Skip to main content
CVE-2026-20163 HIGH This Week

Arbitrary shell command execution in Splunk Enterprise and Cloud Platform allows authenticated users with the edit_cmd capability to inject commands through the unarchive_cmd parameter in the preview upload endpoint. Affected versions include Splunk Enterprise below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, as well as corresponding Cloud Platform versions. An attacker with high-privilege roles could achieve remote code execution on vulnerable systems, though no patch is currently available.

Command Injection Splunk Splunk Cloud Platform
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-32063 HIGH PATCH This Week

OpenClaw versions prior to 2026.2.21 allow local attackers with limited privileges to inject arbitrary systemd directives through unvalidated environment variables in unit file generation, enabling command execution with gateway service privileges. By manipulating config.env.vars and triggering service installation or restart, an attacker can bypass Environment= line constraints via newline injection to achieve arbitrary code execution. No patch is currently available for this command injection vulnerability.

Command Injection Openclaw
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-32126 HIGH This Week

OpenEMR versions prior to 8.0.0.1 contain an inverted boolean condition in the access control logic that allows any authenticated user to access administrative CDR controllers (alerts, ajax, edit, add, detail, browse) intended for administrators only. Affected users can suppress clinical decision support alerts, delete or modify clinical plans, and edit rule configurations without proper authorization. No patch is currently available for this high-severity vulnerability.

Authentication Bypass Openemr
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-2466 HIGH This Week

DukaPress WordPress plugin versions up to 3.2.4 contain a reflected XSS vulnerability due to improper input sanitization and output encoding, allowing attackers to inject malicious scripts that execute in the browsers of high-privilege users like administrators. The vulnerability requires user interaction to exploit and can result in session hijacking, credential theft, or unauthorized administrative actions. No patch is currently available.

WordPress XSS
NVD WPScan
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-2368 HIGH This Week

Lenovo Filez fails to properly validate SSL/TLS certificates, enabling network-positioned attackers to intercept traffic and execute arbitrary code on affected systems. An attacker with the ability to perform man-in-the-middle attacks can exploit this weakness to compromise user devices without authentication. No patch is currently available to remediate this vulnerability.

Authentication Bypass RCE
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-30901 HIGH This Week

Improper Input Validation in Zoom Room versions up to 6.6.5 is affected by improper input validation (CVSS 7.0).

Privilege Escalation Microsoft
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-31988 MEDIUM PATCH This Month

Denial of service in yauzl 3.2.0 (Node.js zip parsing library) allows remote attackers to crash applications by submitting malformed zip files with specially crafted NTFS timestamp fields that trigger an out-of-bounds buffer read. The vulnerability affects any Node.js application that processes untrusted zip uploads and extracts file modification dates. No patch is currently available.

Node.js Denial Of Service Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-1716 MEDIUM This Month

Lenovo Vantage and Baiying DeviceSettingsSystemAddin contain an input validation flaw that allows authenticated local users to delete arbitrary registry keys with elevated privileges. This vulnerability affects systems where users have local access and could enable attackers to modify system configuration or disable security controls. No patch is currently available.

Information Disclosure Lenovo
NVD VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-1715 MEDIUM This Month

Lenovo Vantage and Baiying DeviceSettingsSystemAddin contains an input validation flaw that allows authenticated local users to modify arbitrary registry keys with system-level privileges. This vulnerability could enable privilege escalation or system configuration tampering by an attacker with local access. No patch is currently available.

Information Disclosure Lenovo
NVD VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-21360 MEDIUM This Month

Adobe Commerce and Magento versions 2.4.9-alpha3 through 2.4.4-p16 contain a path traversal vulnerability that allows high-privileged attackers to bypass security controls and access files outside intended directories. The vulnerability requires administrative credentials but no user interaction for exploitation, potentially exposing sensitive data. No patch is currently available for affected versions.

Adobe Path Traversal Commerce B2b Commerce Magento
NVD
CVSS 3.1
6.8
EPSS
0.2%
CVE-2026-20118 MEDIUM This Month

Network interface denial of service in Cisco IOS XR on NCS 5500/5700 routers allows unauthenticated remote attackers to disable packet processing by sending crafted traffic that triggers EPNI Aligner interrupt corruption during heavy transit conditions. Successful exploitation causes the network processing unit and ASIC to stop functioning, rendering affected interfaces unable to forward traffic. No patch is currently available for this medium-severity vulnerability.

