By weakness (CWE)
CWE-94: related vulnerabilities
CVEs classified under CWE-94. Understanding the weakness class helps prioritize systemic fixes over one-off patches.
24 published vulnerabilities
- CVE-2026-10904HIGH 8.8
Google Chrome versions prior to 149.0.7827.53 contain a flaw in the V8 JavaScript engine that allows attackers to break out of the browser sandbox and run malicious code with full privileges. An attacker can exploit this by tricking a user into visiting a specially crafted website. Once triggered, the vulnerability bypasses Chrome's security boundary—the sandbox that normally isolates web content from the rest of the system—giving an attacker direct access to execute arbitrary code on the victim's machine.
- CVE-2026-10928HIGH 8.8
A script injection vulnerability in Google Chrome's Headless mode allows attackers to execute arbitrary code on a user's system through a malicious HTML page. The flaw requires user interaction—specifically, the victim must open a crafted webpage in an affected Chrome version—but once triggered, an attacker gains the same privileges as the user running the browser, including the ability to read files, modify data, or install malware.
- CVE-2026-1829HIGH 8.8
The Content Visibility for Divi Builder plugin for WordPress contains a critical flaw that allows attackers with basic WordPress user access to run arbitrary code on affected servers. The vulnerability exists in how the plugin processes a specific shortcode parameter without proper validation, creating a direct path to server compromise. Any WordPress installation using this plugin up to version 4.02 is at risk if it has users with Contributor access or higher privileges.
- CVE-2026-41249HIGH 8.2
CoreShop, a Pimcore-based eCommerce platform, contains a critical flaw in its GitHub Actions workflow configuration that allows attackers to execute arbitrary code on build infrastructure. The vulnerability stems from a workflow that accepts pull requests from untrusted sources but then executes scripts using code from those unverified pull requests. An attacker can simply submit a malicious pull request to trigger code execution on CoreShop's CI/CD runners, potentially compromising the build pipeline, stealing credentials, or injecting malicious code into releases.
- CVE-2026-42588HIGH 8.1
Apache ActiveMQ's web console exposes a remote interface (Jolokia) that allows authenticated users to interact with the message broker's management functions. An attacker who has legitimate access credentials can craft a specially formed network connector request that tricks the broker into loading and executing arbitrary code hidden in a Spring XML configuration file. The vulnerability exists because the broker doesn't properly validate the input before processing it, and Spring automatically instantiates code within those XML files before any security checks occur.
- CVE-2026-10175MEDIUM 6.3
A code injection vulnerability exists in Aider-AI Aider version 0.86.3 within the Architect Mode feature. An authenticated user can manipulate the editor_coder.run function in auth.py to inject and execute arbitrary code on the system. The flaw requires valid credentials to exploit but no additional user interaction, making it a direct threat to organizations using this development assistance tool. Public exploit code is already available.
- CVE-2026-44287MEDIUM 6.3
FastGPT, an AI Agent building platform, contains a sandbox escape vulnerability in versions before 4.15.0-beta1. The issue stems from an incomplete regex filter designed to block dynamic imports in a JavaScript sandbox environment. An attacker with valid platform access can craft a specially formatted import statement using block comments to bypass the filter, gaining the ability to execute arbitrary system commands within the sandbox container. This allows an authenticated user to break out of the intended sandbox isolation and run code with the permissions of the sandbox process.
- CVE-2026-10688MEDIUM 5.5
A code injection vulnerability exists in ahujasid blender-mcp, a tool used for integrating Blender with model context protocol systems. An authenticated attacker can inject and execute arbitrary code by manipulating the 'code' parameter passed to the execute_blender_code function in the server. The vulnerability has been publicly disclosed and exploit code is available. The project uses rolling releases, making it difficult to identify fixed versions; however, the maintainers have been notified but have not yet responded with a patch or mitigation guidance.
