Stored XSS in OpenEMR prior to 8.0.0.2 allows authenticated users with the "Notes - my encounters" role to inject malicious JavaScript into Eye Exam form fields, which executes when other users with the same role view the form responses. An attacker can exploit this to steal session tokens, perform unauthorized actions, or compromise patient data through form manipulation. No patch is currently available for affected versions.
Stored XSS in FreeScout 1.8.208 and earlier allows authenticated attackers to execute arbitrary JavaScript in victims' browsers by uploading a malicious SVG file with a .png extension and image/svg+xml content type, bypassing both the attachment view logic and SVG sanitizer. The vulnerability exploits a fallback mechanism that unsafely processes invalid XML, enabling script execution when the file is rendered inline. An attacker with upload permissions can compromise other users' sessions and data through this cross-site scripting attack.
HCL Connections contains a reflected or stored cross-site scripting (XSS) vulnerability that allows authenticated attackers to inject malicious JavaScript into the application, which executes in the browsers of other users who interact with the crafted payload. An attacker with valid credentials can steal session cookies and authentication tokens, potentially compromising victim accounts and enabling further attacks such as lateral movement or data exfiltration. The vulnerability requires user interaction and authentication to exploit, resulting in a CVSS score of 5.4 (Medium severity), though the impact is cross-site scope.
Stored XSS in OpenEMR versions before 8.0.0.2 allows authenticated patient portal users to inject malicious scripts into their login username, which execute in the browsers of clinic staff when viewing the portal credential creation page. This vulnerability enables attackers to compromise staff and admin sessions through the patient context, potentially leading to unauthorized access or data manipulation within the healthcare system. A patch is available in version 8.0.0.2 and later.
SuiteCRM versions prior to 7.15.1 and 8.9.3 contain an unauthenticated open redirect vulnerability in the WebToLead feature that allows attackers to redirect users to arbitrary external websites by manipulating an unvalidated POST parameter. An attacker can leverage the trusted SuiteCRM domain to conduct phishing and social engineering attacks against users without requiring authentication or user interaction beyond clicking a malicious link. No patch is currently available for affected versions.
IBM QRadar SIEM contains a reflected or stored cross-site scripting (XSS) vulnerability in the Web UI that allows authenticated users to inject arbitrary JavaScript code, potentially altering system functionality and compromising the integrity of security monitoring. The vulnerability affects QRadar SIEM versions 7.5.0 through 7.5.0 Update Package 14. An attacker with valid credentials can craft malicious payloads to execute client-side code in the context of other users' sessions, leading to session hijacking, credential theft, or unauthorized configuration changes. A patch is available from IBM, and this vulnerability is not currently listed in CISA's KEV catalog, suggesting limited evidence of active exploitation in the wild at this time.
IBM QRadar SIEM versions 7.5.0 through 7.5.0 Update Package 14 contain a cross-site scripting (XSS) vulnerability in the Web UI that allows authenticated users to inject arbitrary JavaScript code. An attacker with valid credentials can exploit this vulnerability to alter UI functionality and potentially steal session credentials or perform actions on behalf of the victim user within their trusted session. A patch is available from the vendor, though no public exploitation toolkit or widespread active exploitation has been reported at the time of this analysis.
A remote code execution vulnerability in Discourse (CVSS 5.4). Remediation should follow standard vulnerability management procedures.
A remote code execution vulnerability in OpenEMR (CVSS 5.4) that allows any authenticated openemr user. Remediation should follow standard vulnerability management procedures.
Stored cross-site scripting in the WWBN/AVideo CDN plugin allows authenticated attackers to inject malicious JavaScript through improperly sanitized video titles, which executes when users access download pages. An attacker with video creation or modification privileges can compromise any user viewing the affected download interface. No patch is currently available for PHP and Python implementations.
OpenClaw versions prior to 2026.2.19 allow local attackers with limited privileges to execute arbitrary commands through the Lobster extension's Windows shell fallback mechanism by injecting malicious arguments into workflow processes. The vulnerability exploits cmd.exe command interpretation when spawn operations fail and trigger shell execution, enabling command injection with potential impact on system integrity and availability. A patch is available for affected versions.
