Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2020-5259

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-10 Mar, 2020 | 17:50
Updated At-04 Aug, 2024 | 08:22
Rejected At-
Credits

Prototype Pollution in Dojox

In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:10 Mar, 2020 | 17:50
Updated At:04 Aug, 2024 | 08:22
Rejected At:
▼CVE Numbering Authority (CNA)
Prototype Pollution in Dojox

In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2

Affected Products
Vendor
Dojo (OpenJS Foundation)dojo
Product
dojox
Versions
Affected
  • < 1.11.10
  • >= 1.12.0, < 1.12.8
  • >= 1.13.0, < 1.13.7
  • >= 1.14.0, < 1.14.6
  • >= 1.15.0, < 1.15.3
  • >= 1.16.0, < 1.16.2
Problem Types
TypeCWE IDDescription
CWECWE-94CWE-94: Improper Control of Generation of Code ('Code Injection')
Type: CWE
CWE ID: CWE-94
Description: CWE-94: Improper Control of Generation of Code ('Code Injection')
Metrics
VersionBase scoreBase severityVector
3.17.7HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Version: 3.1
Base score: 7.7
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw
x_refsource_CONFIRM
https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da
x_refsource_MISC
https://lists.debian.org/debian-lts-announce/2020/03/msg00012.html
mailing-list
x_refsource_MLIST
Hyperlink: https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da
Resource:
x_refsource_MISC
Hyperlink: https://lists.debian.org/debian-lts-announce/2020/03/msg00012.html
Resource:
mailing-list
x_refsource_MLIST
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw
x_refsource_CONFIRM
x_transferred
https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da
x_refsource_MISC
x_transferred
https://lists.debian.org/debian-lts-announce/2020/03/msg00012.html
mailing-list
x_refsource_MLIST
x_transferred
Hyperlink: https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://lists.debian.org/debian-lts-announce/2020/03/msg00012.html
Resource:
mailing-list
x_refsource_MLIST
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:10 Mar, 2020 | 18:15
Updated At:11 Mar, 2020 | 21:15

In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.18.6HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Secondary3.17.7HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Primary2.05.0MEDIUM
AV:N/AC:L/Au:N/C:N/I:P/A:N
Type: Primary
Version: 3.1
Base score: 8.6
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Type: Secondary
Version: 3.1
Base score: 7.7
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Type: Primary
Version: 2.0
Base score: 5.0
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:N/C:N/I:P/A:N
CPE Matches

The Linux Foundation
linuxfoundation
>>dojox>>Versions before 1.11.10(exclusive)
cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*
The Linux Foundation
linuxfoundation
>>dojox>>Versions from 1.12.0(inclusive) to 1.12.8(exclusive)
cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*
The Linux Foundation
linuxfoundation
>>dojox>>Versions from 1.13.0(inclusive) to 1.13.7(exclusive)
cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*
The Linux Foundation
linuxfoundation
>>dojox>>Versions from 1.14.0(inclusive) to 1.14.6(exclusive)
cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*
The Linux Foundation
linuxfoundation
>>dojox>>Versions from 1.15.0(inclusive) to 1.15.3(exclusive)
cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*
The Linux Foundation
linuxfoundation
>>dojox>>Versions from 1.16.0(inclusive) to 1.16.2(exclusive)
cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*
Weaknesses
CWE IDTypeSource
CWE-74Primarynvd@nist.gov
CWE-94Secondarysecurity-advisories@github.com
CWE ID: CWE-74
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-94
Type: Secondary
Source: security-advisories@github.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9dasecurity-advisories@github.com
Patch
https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cwsecurity-advisories@github.com
Exploit
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/03/msg00012.htmlsecurity-advisories@github.com
N/A
Hyperlink: https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw
Source: security-advisories@github.com
Resource:
Exploit
Third Party Advisory
Hyperlink: https://lists.debian.org/debian-lts-announce/2020/03/msg00012.html
Source: security-advisories@github.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

375Records found

CVE-2020-5258
Matching Score-10
Assigner-GitHub, Inc.
ShareView Details
Matching Score-10
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-4.02% / 89.33%
||
7 Day CHG~0.00%
Published-10 Mar, 2020 | 17:50
Updated-04 Aug, 2024 | 08:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype pollution in dojo

