Improper HTML escaping in Svelte versions 5.39.3 through 5.51.4 allows HTML injection attacks through unescaped option element content during server-side rendering, enabling attackers to inject malicious HTML into SSR output. Client-side rendering is unaffected, and the vulnerability is limited to applications using vulnerable Svelte versions on the server. This medium-severity flaw requires upgrading to version 5.51.5 or later, as no patch is currently available for affected versions.
Stored cross-site scripting in LibreNMS versions 24.10.0 through 26.1.1 allows authenticated users to inject malicious scripts through the unsanitized unit parameter in Custom OID configurations, which are then executed when other users view the affected pages. An attacker with login credentials could exploit this to steal session tokens, perform actions on behalf of other administrators, or compromise the monitoring infrastructure. The vulnerability has been patched in version 26.2.0.
Missing Authorization vulnerability in Anssi Laitila Shared Files shared-files.This issue affects Shared Files: from n/a through <= 1.7.19. [CVSS 5.3 MEDIUM]
primersoftware Primer MyData for Woocommerce primer-mydata contains a security vulnerability (CVSS 5.3).
Tanium addressed an insertion of sensitive information into log file vulnerability in TanOS. [CVSS 5.3 MEDIUM]
Missing Authorization vulnerability in SecuPress SecuPress Free secupress.This issue affects SecuPress Free: from n/a through <= 2.2.5.3. [CVSS 5.3 MEDIUM]
This affects versions of the package bn.j versions up to 5.2.3. is affected by loop with unreachable exit condition (infinite loop) (CVSS 5.3).
uTLS versions 1.6.0 through 1.8.0 fail to properly mimic Chrome's cipher suite selection behavior when using GREASE ECH, randomly choosing ChaCha20 for encrypted client hello while consistently using AES for the outer handshake—a mismatch that does not occur in actual Chrome and creates detectable fingerprints. This inconsistency affects users relying on uTLS for fingerprinting resistance and could enable network observers to distinguish uTLS traffic from legitimate Chrome connections. A patch is available to correct the cipher suite selection logic.
Frappe Learning Management System versions 2.44.0 and below allow unauthenticated attackers to retrieve sensitive details about unpublished courses through API endpoints, exposing course content that should remain restricted. This information disclosure vulnerability affects all users of the affected versions, with no patch currently available pending the 2.45.0 release.
PJSIP versions 2.16 and below contain a heap buffer overflow in the H.264 video unpacketizer that fails to properly validate NAL unit size fields in malformed SRTP packets, allowing remote attackers to trigger memory corruption on systems receiving H.264 video streams. The vulnerability has a CVSS score of 5.3 and enables information disclosure through heap memory access. A patch is available for affected deployments.
Reflected XSS in SVXportal 2.5 and earlier allows unauthenticated attackers to inject malicious JavaScript through an unsanitized search parameter in log.php, enabling session hijacking or unauthorized actions when victims click a crafted link. The vulnerability requires user interaction but has no authentication requirement and affects all users of the vulnerable versions.
SVXportal version 2.5 and earlier allow unauthenticated attackers to perform stored cross-site scripting attacks through the user registration form, where unencoded user inputs are persisted and executed in administrator browsers. An attacker can inject malicious JavaScript via registration fields like firstname, lastname, or email that will trigger when administrators access the users management interface. No patch is currently available for this vulnerability.
SVXportal 2.5 and earlier allows authenticated attackers to inject arbitrary scripts through an unsanitized stationid parameter in radiomobile_front.php, which executes in an administrator's browser context when they visit a crafted URL. This reflected XSS vulnerability enables attackers to hijack admin sessions or execute unauthorized actions with administrative privileges. No patch is currently available.
SVXportal 2.5 and earlier allows authenticated users to inject malicious scripts into user profile fields (firstname, lastname, email, image_url) that execute in administrators' browsers when viewing user management pages. An attacker with a valid account can exploit this stored XSS vulnerability to perform administrative actions or steal session credentials by targeting users with higher privileges. No patch is currently available for this vulnerability.
Reflected XSS in SVXportal 2.5 and earlier allows attackers to inject malicious JavaScript through the search parameter in admin/log.php, which executes in administrators' browsers when they visit a crafted URL. An authenticated attacker could exploit this to steal admin sessions, forge administrative actions, or perform other browser-based attacks with elevated privileges. No patch is currently available.