- CVE-2026-41159MEDIUM 5.3
Mermaid, a popular JavaScript library for creating diagrams from text, contains a CSS injection vulnerability in its configuration options. Attackers can inject malicious CSS through the fontFamily, themeCSS, and altFontFamily settings that breaks out of the intended diagram sandbox and affects the entire web page. This could enable page defacement or extraction of sensitive information through CSS selectors. The vulnerability affects versions before 10.9.6 and 11.15.0, and has been patched in those releases.
- CVE-2026-10153MEDIUM 4.3
A cross-site scripting (XSS) vulnerability has been identified in westboy CicadasCMS. The flaw exists in the Search function and can be exploited by manipulating a specific argument to inject malicious scripts. An attacker can send a crafted request to a vulnerable instance to execute arbitrary JavaScript in the context of other users' browsers, potentially stealing session data, credentials, or performing actions on their behalf. Exploitation requires user interaction (such as clicking a malicious link) but does not require authentication. A proof-of-concept has already been published, increasing practical risk.
- CVE-2026-10173MEDIUM 4.3
Orthanc Explorer 2 versions up to 1.12.0 contain a reflected cross-site scripting (XSS) vulnerability in the StudyList component. An attacker can craft a malicious URL with a specially crafted 'remote-source' parameter that, when visited by a user, executes arbitrary JavaScript in their browser within the context of the Orthanc application. This allows theft of session tokens, modification of data, or unauthorized actions performed on behalf of the victim. The vulnerability requires user interaction—a victim must click a malicious link—but can be exploited remotely without authentication.
- CVE-2026-10289MEDIUM 4.3
A cross-site scripting (XSS) vulnerability exists in Hotel and Tourism Reservation System version 1.0. An attacker can inject malicious scripts by manipulating parameters in the reservation form—specifically the name, email, people count, or booking number fields in the /ht/tour.php file. When a victim visits a crafted link or page, the injected script executes in their browser, potentially allowing session hijacking, credential theft, or defacement. Public exploits are available, increasing active exploitation risk.
- CVE-2026-10301MEDIUM 4.3
A reflected cross-site scripting (XSS) vulnerability exists in itsourcecode Fees Management System version 1.0. An attacker can craft a malicious URL containing JavaScript code in the 'page' parameter of index.php. When a user visits this link, the script executes in their browser, potentially allowing theft of session cookies, credential capture, or malware redirection. The vulnerability requires user interaction (clicking a link) but poses a meaningful risk to organizations running this system, especially those handling sensitive fee or financial data.
- CVE-2026-10810MEDIUM 4.3
A cross-site scripting (XSS) vulnerability exists in itsourcecode Fees Management System version 1.0 and earlier. The flaw is located in the /navbar.php file, where unsanitized input in the 'page' parameter allows an attacker to inject malicious scripts. An attacker can craft a malicious URL and trick a user into clicking it, causing the injected script to execute in the victim's browser. This could lead to session hijacking, credential theft, or malware distribution. Public exploit code is available, increasing the risk of opportunistic attacks.
- CVE-2026-10228LOW 3.5
A cross-site scripting (XSS) vulnerability exists in the raisulislamg4 student_management_system_by_php project. The flaw resides in the admission_form_check.php file, where user input passed through the Message parameter is not properly sanitized before being reflected in the web response. An authenticated attacker can craft malicious input that, when viewed by another user, executes arbitrary JavaScript in their browser. The vulnerability requires user interaction (clicking a malicious link) and affects only the integrity of data, not confidentiality or availability. Public exploit details are available, though the CVSS 3.5 score reflects the relatively constrained attack scenario requiring authentication and browser-based execution.
- CVE-2026-10234LOW 3.5
Mettle sendportal versions up to 3.0.1 contain a cross-site scripting (XSS) vulnerability in the Campaign Handler component. An authenticated attacker can inject malicious scripts through the content parameter in the /webview/ endpoint, potentially allowing them to steal session cookies, perform actions on behalf of users, or redirect users to malicious sites. The vulnerability requires user interaction to be effective and does not grant direct administrative access. Exploit code is publicly available, elevating practical risk despite the low CVSS score.