A remote code execution vulnerability in Instant Popup Builder (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
M365 Copilot is vulnerable to command injection that enables unauthenticated remote attackers to extract sensitive information through the network. The vulnerability stems from inadequate sanitization of special characters in command inputs, requiring user interaction to trigger. No patch is currently available for this medium-severity flaw.
OPEXUS eComplaint versions before 10.1.0.0 allow unauthenticated attackers to enumerate case numbers and upload arbitrary files to the public document upload interface, potentially cluttering cases with malicious content and consuming server storage. The vulnerability requires user interaction but has no authentication requirements, affecting all instances running vulnerable versions with no available patch.
Unauthorized access to hidden post revisions in Discourse through version enumeration allows unauthenticated users to bypass authorization checks and read staff-concealed edit history. The /posts/:id.json endpoint fails to validate user permissions before displaying revision content, enabling attackers to enumerate version numbers and access sensitive historical data. Affected deployments should upgrade to versions 2026.3.0-latest.1, 2026.2.1, or 2026.1.2 as no workarounds are available.
OpenClaw versions before 2026.2.23 allow authenticated users to bypass sandbox restrictions and read files outside the intended workspace by exploiting inadequate path validation in the sandboxed image tool. An attacker with valid credentials can exfiltrate sensitive files by leveraging vision model provider integrations, compromising the confidentiality of restricted data.
WP eMember through version 10.2.2 contains an authorization bypass flaw that allows unauthenticated remote attackers to circumvent access control restrictions and view protected content. The vulnerability stems from improper validation of security level configurations, enabling unauthorized information disclosure without user interaction. No patch is currently available for this issue.
A remote code execution vulnerability in Discourse (CVSS 5.3) that allows restricted post action counts. Remediation should follow standard vulnerability management procedures.
OpenClaw versions before 2026.3.2 are vulnerable to a race condition in ZIP extraction that permits local attackers with limited privileges to write arbitrary files outside the intended extraction directory. By manipulating symlinks between path validation and write operations, an attacker can achieve arbitrary file placement on the system. A patch is available to resolve this integrity issue.
DiceBear avatar generation libraries (@dicebear/core and @dicebear/initials) are vulnerable to stored XSS through unescaped SVG attributes when user-supplied options like backgroundColor, fontFamily, and textColor are directly interpolated into SVG output. Attackers can inject malicious JavaScript that executes when the resulting SVG is rendered inline or served with SVG content-type, affecting any application that passes untrusted input to the createAvatar() function. No patch is currently available.
Linkit ONE Location Aware Sensor System (LASS) up to commit f06bd20 contains reflected cross-site scripting (XSS) in PM25.php that permits remote attackers to execute arbitrary JavaScript in victim browsers through unencoded GET parameters (site, city, district, channel, apikey). The vulnerability affects a sensor data collection platform and carries a low exploitation probability (EPSS 0.21%, percentile 43%), suggesting limited real-world attack activity despite public disclosure through VulnCheck.
This vulnerability is a stored/reflected cross-site scripting (XSS) flaw in OPEXUS eComplaint and eCASE that allows authenticated attackers to inject malicious JavaScript into the 'Name of Organization' field during case creation. When a victim views the affected case information page, the unvalidated payload executes in their browser session, potentially leading to session hijacking, credential theft, or unauthorized actions. With a CVSS score of 5.5 (medium severity) requiring low attack complexity and user interaction, this represents a meaningful risk to authenticated users, though the requirement for prior authentication and user interaction limits its immediate exploitability.
This is a stored cross-site scripting (XSS) vulnerability in OPEXUS eComplaint and eCASE platforms where the first and last name fields in the 'My Information' screen fail to properly sanitize user input. An authenticated attacker can inject malicious JavaScript code into these fields, which executes in the context of victim sessions when the full name is rendered, allowing credential theft, session hijacking, or malicious actions on behalf of the victim. The CVSS 5.5 score reflects moderate risk (low integrity/confidentiality/availability impact) mitigated by authentication requirements and user interaction necessity, though the practical risk depends on deployment context and whether patches are available.