Kargo versions 1.9.0 through 1.9.2 fail to enforce the custom "promote" authorization verb in three REST API endpoints, allowing authenticated users with standard Kubernetes RBAC permissions to trigger promotions without the intended fine-grained access controls. An attacker with patch permissions on freight status or create permissions on promotions can bypass promotion pipeline restrictions and advance software artifacts unauthorized. A patch is available to restore the missing authorization checks.
Tanium addressed a use-after-free vulnerability in the Cloud Workloads Enforce client extension. [CVSS 4.7 MEDIUM]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fox-themes Prague prague-plugins allows Reflected XSS.This issue affects Prague: from n/a through <= 2.2.8. [CVSS 7.1 HIGH]
Seraphinite Solutions Seraphinite Accelerator seraphinite-accelerator is affected by missing authorization (CVSS 4.3).
A vulnerability exists in EnOcean SmartServer IoT version 4.60.009 and prior, which would allow remote attackers, in the LON IP-852 management messages, to send specially crafted IP-852 messages resulting in a memory leak from the program's memory. [CVSS 3.7 LOW]
Connections versions up to 7.0 contains a vulnerability that allows attackers to obtain limited information when a single piece of internal metadata is returned (CVSS 3.5).
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, `normalizeForHash` in `src/agents/sandbox/config-hash.ts` recursively sorted arrays that contained only primitive values. [CVSS 3.3 LOW]
Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Versions 1.634.6 and below allow non-admin users to obtain Slack OAuth client secrets, which should only be accessible to workspace administrators. [CVSS 2.7 LOW]
Relative Path Traversal, Improper Isolation or Compartmentalization vulnerability in erlang otp erlang/otp (tftp_file modules), erlang otp inets (tftp_file modules), erlang otp tftp (tftp_file modules) allows Relative Path Traversal.
Missing authorization in Dromara RuoYi-Vue-Plus up to version 5.5.3 allows authenticated remote attackers to delete workflow instances without proper access controls via the SaServletFilter component. Public exploit code exists for this vulnerability, and the vendor has not responded to disclosure attempts. The flaw enables low-impact compromise of workflow data integrity with network accessibility and minimal attack complexity.
A vulnerability has been found in rachelos WeRSS we-mp-r versions up to 1.4.8. is affected by cross-site scripting (xss) (CVSS 3.5).
A vulnerability was identified in wren-lang wren up to 0.4.0. This affects the function peekChar of the file src/vm/wren_compiler.c of the component Source File Parser. [CVSS 3.3 LOW]
Predictable bucket naming in Vertex AI Experiments in Google Cloud Vertex AI from version 1.21.0 up to (but not including) 1.133.0 on Google Cloud Platform allows an unauthenticated remote attacker to achieve cross-tenant remote code execution, model theft, and poisoning via pre-creating predictably named Cloud Storage buckets (Bucket Squatting).
Photobooth prior to 1.0.1 has a cross-site scripting (XSS) vulnerability in user input fields. Malicious users could inject scripts through unvalidated form inputs.
Libredesk is a self-hosted customer support desk application. Versions prior to 1.0.2-0.20260215211005-727213631ce6 fail to validate destination URLs for webhooks, allowing an attacker posing as an authenticated "Application Admin" to force the server to make HTTP requests to arbitrary internal destinations. This could compromise the underlying cloud infrastructure or internal corporate network...
An integer underflow vulnerability is present in Silicon Lab’s implementation of PSA Crypto and SE Manager EC-JPAKE APIs during ZKP parsing. Triggering the underflow can lead to a hard fault, causing a temporary denial of service.
HyperCloud versions 2.3.5 through 2.6.8 improperly allowed refresh tokens to be used directly for resource access and failed to invalidate previously issued access tokens when a refresh token was used.
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Versions of @sveltejs/adapter-vercel prior to 6.3.2 are vulnerable to cache poisoning.
Certain Samsung MultiXpress Multifunction Printers may be vulnerable to information disclosure, potentially exposing address book entries and other device configuration information through specific APIs without proper authorization.
The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla’s com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction.
An integer underflow vulnerability in Silicon Labs Secure NCP host implementation allows a buffer overread via a specially crafted packet.