- CVE-2026-10244LOW 3.5
SourceCodester Pharmacy Sales and Inventory System version 1.0 contains a cross-site scripting (XSS) vulnerability in the medicine name creation function. An authenticated user can inject malicious script code through the medicine_name parameter, which executes in the context of other users' browsers. The vulnerability requires user interaction (clicking a link or visiting a page) to trigger, and an attacker must have valid login credentials to exploit it. Public exploits are now available.
- CVE-2026-10245LOW 3.5
SourceCodester Pharmacy Sales and Inventory System version 1.0 contains a cross-site scripting (XSS) vulnerability in its supplier creation functionality. An authenticated user can inject malicious code through the company name field when creating a supplier record. This code executes in the browsers of other users who view the supplier information, potentially allowing attackers to steal session tokens, redirect users to malicious sites, or perform unauthorized actions on their behalf. Public exploits for this vulnerability are already available.
- CVE-2026-10246LOW 3.5
A stored cross-site scripting (XSS) vulnerability exists in SourceCodester Pharmacy Sales and Inventory System version 1.0. An authenticated user can inject malicious scripts through the medicine presentation creation function, which are then executed in the browsers of other users who view that data. The attack requires user interaction and does not grant elevated privileges, but can be used to steal session tokens, redirect users, or perform actions on their behalf within the application.
- CVE-2026-10247LOW 3.5
A cross-site scripting (XSS) vulnerability exists in SourceCodester Pharmacy Sales and Inventory System version 1.0. An authenticated attacker can inject malicious scripts through the generic_name parameter in the create_generic_name function, which the application will then execute in users' browsers. This could allow the attacker to steal session cookies, hijack user accounts, or manipulate pharmacy data. The vulnerability requires user interaction to trigger and an authenticated account to exploit, limiting its immediate impact, but public exploit code is now available.
- CVE-2026-10567LOW 3.5
A stored cross-site scripting (XSS) vulnerability exists in 1Panel-dev CordysCRM versions up to 1.4.1. An authenticated attacker can inject malicious JavaScript into the Description field of the ModuleFormController, which will execute in the browsers of other users who view the affected module form. The vulnerability requires user interaction (viewing the crafted form) to trigger, and does not grant the attacker direct access to sensitive data or system functions. Upgrading to version 1.7.0 resolves the issue.
- CVE-2026-10112LOW 2.4
CVE-2026-10112 is a stored or reflected cross-site scripting (XSS) vulnerability in the Dashboard Page component of STUDENT-MANAGEMENT-SYSTEM version 1.0. An attacker with high privileges can inject malicious scripts through the Name parameter, which are then executed in the browsers of users who view the affected page. The vulnerability requires user interaction and has a low CVSS score of 2.4, but exploitation has already been disclosed publicly.
- CVE-2026-10514LOW 2.4
A cross-site scripting (XSS) vulnerability exists in CordysCRM versions up to 1.6.2. The flaw is located in a request parameter handling component and allows attackers with administrative privileges to inject malicious scripts that execute in users' browsers. While public exploit code is available, the attack requires both high-level credentials and user interaction (such as clicking a malicious link), significantly limiting real-world risk. Upgrading to version 1.7.0 resolves the issue.
- CVE-2026-10529LOW 2.4
A cross-site scripting (XSS) vulnerability has been discovered in westboy CicadasCMS affecting the Task Scheduling Management Module. The flaw exists in the ScheduleJobController component and can be triggered by an authenticated user with elevated privileges through a specially crafted request. While the vulnerability requires administrative or high-privilege access to exploit, the presence of user interaction (rendering) combined with public availability of exploit details elevates attention. The CMS uses a rolling release model, making definitive version tracking difficult, though the affected commit hash has been identified.