Monthly
Reflected XSS in Concrete CMS 9.5.0 and below allows a remote unauthenticated attacker to inject and execute arbitrary JavaScript in the browser of an authenticated admin or report viewer who clicks a crafted URL targeting the legacy form reports dashboard. The vulnerable component, Concrete\Core\Legacy\Pagination, raw-interpolates a user-controlled URL value directly into an HTML href attribute, enabling attribute injection per CWE-83. With a CVSS 4.0 score of 6.0 and high confidentiality impact (VC:H) on the vulnerable system, successful exploitation can lead to session token theft; no public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
{ external: true })` - the common post-login `?next=` or `?redirect=` redirect pattern - are affected across nuxt versions 3.4.3-3.21.5 and 4.0.0-alpha.1-4.4.5. A full proof-of-concept is published in the GitHub Security Advisory GHSA-fx6j-w5w5-h468; no public exploit identified at time of analysis beyond that PoC, and this CVE does not appear in CISA KEV.
CVAT is an open source interactive video and image annotation tool for computer vision. [CVSS 5.4 MEDIUM]
Saleor is an e-commerce platform. [CVSS 4.8 MEDIUM]
Improper input neutralization in Palo Alto Networks PAN-OS management web interface allows authenticated high-privilege administrators to bypass system restrictions and execute arbitrary commands through command injection. The vulnerability affects PAN-OS across multiple versions (specific version ranges not independently confirmed from provided data), with a low EPSS exploitation probability (0.06%, 17th percentile) and no confirmed active exploitation or public proof-of-concept. Risk is significantly reduced when CLI access is restricted to a limited administrator group; Cloud NGFW and Prisma Access are unaffected.
An improper input neutralization vulnerability in the management web interface of the Palo Alto Networks PAN-OS® software enables a malicious authenticated read-write administrator to impersonate. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.
An improper input neutralization vulnerability in the management web interface of the Palo Alto Networks PAN-OS® software enables a malicious authenticated read-write administrator to impersonate. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.
Improper Neutralization of Script in Attributes in a Web Page vulnerability in Forcepoint Email Security (Blocked Messages module) allows Stored XSS.5.5. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, requires no authentication, and has low attack complexity. No vendor patch available.