A Cross-Site Scripting (XSS) vulnerability exists in itsourcecode University Management System version 1.0, specifically in the /add_result.php file where the 'vr' parameter is not properly sanitized. An authenticated attacker with high privileges can inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions within the application. A public proof-of-concept exploit is available on GitHub, and while the CVSS score is low (2.4), the vulnerability is actively documented in security databases and poses a real risk in educational environments.
This vulnerability in Dahua NVR/XVR devices allows unauthenticated privilege escalation through the serial port console by bypassing shell authentication mechanisms. Affected devices include Dahua NVR2-4KS3, XVR4232AN-I/T, and XVR1B16H-I/T models with build dates prior to March 3, 2026. An attacker with physical access to the device can gain a restricted shell and escalate privileges to access sensitive system functions, though the CVSS 2.4 score reflects the requirement for physical proximity and lack of data availability impact.
A security vulnerability in version 5.1.1 and (CVSS 2.3) that allows users. Remediation should follow standard vulnerability management procedures.
OpenClaw versions prior to 2026.2.21 are vulnerable to prototype pollution attacks via the /debug set endpoint, allowing authenticated attackers to inject reserved prototype keys (__proto__, constructor, prototype) and manipulate object prototypes to bypass command gate restrictions. The vulnerability requires authenticated access and has relatively low real-world exploitability due to high attack complexity, but presents a meaningful integrity risk for authorized users who may not be aware of this attack vector. A patch is available from the vendor.
An out-of-bounds array write vulnerability exists in Xpdf versions 4.06 and earlier, stemming from improper validation of the 'N' field in ICCBased color spaces within PDF documents. This buffer overflow vulnerability affects all versions of Xpdf up to and including 4.06, potentially allowing attackers to achieve arbitrary code execution or denial of service by crafting malicious PDF files with specially crafted color space definitions. No CVSS score or EPSS data is currently available, and active exploitation status is not confirmed in public sources.
The pkgutil.get_data() function in CPython fails to properly validate the resource argument, enabling path traversal attacks that allow unauthorized information disclosure. This vulnerability affects CPython across multiple versions and could permit attackers to read arbitrary files from the system where Python code is executing. A patch is available from the Python Software Foundation, and the vulnerability has been documented with proof-of-concept references in the official CPython repository.
The Nhost storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection, allowing attackers to upload files with spoofed MIME types that bypass bucket-level MIME restrictions. This affects the Go module github.com/nhost/nhost and could cause downstream systems (browsers, CDNs, applications) to mishandle files based on false type metadata. While the CVSS vector indicates low immediate severity due to requiring user interaction and lacking direct confidentiality or availability impact, the metadata corruption poses integrity risks for systems relying on accurate file type information.
A stored or reflected cross-site scripting (XSS) vulnerability exists in Portabilis i-Educar 2.11 through improper input validation on the Name parameter in the /intranet/educar_servidor_curso_lst.php endpoint. An authenticated attacker can inject malicious JavaScript that executes in the context of other users' browsers, potentially enabling session hijacking, credential theft, or malware distribution. A public proof-of-concept exploit is available, and the vendor has not responded to early disclosure attempts, indicating no patch is currently available.
A reflected cross-site scripting (XSS) vulnerability exists in TRENDnet TEW-824DRU wireless router firmware versions 1.010B01 and 1.04B01, affecting the apply_sec.cgi web interface component. An authenticated attacker can inject malicious JavaScript through the Language parameter in the sub_420A78 function, which is then executed in the context of another user's browser session. The vulnerability is publicly exploitable (working proof-of-concept available on GitHub), has a low CVSS score (3.5) due to authentication requirements and user interaction, but represents a real security concern for router administration interfaces where multiple users may access the web UI.