This is a stored cross-site scripting (XSS) vulnerability in OPEXUS eComplaint and eCASE versions before 10.2.0.0, where user profile first and last name fields lack proper input sanitization. An authenticated attacker can inject malicious JavaScript payloads into these fields, which execute in the context of any victim's session when the attacker's full name is rendered, allowing theft of session tokens, credential harvesting, or account manipulation. The vulnerability carries a CVSS 5.5 (medium) score but poses real risk due to its authenticated-but-no-special-privileges requirement and user interaction dependency; exploitation is likely straightforward given the simplicity of XSS injection techniques.
IBM QRadar SIEM versions 7.5.0 through 7.5.0 Update Package 14 contain a cross-tenant information disclosure vulnerability that allows an authenticated attacker with access to one tenant account to retrieve hostname data belonging to other tenants. The vulnerability has a CVSS score of 5.0 with low attack complexity and requires only user-level privileges, making it a practical risk in multi-tenant deployments. A patch is available from IBM, and there is no indication of active exploitation in the wild or public proof-of-concept code.
Server-Side Request Forgery in SuiteCRM versions prior to 7.15.1 and 8.9.3 allows authenticated users to craft malicious PDF templates containing image tags that trigger server-side HTTP requests when PDFs are generated. An attacker with login credentials can exploit this to scan internal networks, access local services, or exfiltrate data from the server's perspective. No patch is currently available for affected versions.
The BulkEmbed plugin in AVideo fails to validate thumbnail URLs in its save endpoint, allowing authenticated attackers to conduct Server-Side Request Forgery (SSRF) attacks and retrieve responses from internal network resources. An attacker can supply malicious URLs via the bulk embed feature to force the server to make HTTP requests to internal systems and view the cached thumbnail responses. This vulnerability affects PHP-based AVideo installations and requires authentication to exploit.
Heap buffer overflow in wolfSSL's session deserialization function allows local attackers with low privileges to corrupt heap memory by crafting malicious session data with invalid certificate lengths. The vulnerability affects systems with SESSION_CERTS enabled that load external session data, requiring user interaction or specific configuration to exploit. No patch is currently available.
SuiteCRM versions prior to 7.15.1 and 8.9.3 contain a denial-of-service vulnerability that allows authenticated attackers with high privileges to crash the application through path traversal manipulation. An attacker with administrative credentials can exploit this remotely to disrupt service availability without requiring user interaction. No patch is currently available for this vulnerability.
Path traversal in SuiteCRM's ModuleBuilder module (versions prior to 7.15.1 and 8.9.3) allows authenticated administrators to read arbitrary files from the server by manipulating the `$modules` and `$name` parameters, which are improperly validated before being used in file operations. An attacker with ModuleBuilder access can exploit this to copy sensitive files from any readable directory into the web root, exposing their contents through the web server.
A security vulnerability in versions (CVSS 4.9). Remediation should follow standard vulnerability management procedures.
OpenClaw versions before 2026.2.22 contain an allowlist parsing flaw in the macOS companion app that enables authenticated operators with elevated privileges to bypass command execution controls and run arbitrary commands on paired hosts. The vulnerability affects systems with operator.write access and macOS beta nodes, allowing attackers to craft malicious shell-chain payloads that circumvent validation checks. A security patch is available.
OpenClaw server-http versions before 2026.2.26 permit unauthenticated access to protected plugin channel APIs through path canonicalization mismatches between gateway and routing handlers. Remote attackers can exploit this authentication bypass by crafting requests with alternative path encodings to reach sensitive endpoints without valid credentials. No patch is currently available for this medium-severity issue.
CVE-2026-3580 is a security vulnerability (CVSS 4.7). Remediation should follow standard vulnerability management procedures.
OpenClaw prior to version 2026.2.23 allows local authenticated attackers to inject malicious code into exported HTML sessions through specially crafted mimeType values in image content blocks. When a user opens the exported HTML file, the injected code executes arbitrary JavaScript in their browser context. Exploitation requires local access and user interaction to open the malicious HTML file.
JRuby's BCrypt implementation suffers from a signed integer overflow when the cost parameter is set to 31, causing the key-strengthening loop to execute zero iterations and reducing password hashing to a negligible computational cost. Applications using bcrypt-ruby with cost=31 generate seemingly valid hashes that verify correctly but provide virtually no protection against brute-force attacks. No patch is currently available for this vulnerability.
