869 matches found
CVE-2026-38526
An authenticated arbitrary file upload vulnerability in the /admin/tinymce/upload endpoint of Webkul Krayin CRM v2.2.x allows attackers to execute arbitrary code via uploading a crafted PHP file...
PT-2026-32680
Name of the Vulnerable Software and Affected Versions: Webkul Krayin CRM versions 2.2.x. Description: An authenticated arbitrary file upload issue exists in the '/admin/tinymce/upload' endpoint. This allows authenticated attackers to upload a crafted PHP file, which can lead to remote code execution...
CVE-2023-45818
TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo and redo functionality. When a carefully-crafted HTML snippet passes the XSS sanitisation layer, it is manipulated as a string by internal trimming functions before...
CVE-2023-45819
TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s Notification Manager API. The vulnerability exploits TinyMCE's unfiltered notification system, which is used in error handling. The conditions for this exploit requires carefully craft...
CVE-2022-23494
tinymce is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the image plugin, which...
CVE-2025-23439
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in willshouse TinyMCE Extended Config tinymce-extended-config allows Reflected XSS. This issue affects TinyMCE Extended Config: from n/a through <= 0.1.0...
Cross-site Scripting (XSS)
Bagisto is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to insufficient validation of uploaded files in the TinyMCE image upload functionality, which allows an attacker with sufficient privileges to upload a crafted HTML file containing JavaScript that executes in a user’s...
EUVD-2025-202013
Cross-Site Request Forgery (CSRF) vulnerability in Alex Prokopenko / JustCoded Just TinyMCE Custom Styles just-tinymce-styles allows Cross Site Request Forgery. This issue affects Just TinyMCE Custom Styles: from n/a through <= 1.2.1...
CVE-2025-62871
Cross-Site Request Forgery (CSRF) vulnerability in Alex Prokopenko / JustCoded Just TinyMCE Custom Styles just-tinymce-styles allows Cross Site Request Forgery. This issue affects Just TinyMCE Custom Styles: from n/a through <= 1.2.1...
CVE-2025-62871 WordPress Just TinyMCE Custom Styles plugin <= 1.2.1 - Cross Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability in Alex Prokopenko / JustCoded Just TinyMCE Custom Styles just-tinymce-styles allows Cross Site Request Forgery. This issue affects Just TinyMCE Custom Styles: from n/a through <= 1.2.1...
CVE-2025-62871
CVE-2025-62871 : CSRF in the WordPress plugin “Just TinyMCE Custom Styles” (JustCoded) affects versions n/a through 1.2.1. The CVE entry states a Cross-Site Request Forgery vulnerability with a CVSS v3.1 base score of 4.3 (Network, Low attack complexity, User interaction required). Connected sour...
PT-2025-50016
Cross-Site Request Forgery (CSRF) vulnerability in Alex Prokopenko / JustCoded Just TinyMCE Custom Styles just-tinymce-styles allows Cross Site Request Forgery. This issue affects Just TinyMCE Custom Styles: from n/a through <= 1.2.1...
WordPress plugin Just TinyMCE Custom Styles cross-site request forgery vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A cross-site request...
WordPress Just TinyMCE Custom Styles plugin <= 1.2.1 - Cross Site Request Forgery (CSRF) vulnerability
Cross Site Request Forgery (CSRF) vulnerability discovered by Nabil Irawan in WordPress Plugin Just TinyMCE Custom Styles versions <= 1.2.1...
CVE-2025-62415
Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted HTML file containing embedded JavaScript. When viewed, the malicious code executes in the context of the...
EUVD-2025-34814
bagisto has a Cross Site Scripting (XSS) vulnerability in TinyMCE Image Upload (SVG)...
bagisto has a Cross Site Scripting (XSS) vulnerability in TinyMCE Image Upload (SVG)
Summary: In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted SVG file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser. Details: The underlying probl...
GHSA-FG89-G389-P346 bagisto has a Cross Site Scripting (XSS) vulnerability in TinyMCE Image Upload (SVG)
Summary: In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted SVG file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser. Details: The underlying probl...