Cisco Denial Of Service
NVD VulDB
CVSS 3.1
6.8
EPSS
0.1%
CVE-2026-32112 MEDIUM PATCH This Month

Medium severity vulnerability in Home Assistant MCP. #

Python XSS Home Assistant Mcp Server
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-32103 MEDIUM PATCH This Month

Medium severity vulnerability in StudioCMS. The POST /studiocms_api/dashboard/create-reset-link endpoint allows any authenticated user with admin privileges to generate a password reset token for any other user, including the owner account. The handler verifies that the caller is an admin but does not enforce role hierarchy, nor does it validate that the target userId matches the caller's identity. Combined with the POST /studiocms_api/d...

Authentication Bypass Studiocms
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-1753 MEDIUM This Month

Gutena Forms WordPre versions up to 1.6.1 is affected by authorization bypass through user-controlled key (CVSS 6.8).

WordPress Authentication Bypass
NVD WPScan
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-1717 MEDIUM This Month

LenovoProductivitySystemAddin in Lenovo Vantage and Baiying contains an input validation flaw that enables local authenticated users to terminate arbitrary processes with elevated privileges. This medium-severity vulnerability (CVSS 6.8) requires local access and valid credentials but poses a significant availability risk. No patch is currently available.

Information Disclosure Lenovo
NVD VulDB
CVSS 4.0
6.8
EPSS
0.0%
CVE-2026-32229 MEDIUM This Month

JetBrains Hub versions prior to 2026.1 contain an authentication bypass vulnerability where attackers with valid credentials can gain unauthorized access to accounts through sign-in mismatches when SSO is disabled and two-factor authentication is not configured. An authenticated attacker can exploit this to achieve both confidentiality and integrity violations. No patch is currently available for this vulnerability.

Authentication Bypass Hub
NVD VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2024-14025 MEDIUM This Month

An SQL injection vulnerability has been reported to affect Video Station. If an attacker gains local network access who have also gained an administrator account, they can then exploit the vulnerability to execute unauthorized code or commands.

SQLi Video Station
NVD VulDB
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-0940 MEDIUM This Month

Improper BIOS initialization in certain ThinkPad models enables local privileged users to modify system data and execute arbitrary code with high integrity impact. The vulnerability requires elevated privileges and local access, posing a risk to organizations where administrative users may be compromised or untrusted. No patch is currently available.

NVD VulDB
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-24510 MEDIUM This Month

Dell Alienware Command Center versions before 6.12.24.0 suffer from improper privilege management that allows local attackers with low privileges to escalate their access on affected systems. An attacker with physical or local system access combined with user interaction could gain elevated privileges, potentially compromising system integrity and confidentiality. No patch is currently available for this vulnerability.

Privilege Escalation Dell
NVD VulDB
CVSS 3.1
6.7
EPSS
0.0%
CVE-2024-14024 MEDIUM This Month

An improper certificate validation vulnerability has been reported to affect Video Station. If an attacker gains local network access who have also gained an administrator account, they can then exploit the vulnerability to compromise the security of the system.

Information Disclosure Video Station
NVD VulDB
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-30235 MEDIUM This Month

web-based project management software. versions up to 17.2.0 is affected by cross-site scripting (xss) (CVSS 6.5).

XSS Openproject
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-32102 MEDIUM PATCH This Month