In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2

Action-Not Available
Vendor-Dojo (OpenJS Foundation)Debian GNU/LinuxThe Linux FoundationOracle Corporation
Product-communications_application_session_controllerdebian_linuxprimavera_unifiercommunications_pricing_design_centerweblogic_serverdocumakerwebcenter_sitescommunications_policy_managementmysqldojodojo
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2019-16919
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.71% / 74.57%
||
7 Day CHG~0.00%
Published-18 Oct, 2019 | 11:59
Updated-05 Aug, 2024 | 01:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Harbor API has a Broken Access Control vulnerability. The vulnerability allows project administrators to use the Harbor API to create a robot account with unauthorized push and/or pull access permissions to a project they don't have access or control for. The Harbor API did not enforce the proper project permissions and project scope on the API request to create a new robot account.

Action-Not Available
Vendor-n/aVMware (Broadcom Inc.)The Linux Foundation
Product-harborcloud_foundationharbor_container_registryn/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2019-16884
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-4.41% / 90.15%
||
7 Day CHG+0.04%
Published-25 Sep, 2019 | 00:00
Updated-05 Aug, 2024 | 01:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory.

Action-Not Available
Vendor-n/aCanonical Ltd.openSUSEDocker, Inc.The Linux FoundationFedora ProjectRed Hat, Inc.
Product-ubuntu_linuxopenshift_container_platformenterprise_linux_server_ausfedoraenterprise_linuxenterprise_linux_eusenterprise_linux_server_tusdockerruncleapn/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2020-11093
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.93% / 56.36%
||
7 Day CHG~0.00%
Published-24 Dec, 2020 | 20:05
Updated-04 Aug, 2024 | 11:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authorization bypass in Hyperledger Indy

Hyperledger Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In Hyperledger Indy before version 1.12.4, there is lack of signature verification on a specific transaction which enables an attacker to make certain unauthorized alterations to the ledger. Updating a DID with a nym transaction will be written to the ledger if neither ROLE or VERKEY are being changed, regardless of sender. A malicious DID with no particular role can ask an update for another DID (but cannot modify its verkey or role). This is bad because 1) Any DID can write a nym transaction to the ledger (i.e., any DID can spam the ledger with nym transactions), 2) Any DID can change any other DID's alias, 3) The update transaction modifies the ledger metadata associated with a DID.

Action-Not Available
Vendor-hyperledgerThe Linux Foundation
Product-indy-nodeindy-node
CWE ID-CWE-347
Improper Verification of Cryptographic Signature
CVE-2011-2964
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.8||MEDIUM
EPSS-4.96% / 91.12%
||
7 Day CHG~0.00%
Published-29 Jul, 2011 | 20:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

foomaticrip.c in foomatic-rip in foomatic-filters in Foomatic 4.0.6 allows remote attackers to execute arbitrary code via a crafted *FoomaticRIPCommandLine field in a .ppd file, a different vulnerability than CVE-2011-2697.

Action-Not Available
Vendor-n/aThe Linux Foundation
Product-foomaticn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-24421
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.93% / 56.19%
||
7 Day CHG~0.00%
Published-21 Jan, 2025 | 00:00
Updated-03 Jul, 2025 | 00:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A type confusion in the nas_message_decode function of Magma <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via a crafted NAS packet.

Action-Not Available
Vendor-n/aThe Linux Foundation
Product-magman/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-35926
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-8.1||HIGH
EPSS-1.89% / 77.01%
||
7 Day CHG~0.00%
Published-22 Jun, 2023 | 13:29
Updated-05 Dec, 2024 | 17:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insecure sandbox in Backstage Scaffolder plugin

Backstage is an open platform for building developer portals. The Backstage scaffolder-backend plugin uses a templating library that requires sandbox, as it by design allows for code injection. The library used for this sandbox so far has been `vm2`, but in light of several past vulnerabilities and existing vulnerabilities that may not have a fix, the plugin has switched to using a different sandbox library. A malicious actor with write access to a registered scaffolder template could manipulate the template in a way that allows for remote code execution on the scaffolder-backend instance. This was only exploitable in the template YAML definition itself and not by user input data. This is vulnerability is fixed in version 1.15.0 of `@backstage/plugin-scaffolder-backend`.

Action-Not Available
Vendor-backstageThe Linux Foundation
Product-backstagebackstage
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-35171
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.71% / 49.17%
||
7 Day CHG~0.00%
Published-06 Apr, 2026 | 17:45
Updated-14 Apr, 2026 | 15:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Arbitrary Code Execution via Malicious Logging Configuration in Kedro

Kedro is a toolbox for production-ready data science. Prior to 1.3.0, Kedro allows the logging configuration file path to be set via the KEDRO_LOGGING_CONFIG environment variable and loads it without validation. The logging configuration schema supports the special () key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during application startup. This is a critical remote code execution (RCE) vulnerability caused by unsafe use of logging.config.dictConfig() with user-controlled input. This vulnerability is fixed in 1.3.0.

Action-Not Available
Vendor-kedro-orgThe Linux Foundation
Product-kedrokedro
CWE ID-CWE-502
Deserialization of Untrusted Data
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-32613
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-10||CRITICAL
EPSS-0.55% / 42.12%
||
7 Day CHG~0.00%
Published-20 Apr, 2026 | 20:07
Updated-23 Apr, 2026 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Spinnaker vulnerable to RCE via expression parsing due to unrestricted context handling

Spinnaker is an open source, multi-cloud continuous delivery platform. Echo like some other services, uses SPeL (Spring Expression Language) to process information - specifically around expected artifacts. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, unlike orca, it was NOT restricting that context to a set of trusted classes, but allowing FULL JVM access. This enabled a user to use arbitrary java classes which allow deep access to the system. This enabled the ability to invoke commands, access files, etc. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable echo entirely.

Action-Not Available
Vendor-spinnakerThe Linux Foundation
Product-spinnakerspinnaker
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-29186
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.78% / 51.51%
||
7 Day CHG+0.31%
Published-07 Mar, 2026 | 15:03
Updated-30 Jun, 2026 | 12:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
@backstage/plugin-techdocs-node: TechDocs Mkdocs Configuration Key Enables Arbitrary Code Execution

Backstage is an open framework for building developer portals. Prior to version 1.14.3, this is a configuration bypass vulnerability that enables arbitrary code execution. The @backstage/plugin-techdocs-node package uses an allowlist to filter dangerous MkDocs configuration keys during the documentation build process. A gap in this allowlist allows attackers to craft an mkdocs.yml that causes arbitrary Python code execution, completely bypassing TechDocs' security controls. This issue has been patched in version 1.14.3.

Action-Not Available
Vendor-backstageThe Linux FoundationRed Hat, Inc.
Product-backstage_plugin-techdocs-nodebackstageSelf-service automation portal 2Red Hat Developer Hub 1.9Red Hat Developer Hub 1.8
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-791
Incomplete Filtering of Special Elements
CVE-2026-25153
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.54% / 41.51%
||
7 Day CHG+0.18%
Published-30 Jan, 2026 | 21:31
Updated-30 Jun, 2026 | 12:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
@backstage/plugin-techdocs-node vulnerable to arbitrary code execution via MkDocs hooks

Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1, when TechDocs is configured with `runIn: local`, a malicious actor who can submit or modify a repository's `mkdocs.yml` file can execute arbitrary Python code on the TechDocs build server via MkDocs hooks configuration. @backstage/plugin-techdocs-node versions 1.13.11 and 1.14.1 contain a fix. The fix introduces an allowlist of supported MkDocs configuration keys. Unsupported configuration keys (including `hooks`) are now removed from `mkdocs.yml` before running the generator, with a warning logged to indicate which keys were removed. Users of `@techdocs/cli` should also upgrade to the latest version, which includes the fixed `@backstage/plugin-techdocs-node` dependency. Some workarounds are available. Configure TechDocs with `runIn: docker` instead of `runIn: local` to provide container isolation, though it does not fully mitigate the risk. Limit who can modify `mkdocs.yml` files in repositories that TechDocs processes; only allow trusted contributors. Implement PR review requirements for changes to `mkdocs.yml` files to detect malicious `hooks` configurations before they are merged. Use MkDocs < 1.4.0 (e.g., 1.3.1) which does not support hooks. Note: This may limit access to newer MkDocs features. Building documentation in CI/CD pipelines using `@techdocs/cli` does not mitigate this vulnerability, as the CLI uses the same vulnerable `@backstage/plugin-techdocs-node` package.

Action-Not Available
Vendor-backstageThe Linux FoundationRed Hat, Inc.
Product-backstagebackstageSelf-service automation portal 2Red Hat Developer Hub 1.9Red Hat Developer Hub 1.8
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-24747
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-8.8||HIGH
EPSS-0.69% / 48.45%
||
7 Day CHG+0.07%
Published-27 Jan, 2026 | 21:13
Updated-30 Jun, 2026 | 12:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PyTorch Vulnerable to Remote Code Execution via Untrusted Checkpoint Files

PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(..., weights_only=True)`, can corrupt memory and potentially lead to arbitrary code execution. Version 2.10.0 fixes the issue.

Action-Not Available
Vendor-pytorchThe Linux FoundationRed Hat, Inc.
Product-pytorchpytorchRed Hat OpenShift AI 2.25Red Hat OpenShift AI (RHOAI)
CWE ID-CWE-502
Deserialization of Untrusted Data
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2025-5150
Matching Score-6
Assigner-VulDB
ShareView Details
Matching Score-6
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.56% / 42.69%
||
7 Day CHG~0.00%
Published-25 May, 2025 | 15:00
Updated-03 Jun, 2025 | 12:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
docarray Web API torch_dataset.py __getitem__ prototype pollution

A vulnerability was found in docarray up to 0.40.1. It has been rated as critical. Affected by this issue is the function __getitem__ of the file /docarray/data/torch_dataset.py of the component Web API. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-n/aThe Linux Foundation
Product-docarraydocarray
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2022-45907
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.19% / 64.23%
||
7 Day CHG~0.00%
Published-26 Nov, 2022 | 00:00
Updated-25 Apr, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line can cause arbitrary code execution because eval is used unsafely.

Action-Not Available
Vendor-n/aThe Linux Foundation
Product-pytorchn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2020-10753
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-1.63% / 73.26%
||
7 Day CHG~0.00%
Published-26 Jun, 2020 | 00:00
Updated-04 Aug, 2024 | 11:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made. Ceph versions 3.x and 4.x are vulnerable to this issue.

Action-Not Available
Vendor-The Linux FoundationRed Hat, Inc.Fedora ProjectopenSUSECanonical Ltd.
Product-ceph_storageubuntu_linuxopenstackfedoracephleapRed Hat Ceph Storage
CWE ID-CWE-113
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2026-9413
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.26% / 17.71%
||
7 Day CHG~0.00%
Published-25 May, 2026 | 01:15
Updated-26 May, 2026 | 13:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Indian Invoicing System category.php cross site scripting

A vulnerability was identified in SourceCodester Indian Invoicing System 1.0. The affected element is an unknown function of the file /Invoicing/category.php. The manipulation of the argument msg leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used.

Action-Not Available
Vendor-SourceCodester
Product-Indian Invoicing System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-9415
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.26% / 17.71%
||
7 Day CHG~0.00%
Published-25 May, 2026 | 01:45
Updated-26 May, 2026 | 19:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
code-projects Employee Management System eloginwel.php cross site scripting

A weakness has been identified in code-projects Employee Management System 1.0. This affects an unknown function of the file /eloginwel.php. This manipulation of the argument ID causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.

Action-Not Available
Vendor-Source Code & Projects
Product-Employee Management System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-9416
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.26% / 17.71%
||
7 Day CHG~0.00%
Published-25 May, 2026 | 02:00
Updated-29 May, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
code-projects Employee Management System myprofile.php cross site scripting

A security vulnerability has been detected in code-projects Employee Management System 1.0. This impacts an unknown function of the file /myprofile.php. Such manipulation of the argument ID leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.

Action-Not Available
Vendor-Source Code & Projects
Product-Employee Management System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-9417
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.26% / 17.71%
||
7 Day CHG~0.00%
Published-25 May, 2026 | 02:15
Updated-26 May, 2026 | 19:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
code-projects Employee Management System myprofileup.php cross site scripting

A vulnerability was detected in code-projects Employee Management System 1.0. Affected is an unknown function of the file /myprofileup.php. Performing a manipulation of the argument ID results in cross site scripting. The attack is possible to be carried out remotely. The exploit is now public and may be used.

Action-Not Available
Vendor-Source Code & Projects
Product-Employee Management System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-9418
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.26% / 17.71%
||
7 Day CHG~0.00%
Published-25 May, 2026 | 02:30
Updated-27 May, 2026 | 19:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
code-projects Employee Management System changepassemp.php cross site scripting

A flaw has been found in code-projects Employee Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /changepassemp.php. Executing a manipulation of the argument ID can lead to cross site scripting. The attack may be performed from remote. The exploit has been published and may be used.

Action-Not Available
Vendor-Source Code & Projects
Product-Employee Management System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-9419
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.26% / 17.71%
||
7 Day CHG~0.00%
Published-25 May, 2026 | 02:45
Updated-26 May, 2026 | 19:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
code-projects Employee Management System empproject.php cross site scripting

A vulnerability has been found in code-projects Employee Management System 1.0. Affected by this issue is some unknown functionality of the file /empproject.php. The manipulation of the argument ID leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-Source Code & Projects
Product-Employee Management System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-9448
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.34% / 25.54%
||
7 Day CHG~0.00%
Published-25 May, 2026 | 10:00
Updated-28 May, 2026 | 13:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
code-projects Employee Management System applyleave.php cross site scripting

A vulnerability was determined in code-projects Employee Management System 1.0. This affects an unknown function of the file /applyleave.php. Executing a manipulation of the argument ID can lead to cross site scripting. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.

Action-Not Available
Vendor-Source Code & Projects
Product-Employee Management System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-9518
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.34% / 25.54%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 00:30
Updated-29 May, 2026 | 14:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
hemant6488 CodeIgniter-StudentManagementSystem Students Controller view_students.php addStudent cross site scripting

A vulnerability was identified in hemant6488 CodeIgniter-StudentManagementSystem. The impacted element is the function addStudent of the file view_students.php of the component Students Controller. The manipulation of the argument Name leads to cross site scripting. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.

Action-Not Available
Vendor-hemant6488
Product-CodeIgniter-StudentManagementSystem
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-9520
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.34% / 25.54%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 01:30
Updated-27 May, 2026 | 19:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
blitz-js blitz Sign-in LoginForm.tsx cross site scripting

A weakness has been identified in blitz-js blitz up to 3.0.2 on GitHub. This impacts an unknown function of the file packages/generator/templates/app/src/app/auth/components/LoginForm.tsx of the component Sign-in. This manipulation of the argument Next causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-blitz-js
Product-blitz
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-9527
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.34% / 25.54%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 03:45
Updated-27 May, 2026 | 20:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
itsourcecode Electronic Judging System judges.php cross site scripting

A vulnerability was determined in itsourcecode Electronic Judging System 1.0. This issue affects some unknown processing of the file /admin/judges.php. This manipulation of the argument fname causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.

Action-Not Available
Vendor-ITSourceCode
Product-Electronic Judging System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-9566
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.28% / 19.98%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 17:00
Updated-27 May, 2026 | 13:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
teableio teable Sign-up LoginPage.tsx cross site scripting

A vulnerability was identified in teableio teable up to 1.9.x. This impacts an unknown function of the file apps/nextjs-app/src/features/auth/pages/LoginPage.tsx of the component Sign-up. The manipulation of the argument redirect leads to cross site scripting. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. Upgrading to version release.2026-04-21T08-57-20Z.1513 will fix this issue. The affected component should be upgraded. The vendor confirms: "The default branch of teableio/teable is develop, and the reported login redirect issue has already been fixed there. The login redirect flow now validates the redirect parameter with isValidRedirectPath() before navigation, which blocks javascript:, data:, and cross-origin redirects."

Action-Not Available
Vendor-teableio
Product-teable
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2019-16254
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-4.57% / 90.46%
||
7 Day CHG~0.00%
Published-26 Nov, 2019 | 00:00
Updated-05 Aug, 2024 | 01:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.

Action-Not Available
Vendor-n/aDebian GNU/LinuxRuby
Product-debian_linuxrubyn/a
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2025-2361
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.49% / 38.34%
||
7 Day CHG~0.00%
Published-17 Mar, 2025 | 04:31
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mercurial SCM Web Interface cross site scripting

A vulnerability was found in Mercurial SCM 4.5.3/71.19.145.211. It has been declared as problematic. This vulnerability affects unknown code of the component Web Interface. The manipulation of the argument cmd leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Mercurial
Product-SCM
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2019-16645
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.6||HIGH
EPSS-8.18% / 94.18%
||
7 Day CHG~0.00%
Published-20 Sep, 2019 | 18:24
Updated-05 Aug, 2024 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Embedthis GoAhead 2.5.0. Certain pages (such as goform/login and config/log_off_page.htm) create links containing a hostname obtained from an arbitrary HTTP Host header sent by an attacker. This could potentially be used in a phishing attack.

Action-Not Available
Vendor-embedthisn/a
Product-goaheadn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2025-2354
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.37% / 29.20%
||
7 Day CHG~0.00%
Published-17 Mar, 2025 | 00:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
VAM Virtual Airlines Manager index.php cross site scripting

A vulnerability has been found in VAM Virtual Airlines Manager 2.6.2 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /vam/index.php. The manipulation of the argument registry_id/plane_icao/hub_id leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-VAM
Product-Virtual Airlines Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-7401
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.32% / 23.81%
||
7 Day CHG~0.00%
Published-29 Apr, 2026 | 19:15
Updated-29 Apr, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester CET Automated Grading System with AI Predictive Analytics Registration index.php register cross site scripting

A vulnerability was detected in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This vulnerability affects unknown code of the file /index.php?action=register of the component Registration. The manipulation of the argument student_id/full_name/section/username results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used.

Action-Not Available
Vendor-SourceCodester
Product-CET Automated Grading System with AI Predictive Analytics
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-7596
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.38% / 29.73%
||
7 Day CHG~0.00%
Published-01 May, 2026 | 21:00
Updated-05 May, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
nextlevelbuilder ui-ux-pro-max-skill Slide Generator generate-slide.py data.get cross site scripting

A vulnerability has been found in nextlevelbuilder ui-ux-pro-max-skill up to 2.5.0. Affected by this issue is the function data.get of the file .claude/skills/design-system/scripts/generate-slide.py of the component Slide Generator. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through a pull request but has not reacted yet.

Action-Not Available
Vendor-nextlevelbuilder
Product-ui-ux-pro-max-skill
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-9519
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.34% / 25.54%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 00:45
Updated-26 May, 2026 | 19:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
stonith404 pingvin-share Sign-in Auto-Redirect signIn.tsx getServerSideProps cross site scripting

A security flaw has been discovered in stonith404 pingvin-share up to 1.13.0. This affects the function getServerSideProps of the file frontend/src/pages/auth/signIn.tsx of the component Sign-in Auto-Redirect. The manipulation of the argument redirect results in cross site scripting. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-stonith404
Product-pingvin-share
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-8117
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.27% / 18.50%
||
7 Day CHG~0.00%
Published-07 May, 2026 | 23:45
Updated-08 May, 2026 | 11:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Pizzafy Ecommerce System index.php cross site scripting

A security vulnerability has been detected in SourceCodester Pizzafy Ecommerce System 1.0. This issue affects some unknown processing of the file /admin/index.php. Such manipulation of the argument page leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.

Action-Not Available
Vendor-SourceCodester
Product-Pizzafy Ecommerce System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2019-16771
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.98% / 57.97%
||
7 Day CHG~0.00%
Published-06 Dec, 2019 | 19:00
Updated-05 Aug, 2024 | 01:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') in Armeria

Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized data is used to populate the headers of an HTTP response. This vulnerability has been patched in 0.97.0. Potential impacts of this vulnerability include cross-user defacement, cache poisoning, Cross-site scripting (XSS), and page hijacking.

