#js

A prototype pollution vulnerability in MrSwitch hello.js prior to version 1.18.8 allows remote attackers to execute arbitrary code via `hello.utils.extend` function.

An issue was discovered in QPDF version 10.0.4, allows remote attackers to execute arbitrary code via crafted .pdf file to Pl_ASCII85Decoder::write parameter in libqpdf.

Cross Site Scripting (XSS) vulnerability in Name Input Field in Contact Us form in Laborator Kalium before 3.0.4, allows remote attackers to execute arbitrary code.

SQL Injection in pear-admin-think version 2.1.2, allows attackers to execute arbitrary code and escalate privileges via crafted GET request to Crud.php.

An issue was discovered in FoldingAtHome Client Advanced Control GUI before commit 9b619ae64443997948a36dda01b420578de1af77, allows remote attackers to execute arbitrary code via crafted payload to function parse_message in file Connection.py.

Cross Site Scripting (XSS) vulnerability in content1 parameter in demo.jsp in kindsoft kindeditor version 4.1.12, allows attackers to execute arbitrary code.

Cross Site Scripting (XSS) vulnerability in UserController.php in ThinkCMF version 5.1.5, allows attackers to execute arbitrary code via crafted user_login.

Cross Site Scripting (XSS) vulnerability in Query Report feature in Zoho ManageEngine Password Manager Pro version 11001, allows remote attackers to execute arbitrary code and steal cookies via crafted JavaScript payload.

Cross Site Scripting (XSS) vulnerability in margox braft-editor version 2.3.8, allows remote attackers to execute arbitrary code via the embed media feature.

File Upload vulnerability in bloofoxCMS version 0.5.2.1, allows remote attackers to execute arbitrary code and escalate privileges via crafted webshell file to upload module.