### Summary OliveTin’s live EventStream broadcasts execution events and action output to authenticated dashboard subscribers without enforcing per-action authorization. A low-privileged authenticated user can receive output from actions they are not allowed to view, resulting in broken access control and sensitive information disclosure. I validated this on OliveTin 3000.10.2. ### Details The issue is in the live event streaming path. EventStream() only checks whether the caller may access the dashboard, then registers the user as a stream subscriber: - service/internal/api/api.go:776 After subscription, execution events are broadcast to all connected clients without checking whether each recipient is authorized to view logs for the action: - service/internal/api/api.go:846 OnExecutionStarted - service/internal/api/api.go:869 OnExecutionFinished - service/internal/api/api.go:1047 OnOutputChunk The event payload includes action output through: - service/internal/api/api.go:295 internalLogEntryToPb - service/internal/api/api.go:302 Output By contrast, the normal log APIs do apply per-action authorization checks: - service/internal/api/api.go:518 GetLogs - service/internal/api/api.go:585 GetActionLogs - service/internal/api/api.go:544 isLogEntryAllowed Root cause: - the subscription path enforces only coarse dashboard access - execution callbacks broadcast to every connected client - no per-recipient ACL check is applied before sending action metadata or output I validated the issue using: - an admin user with full ACLs - an alice user with no ACLs - a protected action that outputs TOPSECRET=alpha-bravo-charlie Despite having no relevant ACLs, alice still receives the ExecutionFinished event for the privileged action, including the protected output. ### PoC Tested version: ``` - 3000.10.2 ``` 1. Fetch and check out 3000.10.2 in a clean worktree: ```bash git -C OliveTin fetch origin tag 3000.10.2 git -C OliveTin worktree add /home/kali/CVE/OliveTin-3000.10.2 3000.10.2 ``` 2. Copy the PoC test into the clean tree: ```bash cp OliveTin/service/internal/api/event_stream_leak_test.go \ OliveTin-3000.10.2/service/internal/api/ ``` 3. Run the targeted PoC test: ```bash cd OliveTin-3000.10.2/service go test ./internal/api -run TestEventStreamLeaksUnauthorizedExecutionOutput -count=1 -timeout 30s -v ``` 4. Optional: save validation output: ```bash go test ./internal/api -run TestEventStreamLeaksUnauthorizedExecutionOutput -count=1 -timeout 30s -v \ 2>&1 | tee /tmp/olivetin_eventstream_3000.10.2.log ``` Observed validation output: ```bash === RUN TestEventStreamLeaksUnauthorizedExecutionOutput time="2026-03-01T04:44:59-05:00" level=info msg="Action requested" actionTitle=secret-action tags="[]" time="2026-03-01T04:44:59-05:00" level=info msg="Action parse args - Before" actionTitle=secret-action cmd="echo 'TOPSECRET=alpha-bravo-charlie'" time="2026-03-01T04:44:59-05:00" level=info msg="Action parse args - After" actionTitle=secret-action cmd="echo 'TOPSECRET=alpha-bravo-charlie'" time="2026-03-01T04:44:59-05:00" level=info msg="Action started" actionTitle=secret-action timeout=1 time="2026-03-01T04:44:59-05:00" level=info msg="Action finished" actionTitle=secret-action exit=0 outputLength=30 timedOut=false --- PASS: TestEventStreamLeaksUnauthorizedExecutionOutput (0.00s) PASS ok github.com/OliveTin/OliveTin/internal/api 0.025s ``` What this proves: - admin can execute the protected action - alice has no ACLs - alice still receives the streamed completion event for the protected action - protected action output is exposed through the event stream ### Impact This is an authenticated broken access control / information disclosure vulnerability. A low-privileged authenticated user can subscribe to EventStream and receive: - action execution metadata - execution tracking IDs - initiating username - live output chunks - final command output Who is impacted: - multi-user OliveTin deployments - environments where privileged actions produce secrets, tokens, internal system details, or other sensitive operational output - deployments where lower-privileged authenticated users can access the dashboard and subscribe to live events This bypasses intended per-action log/view restrictions for protected actions.

Information Disclosure Authentication Bypass Olivetin Suse
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-1965 MEDIUM PATCH This Month

libcurl incorrectly reuses authenticated connections when processing Negotiate authentication requests, allowing an attacker with valid credentials to access resources authenticated under different user accounts. An authenticated attacker can exploit this connection pooling logic error to bypass authentication checks by reusing an existing connection that was authenticated with different credentials. This affects libcurl implementations using Negotiate authentication where multiple users access the same server.

Information Disclosure Curl Red Hat Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-13690 MEDIUM This Month

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.11 versions up to 18.7.6 is affected by allocation of resources without limits or throttling (CVSS 6.5).

Gitlab Denial Of Service
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-32094 MEDIUM PATCH This Month

Shescape versions prior to 2.1.10 fail to properly escape square-bracket glob patterns in Bash, BusyBox sh, and Dash, allowing attackers to manipulate shell arguments into multiple filesystem expansions instead of literal strings. Applications using the library's escape() function are vulnerable to argument injection attacks where an attacker-controlled value like "secret[12]" could expand to match multiple files, bypassing intended pathname restrictions. No patch is currently available for affected deployments.

Information Disclosure Shescape
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32108 MEDIUM PATCH This Month

A security vulnerability in Copyparty (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

Authentication Bypass Copyparty
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1781 MEDIUM This Month

Unauthenticated attackers can arbitrarily unsubscribe email addresses from Mailchimp audiences through the MC4WP: Mailchimp for WordPress plugin (versions up to 4.11.1) by manipulating the unvalidated _mc4wp_action POST parameter, requiring only publicly exposed form IDs. This missing authorization vulnerability allows bulk email removal operations without authentication, impacting any WordPress site using the affected plugin with a connected Mailchimp account. No patch is currently available to address this issue.