CVE-2026-33326 is a security vulnerability (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
Authenticated users can inject persistent JavaScript through malicious DOT graph definitions in the discourse-graphviz plugin on Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, enabling stored XSS attacks when Content Security Policy is disabled. Affected instances should upgrade to patched versions, disable the plugin, or enforce a CSP as a temporary mitigation, as no patch is currently available for all deployment scenarios.
DOM-based stored XSS in OpenEMR's SearchHighlight plugin (versions prior to 8.0.0.2) enables authenticated users with encounter form write access to inject malicious JavaScript that executes in other clinicians' browsers during report searches. An attacker can leverage this to steal session tokens, modify patient data, or perform actions on behalf of targeted medical staff. The vulnerability stems from improper handling of HTML entity decoding when parsing search results.
Unauthorized user warnings in Discourse prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 can be issued by authenticated non-staff users due to a type coercion flaw in the post actions API endpoint. Attackers with valid login credentials can exploit this to send warnings meant only for staff moderators, though no data exposure or further privilege escalation occurs. No patch workaround is currently available.
The `listFiles.json.php` endpoint in AVideo accepts an unsanitized POST parameter `path` and passes it directly to PHP's `glob()` function without restricting traversal to an allowed base directory, enabling authenticated uploaders to enumerate `.mp4` files anywhere on the server filesystem. An attacker with the standard `canUpload` permission can discover private, premium, or access-controlled video files stored outside the intended upload directory by supplying arbitrary absolute paths, revealing both filenames and full filesystem paths that may aid further exploitation. A proof-of-concept is available demonstrating traversal from the web root to arbitrary locations such as `/var/private/premium-content/` and the root filesystem.
The Download Manager plugin for WordPress contains a missing capability check in the 'reviewUserStatus' function that allows authenticated subscribers and above to access sensitive user information without proper authorization. Affected versions include all releases up to and including 3.3.49, enabling attackers with minimal privileges to retrieve email addresses, display names, and registration dates for any user on the site. While the CVSS score of 4.3 is moderate and the vulnerability requires authentication, the ease of exploitation and the breadth of exposed personal data present a meaningful information disclosure risk for WordPress installations using this plugin.
A remote code execution vulnerability in Discourse (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
CVE-2026-3503 is a security vulnerability (CVSS 4.3) that allows a physical attacker. Remediation should follow standard vulnerability management procedures.
The Add Custom Fields to Media WordPress plugin versions up to 2.0.3 contains a Cross-Site Request Forgery (CSRF) vulnerability in the field deletion functionality that allows unauthenticated attackers to delete arbitrary custom media fields. The vulnerability exists because the plugin validates nonces for the 'add field' operation but fails to validate nonces on the 'delete field' operation, which processes the $_GET['delete'] parameter directly. An attacker can exploit this by tricking a site administrator into clicking a malicious link, resulting in unauthorized deletion of custom media field configurations with no authentication required beyond social engineering.
Discourse's profile hiding feature fails to protect user bio, location, and website fields when accessed through onebox previews, allowing authenticated attackers to retrieve this information despite the `hide_profile` setting. An attacker can request a onebox preview of a hidden user's profile URL to bypass privacy controls and expose sensitive profile data. The vulnerability affects Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, with no workarounds currently available.
Insufficient sanitization of Codepen iframe parameters in Discourse prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allows authenticated attackers to manipulate users into changing the main page URL through social engineering. The vulnerability requires user interaction and network access but has no available patch, making disabling Codepen embeds the recommended mitigation.
OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability in Signal group allowlist enforcement where the system incorrectly accepts sender identities derived from direct message (DM) pairing-store approvals. An authenticated attacker with low privileges can exploit this boundary weakness by obtaining DM pairing approval, allowing them to bypass group allowlist checks and gain unauthorized access to Signal groups. While the CVSS score is moderate (3.7) and attack complexity is high, the vulnerability represents a direct authentication control bypass in a messaging security context, and patches are available from the vendor.
OpenClaw versions prior to 2026.2.22 contain a path traversal vulnerability in the static file handler that follows symbolic links, allowing out-of-root file reads.
CVE-2026-32006 is a security vulnerability (CVSS 3.1). Remediation should follow standard vulnerability management procedures.