.0 before 1.3.6, from 1.4.0 before 1.4.3, from 1.5.0 before 1.5.1, from 1.6.0 before 1.6.4. [CVSS 5.3 MEDIUM]
WP Adminify (WordPress plugin) versions up to 4.0.7.7 is affected by information exposure (CVSS 5.3).
Incorrect Authorization vulnerability in Drupal Entity Share allows Forceful Browsing.This issue affects Entity Share: from 0.0.0 before 3.13.0. [CVSS 5.3 MEDIUM]
Arithmetic overflow in Soroban SDK versions up to 25.0.2 allows contracts using user-controlled range bounds in Bytes::slice, Vec::slice, or Prng::gen_range methods to operate on incorrect data ranges or generate unintended random numbers, potentially corrupting contract state. Developers who do not enable overflow-checks in their Rust configuration are vulnerable to this silent data corruption. A patch is available and should be applied immediately to affected Soroban contracts.
The User Activity Log WordPress plugin through 2.2 does not properly handle failed login attempts in some cases, allowing unauthenticated users to set arbitrary options to 1 (for example to enable User Registration when it has been turned off) [CVSS 5.3 MEDIUM]
The RustCrypto ml-dsa crate versions 0.0.4 through 0.1.0-rc.3 incorrectly validate ML-DSA digital signatures by accepting duplicate hint indices that should be strictly increasing per the FIPS 204 specification, allowing attackers to forge valid signatures that should be rejected. This regression was introduced by a comparison operator change in version 0.0.4 and affects any application relying on this crate for signature verification. A patch is available in version 0.1.0-rc.4.
During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. [CVSS 5.3 MEDIUM]
A Stored cross-site scripting (XSS) vulnerability in 'Create New Live Item' in PodcastGenerator 3.2.9 allows remote attackers to inject arbitrary script or HTML via the 'TITLE', 'SHORT DESCRIPTION' and 'LONG DESCRIPTION' parameters. [CVSS 4.8 MEDIUM]
Discourse is an open source discussion platform. A vulnerability present in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 affects anyone who uses S3 for uploads. [CVSS 4.6 MEDIUM]
Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have a content-security-policy-mitigated cross-site scriptinv vulnerability on the Discourse Math plugin when using its KaTeX variant. [CVSS 4.6 MEDIUM]
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI (Artificial Intelligence) allows Cross-Site Scripting (XSS).This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.7, from 1.1.0 before 1.1.7, from 1.2.0 before 1.2.4. [CVSS 4.4 MEDIUM]
Stored XSS in WP Google Ad Manager Plugin up to version 1.1.0 allows administrators to inject malicious scripts into WordPress pages through insufficiently sanitized admin settings, affecting multi-site installations and configurations with disabled unfiltered_html. Authenticated attackers with administrator privileges can exploit this to execute arbitrary JavaScript that persists and runs for all users visiting affected pages. No patch is currently available.
The Appointment Hour Booking plugin for WordPress through version 1.5.60 allows administrators to inject persistent JavaScript into the form builder interface through inadequately sanitized field configuration parameters. Exploitation requires high-level authenticated access and affects only multisite installations or those with unfiltered HTML disabled. Injected scripts execute in the context of other users accessing the form builder, enabling credential theft or unauthorized actions.
Stored XSS in Ivory Search WordPress plugin up to version 5.5.13 allows administrators to inject malicious scripts into admin settings due to inadequate input sanitization, affecting multi-site installations and those with unfiltered_html disabled. Attackers with admin privileges can execute arbitrary JavaScript that persists and runs for all users accessing affected pages. A patch is not currently available.
Order Minimum/Maximum Amount Limits for WooCommerce (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).
Symantec Endpoint Protection, prior to 14.3 RU10 Patch 1, RU9 Patch 2, and RU8 Patch 3, may be susceptible to a COM Hijacking vulnerability, which is a type of issue whereby an attacker attempts to establish persistence and evade detection by hijacking COM references in the Windows Registry. [CVSS 4.4 MEDIUM]
Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have an application level denial of service vulnerabilityin the username change functionality at try.discourse.org. The vulnerability allows attackers to cause noticeable server delays and resource exhaustion by sending large JSON payloads to the username preference endpoint PUT /u//preferences/username, resulting in degraded performance for other users and endpoints. This issue is pat...
Authenticated attackers with Author-level permissions can read, modify, and delete document library entries belonging to other users in the Document Embedder plugin for WordPress through improper access control checks in multiple AJAX handlers. The vulnerability affects all versions up to 2.0.4 and requires no additional user interaction, allowing privilege escalation within the plugin's document management system. No patch is currently available.
An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 26.1 and iPadOS 26.1, Pages 15.1, macOS Tahoe 26.1. [CVSS 4.3 MEDIUM]
The Change WP URL plugin for WordPress through version 1.0 lacks proper nonce validation, allowing unauthenticated attackers to modify the WordPress login URL through cross-site request forgery if they can socially engineer a site administrator into clicking a malicious link. This vulnerability affects all WordPress installations using the vulnerable plugin and enables attackers to redirect administrator access to attacker-controlled pages. No patch is currently available.
The Recooty - Job Widget (Old Dashboard) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing nonce validation on the recooty_save_maybe() function. [CVSS 4.3 MEDIUM]
Bitcoin Donate Button (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
Unauthenticated attackers can modify WordPress imwptip plugin settings through cross-site request forgery attacks by exploiting missing nonce validation in versions up to 1.1. An attacker can trick site administrators into clicking a malicious link to alter plugin configurations without authentication. No patch is currently available for this vulnerability.