WordPress Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-3937 MEDIUM PATCH This Month

Incorrect security UI in Downloads in Google Chrome on Android versions up to 146.0.7680.71 contains a security vulnerability.

Google Information Disclosure Chrome Android Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-12576 MEDIUM This Month

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.3 versions up to 18.7.6 is affected by allocation of resources without limits or throttling (CVSS 6.5).

Gitlab Denial Of Service
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-30234 MEDIUM This Month

OpenProject versions prior to 17.2.0 allow authenticated users with BCF import permissions to read arbitrary files from the server through path traversal in crafted .bcf archive uploads. An attacker can manipulate the Snapshot field in markup.bcf to reference absolute or traversal paths (such as /etc/passwd), enabling unauthorized file disclosure within the application's read permissions. This vulnerability requires valid project member credentials and no patch is currently available.

Path Traversal Openproject
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-3935 MEDIUM PATCH This Month

Incorrect security UI in WebAppInstalls in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability.

Google Information Disclosure Chrome Red Hat Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-20164 MEDIUM This Month

Splunk Enterprise and Cloud Platform versions below specified thresholds fail to properly restrict access to the passwords configuration API endpoint, allowing low-privileged users without admin or power roles to retrieve hashed or plaintext credential values from passwords.conf. This information disclosure vulnerability could enable attackers to obtain sensitive authentication credentials for further system compromise. No patch is currently available.

Information Disclosure Splunk Splunk Cloud Platform
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-23817 MEDIUM This Month

web-based management interface of AOS-CX Switches is affected by url redirection to untrusted site (open redirect) (CVSS 6.5).

Open Redirect
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-28803 MEDIUM This Month

Open Forms versions prior to 3.3.13 and 3.4.5 allow authenticated attackers to access arbitrary form submissions through submission reference enumeration or manipulation in the cosigning workflow. An attacker with valid credentials can guess or modify cosigner codes to retrieve submissions they should not have access to, resulting in unauthorized information disclosure.

Authentication Bypass Open Forms
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-30239 MEDIUM This Month

Unauthorized budget assignment deletion in OpenProject prior to 17.2.0 allows any authenticated user to remove work package budget associations due to insufficient authorization checks being performed after the deletion operation. This improper access control enables users without proper permissions to manipulate budget data, potentially disrupting project financial tracking and resource allocation. A patch is available in version 17.2.0 and later.

Authentication Bypass Openproject
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-3934 MEDIUM PATCH This Month

Insufficient policy enforcement in ChromeDriver in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability.

Google Authentication Bypass Chrome Red Hat Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-3534 MEDIUM This Month

Stored cross-site scripting in the Astra WordPress theme through versions 4.12.3 allows authenticated contributors and higher-privileged users to inject malicious scripts into post meta fields that execute when pages are viewed. The vulnerability stems from improper sanitization of background-related meta fields and missing output escaping in CSS property handling. Attackers with contributor-level access can compromise page content and redirect or manipulate user sessions.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2707 MEDIUM This Month

Stored XSS in the weForms WordPress plugin allows authenticated users with Subscriber-level access to inject malicious scripts through REST API form submissions, bypassing the sanitization applied to frontend submissions. The vulnerability exists in versions up to 1.6.27 due to inconsistent input validation between the AJAX handler and REST API endpoint, enabling attackers to execute arbitrary JavaScript in the context of other users' browsers. No patch is currently available.

WordPress PHP XSS
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2358 MEDIUM This Month

Stored XSS in the WP ULike WordPress plugin up to version 5.0.1 allows authenticated users with Contributor access or higher to inject malicious scripts into pages through the shortcode template attribute, which executes when visitors view affected content. The vulnerability stems from improper use of html_entity_decode() that circumvents WordPress sanitization filters, requiring at least one like on a post to trigger payload execution. No patch is currently available.

WordPress XSS
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2918 MEDIUM This Month

Authenticated contributors to WordPress sites running Happy Addons for Elementor up to version 3.21.0 can modify display conditions of published templates due to improper authorization checks in the `ha_condition_update` AJAX action and missing capability validation in `ha_get_current_condition`. The vulnerability allows attackers to alter template visibility rules and potentially inject unescaped content into HTML attributes, affecting site content delivery and potentially enabling stored XSS attacks.

