cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write).
An Information Disclosure issue in Verodin Director 126.96.36.199 and earlier reveals usernames and passwords of integrated security technologies via a /integrations.json JSON REST API request.
There is Stored XSS in Verodin Director before 188.8.131.52 via input fields of certain tooltips, and on the Tags, Sequences, and Actors pages.
Reflected XSS exists in interface/forms/eye_mag/view.php in OpenEMR 5.x before 184.108.40.206 via the id parameter.
Reflected XSS in interface/forms/eye_mag/view.php in OpenEMR 5.x before 220.127.116.11 allows a remote attacker to execute arbitrary code in the context of a user’s session via the pid parameter.