9.8

CVSS3.1

CVE-2026-22583 - Argument Injection in Salesforce Marketing Cloud Engagement CloudPagesUrl Module

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (CloudPagesUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.

📅 Published: Jan. 24, 2026, 12:20 a.m. 🔄 Last Modified: April 18, 2026, 3:15 a.m.

9.8

CVSS3.1

CVE-2026-22582 - Improper Neutralization of Argument Delimiters in a Command Leading to Web Services Protocol Manipu…

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (MicrositeUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.

📅 Published: Jan. 24, 2026, 12:19 a.m. 🔄 Last Modified: April 18, 2026, 3:15 a.m.

9.8

CVSS3.1

CVE-2026-22586 - Hard‑coded Cryptographic Key Allows Web Services Protocol Manipulation in Salesforce Marketing Clou…

Hard-coded Cryptographic Key vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January …

📅 Published: Jan. 24, 2026, 12:17 a.m. 🔄 Last Modified: April 18, 2026, 3:15 a.m.

9.8

CVSS3.1

CVE-2026-22585 - Risky Cryptographic Algorithm Enables Web Services Protocol Manipulation in Salesforce Marketing Cl…

Use of a Broken or Risky Cryptographic Algorithm vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagem…

📅 Published: Jan. 24, 2026, 12:15 a.m. 🔄 Last Modified: April 18, 2026, 3:15 p.m.

9.3

CVSS3.1

CVE-2026-24399 - ChatterMate has Stored Cross-Site Scripting (XSS) via Chatbot Input Execution

ChatterMate is a no-code AI chatbot agent framework. In versions 1.0.8 and below, the chatbot accepts and executes malicious HTML/JavaScript payloads when supplied as chat input. Specifically, an <iframe> payload containing a javascript: URI can be processed and executed in the browser context. Thi…

📅 Published: Jan. 24, 2026, 12:05 a.m. 🔄 Last Modified: April 18, 2026, 3:15 a.m.

2.7

CVSS3.1

CVE-2026-24140 - MyTube has Mass Assignment via Settings Management

MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below have a Mass Assignment vulnerability in the settings management functionality due to insufficient input validation. The application's saveSettings() function accepts arbitrary key-value pairs without…

📅 Published: Jan. 23, 2026, 11:59 p.m. 🔄 Last Modified: April 18, 2026, 8 p.m.

8.7

CVSS4.0

CVE-2026-24139 - MyTube Allows Unauthorized Database Export by Guest Users

MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below do not safeguard against authorization bypass, allowing guest users to download the complete application database. The application fails to properly validate user permissions on the database export e…

📅 Published: Jan. 23, 2026, 11:55 p.m. 🔄 Last Modified: April 18, 2026, 3:15 a.m.

5.3

CVSS4.0

CVE-2026-24474 - Dioxus Components has JavaScript injection via user-supplied IDs

Dioxus Components is a shadcn-style component library for the Dioxus app framework. Prior to commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a, `use_animated_open` formats a string for `eval` with an `id` that can be user supplied. Commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a patches the issue.

📅 Published: Jan. 23, 2026, 11:50 p.m. 🔄 Last Modified: April 18, 2026, 3:15 p.m.

8.7

CVSS4.0

CVE-2026-24136 - Saleor has an Insecure Direct Object Reference (IDOR) in GraphQL API

Saleor is an e-commerce platform. Versions 3.2.0 through 3.20.109, 3.21.0-a.0 through 3.21.44 and 3.22.0-a.0 through 3.22.28 have an Insecure Direct Object Reference (IDOR) vulnerability that allows unauthenticated actors to extract sensitive information in plain text. Orders created before Saleor…

📅 Published: Jan. 23, 2026, 11:38 p.m. 🔄 Last Modified: April 18, 2026, 3:15 a.m.

6.5

CVSS4.0

CVE-2026-24128 - XWiki Affected by Reflected Cross-Site Scripting (XSS) in Error Messages

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, and 17.5.0-rc-1 through 17.7.0 contain a reflected Cross-site Scripting (XSS) vulnerability, which allows an attacker to cr…

📅 Published: Jan. 23, 2026, 11:18 p.m. 🔄 Last Modified: April 18, 2026, 3:15 a.m.
Total results: 346671