CVE-2026-47099 is a DOM-based cross-site scripting issue in TeleJSON versions prior to 6.0.0. The problem is in the parse() flow used to recreate object prototypes: a malicious _constructor-name_ value can be passed into new Function() without sanitization, allowing attacker-controlled JavaScript to run when untrusted JSON is processed. The practical risk is highest in browser-facing applications that acc [truncated]
CVE-2026-27148 is a high-severity vulnerability affecting Storybook's dev server, which could allow attackers to hijack WebSocket connections and potentially lead to Remote Code Execution (RCE) or Cross-Site Scripting (XSS) attacks. The vulnerability exists due to the WebSocket functionality in Storybook's dev server not validating the origin of incoming connections. This allows a malicious site to send W [truncated]