WordPress XSS Authentication Bypass
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3492 MEDIUM This Month

Stored XSS in Gravity Forms WordPress plugin through version 2.9.28.1 allows authenticated subscribers and above to inject malicious JavaScript via the form creation endpoint, which executes when administrators interact with the Form Switcher dropdown. The vulnerability stems from inadequate input sanitization and missing output escaping in the form title field. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2569 MEDIUM This Month

Stored XSS in Dear Flipbook WordPress plugin through version 2.4.20 allows authenticated users with Author privileges or higher to inject malicious scripts via PDF page labels due to inadequate input sanitization. These injected scripts execute in the browsers of any user viewing the affected pages. No patch is currently available for this vulnerability.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-32128 MEDIUM This Month

FastGPT's Python Sandbox in versions 4.14.7 and earlier allows authenticated users to bypass file write restrictions by remapping standard output to arbitrary file descriptors via fcntl, enabling unauthorized file creation and modification within the container. The vulnerability exploits a gap between static detection and seccomp filtering, where remapped stdout still satisfies the write syscall rules. An attacker with sandbox access could create or overwrite arbitrary files despite the intended file system restrictions.

Python AI / ML
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-20165 MEDIUM This Month

Improper access control in Splunk Enterprise and Cloud Platform versions below specified thresholds allows low-privileged users without admin or power roles to extract sensitive information from job search logs through the MongoClient logging channel. Affected versions include Enterprise 10.2.1, 10.0.4, 9.4.9, and 9.3.10, as well as corresponding Cloud Platform releases. No patch is currently available for this medium-severity vulnerability.

Information Disclosure Splunk Splunk Cloud Platform
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-20162 MEDIUM This Month

Stored XSS via path traversal in Splunk Enterprise and Cloud Platform allows low-privileged users to inject malicious JavaScript into Views, compromising any user who visits the affected page. An attacker must socially engineer a victim into initiating the malicious request, but no special privileges or user interaction beyond initial page load is required. Affected versions include Splunk Enterprise below 10.2.0, 10.0.3, 9.4.9, and 9.3.9, with no patch currently available.

XSS Path Traversal Splunk Splunk Cloud Platform
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-30868 MEDIUM This Month

OPNsense prior to version 26.1.4 contains a CSRF vulnerability where state-changing API endpoints accept HTTP GET requests without proper anti-CSRF protections, allowing authenticated users to be tricked into triggering unintended system operations. An attacker can craft a malicious website that, when visited by an authenticated OPNsense administrator, performs unauthorized configuration changes or service reloads through the vulnerable endpoints. No patch is currently available for this medium-severity vulnerability affecting OPNsense firewall deployments.

CSRF Opnsense
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-3904 MEDIUM PATCH This Month

Denial of service in GNU C Library 2.36 on x86_64 systems occurs when nscd-backed functions trigger a race condition in the optimized memcmp implementation, allowing concurrent thread modification of input data to cause application crashes. This affects any application using NSS caching functionality under high load conditions. No patch is currently available.

Denial Of Service Glibc
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-12473 MEDIUM This Month

The RTMKit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'themebuilder' parameter in all versions up to, and including, 1.6.8 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-31859 MEDIUM PATCH This Month

Reflected XSS in Craft CMS versions before 5.9.7 and 4.17.3 allows remote attackers to execute arbitrary JavaScript in users' browsers via malicious return URLs that bypass insufficient sanitization. The vulnerability exists because the patch for a prior issue relied on strip_tags() to filter URLs, which fails to block dangerous URL schemes like javascript:. An attacker can craft a malicious link that, when clicked by an authenticated user, steals session cookies or performs actions on their behalf.

PHP XSS Craft Cms
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-31868 MEDIUM PATCH This Month

Stored XSS in Parse Server prior to versions 9.6.0-alpha.4 and 8.6.30 allows unauthenticated attackers to upload files with dangerous extensions (such as .svgz, .xht, .xml) that bypass default upload filters and execute malicious scripts in users' browsers within the Parse Server domain. Successful exploitation enables attackers to steal session tokens, hijack user accounts, or perform unauthorized actions on behalf of victims. User interaction is required to trigger the vulnerability when victims access the uploaded malicious files.

Node.js XSS Parse Server
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
Prev Page 4 of 7 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy