protobufjs : Schema-derived names can shadow runtime-significant properties

@angular/compiler: Two-Way Property Binding Sanitization Bypass (XSS)

Angular: Template and Attribute Namespace Sanitization Bypass (XSS)

node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling)

launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows

JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases

@angular/service-worker: Request Credential & Cache Policy Stripping

@angular/core: Angular Template and Dynamic Component Namespace Bypass leading to Cross-Site Scripting (XSS)

Symfony: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes

Angular Service Worker Policy-Bypass & Credential-Stripping Vulnerabilities

Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's...

Mattermost Desktop App versions <=6.1 5.5.13.0 fail to account for attempting to open extremely long URLs in the Mattermost Desktop App which allows a malicious server owner to crash the application via including a script to call window.open on a very large URL. Mattermost Advisory ID: MMSA-2026-...

Impact: multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service when using diskStorage. Aborted or malformed multipart uploads leave orphaned partial files on disk because the Readable.pipe() call does not propagate the stream destroy signal to the underl...

Zephyr's native TCP stack iterates the global connection list in net_tcp_foreach() (subsys/net/ip/tcp.c) using the SYS_SLIST_FOR_EACH_CONTAINER_SAFE macro, which caches a pointer to the next list node. Prior to this fix the function released tcp_lock while invoking the per-connection callback a...

Contributor Cross Site Scripting (XSS) in Elizaibots <= 1.0.2 versions.

Administrator Cross Site Scripting (XSS) in WP Emmet <= 0.3.4 versions.

Mattermost Desktop App versions <=6.1 5.5.13.0 fail to restrict the allow list of domains to which NTLM credentials were forwarded to in the Mattermost Desktop App which allows any user on a server without the image proxy enabled to intercept other users credentials via embedding an image that ro...

Subscriber Broken Access Control in Really Simple SSL <= 9.5.9 versions.

Missing Authorization vulnerability in StylemixThemes MasterStudy LMS Pro allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects MasterStudy LMS Pro: from n/a before 4.7.16.

WordPress More Fields Plugin 2.1 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by disabling CSRF token validation. Attackers can craft malicious web pages that trick logged-in administrators into adding or deleting custom fields and boxes o...