Action-Not Available
Vendor-linecorpLINE
Product-armeriaArmeria
CWE ID-CWE-113
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2026-8195
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.27% / 18.50%
||
7 Day CHG~0.00%
Published-09 May, 2026 | 20:00
Updated-11 May, 2026 | 15:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
JeecgBoot SVG File CommonController.java cross site scripting

A vulnerability was detected in JeecgBoot up to 3.9.1. The affected element is an unknown function of the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/CommonController.java of the component SVG File Handler. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-n/a
Product-JeecgBoot
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2013-7324
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-1.43% / 69.80%
||
7 Day CHG~0.00%
Published-17 Feb, 2020 | 18:24
Updated-06 Aug, 2024 | 18:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Webkit-GTK 2.x (any version with HTML5 audio/video support based on GStreamer) allows remote attackers to trigger unexpectedly high sound volume via malicious javascript. NOTE: this WebKit-GTK behavior complies with existing W3C standards and existing practices for GNOME desktop integration.

Action-Not Available
Vendor-webkitgtkn/a
Product-webkitgtkn/a
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2026-6032
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.36% / 27.79%
||
7 Day CHG~0.00%
Published-10 Apr, 2026 | 07:15
Updated-24 Apr, 2026 | 18:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
code-projects Simple Laundry System checkcheckout.php cross site scripting

A vulnerability was found in code-projects Simple Laundry System 1.0. This impacts an unknown function of the file /checkcheckout.php. Performing a manipulation of the argument serviceId results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been made public and could be used.

Action-Not Available
Vendor-Source Code & Projects
Product-Simple Laundry System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-6034
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.34% / 25.60%
||
7 Day CHG~0.00%
Published-10 Apr, 2026 | 07:45
Updated-24 Apr, 2026 | 18:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
code-projects Vehicle Showroom Management System ProfitAndLossReport.php cross site scripting

A flaw has been found in code-projects Vehicle Showroom Management System 1.0. Impacted is an unknown function of the file /BranchManagement/ProfitAndLossReport.php. Executing a manipulation of the argument BRANCH_ID can lead to cross site scripting. The attack may be launched remotely. The exploit has been published and may be used.

Action-Not Available
Vendor-Source Code & Projects
Product-Vehicle Showroom Management System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-6035
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.34% / 25.60%
||
7 Day CHG~0.00%
Published-10 Apr, 2026 | 08:00
Updated-24 Apr, 2026 | 18:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
code-projects Vehicle Showroom Management System ServiceAndSalesReport.php cross site scripting

A vulnerability has been found in code-projects Vehicle Showroom Management System 1.0. The affected element is an unknown function of the file /BranchManagement/ServiceAndSalesReport.php. The manipulation of the argument BRANCH_ID leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-Source Code & Projects
Product-Vehicle Showroom Management System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2020-25768
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.82% / 52.73%
||
7 Day CHG+0.01%
Published-07 Oct, 2020 | 20:37
Updated-04 Aug, 2024 | 15:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Contao before 4.4.52, 4.9.x before 4.9.6, and 4.10.x before 4.10.1 have Improper Input Validation. It is possible to inject insert tags in front end forms which will be replaced when the page is rendered.

Action-Not Available
Vendor-n/aContao Association
Product-contaon/a
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-20
Improper Input Validation
CVE-2026-6150
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.26% / 17.71%
||
7 Day CHG~0.00%
Published-13 Apr, 2026 | 02:00
Updated-24 Apr, 2026 | 17:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
code-projects Simple Laundry System checkupdatestatus.php cross site scripting

A vulnerability has been found in code-projects Simple Laundry System 1.0. This affects an unknown part of the file /checkupdatestatus.php. The manipulation of the argument serviceId leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-Source Code & Projects
Product-Simple Laundry System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-6159
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.27% / 18.50%
||
7 Day CHG~0.00%
Published-13 Apr, 2026 | 04:15
Updated-24 Apr, 2026 | 17:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
code-projects Simple ChatBox Endpoint insert.php cross site scripting

A vulnerability has been found in code-projects Simple ChatBox up to 1.0. Affected by this vulnerability is an unknown functionality of the file /chatbox/insert.php of the component Endpoint. Such manipulation of the argument msg leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-Source Code & Projects
Product-Simple ChatBox
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-6218
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.28% / 19.63%
||
7 Day CHG~0.00%
Published-13 Apr, 2026 | 20:30
Updated-22 Apr, 2026 | 20:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
aandrew-me ytDownloader Error Details Panel createTextNode cross site scripting

A vulnerability was found in aandrew-me ytDownloader up to 3.20.2. Affected by this issue is the function createTextNode of the component Error Details Panel. The manipulation results in cross site scripting. The attack may be performed from remote. The vendor was contacted early about this disclosure.

Action-Not Available
Vendor-aandrew-me
Product-ytDownloader
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-6559
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.27% / 17.91%
||
7 Day CHG~0.00%
Published-19 Apr, 2026 | 05:15
Updated-22 Apr, 2026 | 20:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Wavlink WL-WN579A3 login.cgi sub_401F80 cross site scripting

A weakness has been identified in Wavlink WL-WN579A3 220323. This affects the function sub_401F80 of the file /cgi-bin/login.cgi. This manipulation of the argument Hostname causes cross site scripting. Remote exploitation of the attack is possible. Upgrading the affected component is recommended. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Action-Not Available
Vendor-WAVLINK Technology Ltd.
Product-WL-WN579A3
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2013-4578
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-5.3||MEDIUM
EPSS-2.43% / 82.26%
||
7 Day CHG~0.00%
Published-29 Dec, 2017 | 22:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

jarsigner in OpenJDK and Oracle Java SE before 7u51 allows remote attackers to bypass a code-signing protection mechanism and inject unsigned bytecode into a signed JAR file by leveraging improper file validation.

Action-Not Available
Vendor-n/aOracle Corporation
Product-jdkjren/a
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2026-7089
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.38% / 29.68%
||
7 Day CHG~0.00%
Published-27 Apr, 2026 | 05:00
Updated-27 Apr, 2026 | 13:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
code-projects Home Service System Appointment Booking booking.php cross site scripting

A security vulnerability has been detected in code-projects Home Service System 1.0. The impacted element is an unknown function of the file /booking.php of the component Appointment Booking. The manipulation of the argument fname/lname leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.

Action-Not Available
Vendor-Source Code & Projects
Product-Home Service System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-7095
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.27% / 19.06%
||
7 Day CHG~0.00%
Published-27 Apr, 2026 | 06:30
Updated-27 Apr, 2026 | 12:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
code-projects Employee Management System edit.php cross site scripting

A vulnerability was identified in code-projects Employee Management System 1.0. This affects an unknown part of the file 370project/edit.php. The manipulation of the argument ID leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.

Action-Not Available
Vendor-Source Code & Projects
Product-Employee Management System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-7116
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.27% / 19.06%
||
7 Day CHG~0.00%
Published-27 Apr, 2026 | 10:45
Updated-29 Apr, 2026 | 13:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
code-projects Employee Management System mark.php cross site scripting

A security flaw has been discovered in code-projects Employee Management System 1.0. This issue affects some unknown processing of the file 370project/mark.php. Performing a manipulation results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks.

Action-Not Available
Vendor-Source Code & Projects
Product-Employee Management System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-7129
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.26% / 17.71%
||
7 Day CHG~0.00%
Published-27 Apr, 2026 | 13:45
Updated-27 Apr, 2026 | 14:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Pharmacy Sales and Inventory System index.php cross site scripting

A vulnerability was detected in SourceCodester Pharmacy Sales and Inventory System 1.0. Impacted is an unknown function of the file /index.php?page=categories. Performing a manipulation of the argument ID results in cross site scripting. The attack is possible to be carried out remotely. The exploit is now public and may be used.

Action-Not Available
Vendor-SourceCodester
Product-Pharmacy Sales and Inventory System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 7
  • 8
  • Next
Details not found