Lucene search

36 matches found

CVE
added 2026/04/01 12:0 a.m. · 7 views

CVE-2026-29598

CVE-2026-29598 affects DDSN Interactive Acora CMS v10.7.1, with multiple stored XSS vulnerabilities in the submit_add_user.asp endpoint. The First Name and Last Name fields are injectable, allowing an attacker to have scripts/HTML executed in the context of the victim’s browser. The CVE entry spe...

5.4 CVSS · 6 AI score · 0.00033 EPSS
Exploits 0 · References 3

CVE
added 2026/03/30 12:0 a.m. · 5 views

CVE-2026-29597

CVE-2026-29597 affects DDSN Interactive Acora CMS v10.7.1. An editor-privileged user can force-browse and manipulate the file parameter of /Admin/file_manager/file_details.asp to access sensitive configuration files (e.g., cm3.xml), leaking credentials (system administrator, SMTP, database) and o...

6.5 CVSS · 6 AI score · 0.0004 EPSS
Exploits 0 · References 3

Vulnrichment
added 2026/03/30 12:0 a.m. · 2 views

CVE-2026-29597

DDSN Interactive cm3 Acora CMS version 10.7.1 contains an improper access control vulnerability. An editor-privileged user can access sensitive configuration files by force browsing the “/Admin/filemanager/filedetails.asp” endpoint and manipulating the “file” parameter. By referencing specific...

6 AI score · 0.0004 EPSS
Exploits 0 · References 3

Cvelist
added 2026/03/25 5:3 p.m. · 19 views

CVE-2026-2414

Authorization bypass through User-Controlled key vulnerability in HYPR Server allows Privilege Escalation. This issue affects Server: from 9.5.2 before 10.7.2...

8.6 CVSS · 0.00065 EPSS
Exploits 0 · References 1

CVE
added 2026/03/25 5:3 p.m. · 5 views

CVE-2026-2414

CVE-2026-2414 describes an authorization bypass vulnerability in HYPR Server via a user-controlled key, enabling privilege escalation. Affected versions are HYPR Server 9.5.2 prior to 10.7.2; remediation is to upgrade to 10.7.2 or later. The issue’s concrete impact and exploit specifics are not p...

9.8 CVSS · 5.8 AI score · 0.00065 EPSS
Exploits 0 · References 1 · Affected Software 1

Atlassian
added 2026/03/06 5:29 a.m. · 19 views

File Inclusion node-tar Dependency in Jira Software Data Center

This High severity File Inclusion vulnerability was introduced in versions 9.15.2, 9.16.0, 9.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.7.1, 11.0.0, 11.1.0, 11.2.0, and 11.3.1 of Jira Software Data Center. This File Inclusion vulnerability, with a CVSS Score of 8.2 and a CVS...

8.2 CVSS · 6 AI score · 0.00027 EPSS
Exploits 1

EUVD
added 2026/01/12 12:0 a.m. · 1 views

EUVD-2026-1916

A static password reset token in the password reset function of DDSN Interactive Acora CMS v10.7.1 allows attackers to arbitrarily reset the user password and execute a full account takeover via a replay attack...

10 CVSS · 6.7 AI score · 0.00074 EPSS
Exploits 0 · References 4

Snyk
added 2025/12/02 6:41 a.m. · 1 views

Arbitrary Code Injection

Overview: pywikibot is a Python MediaWiki Bot Framework. Affected versions of this package are vulnerable to Arbitrary Code Injection via the readPassword method in pywikibot.login, which used eval on password file entries. Each non-empty, non-comment line from the configured password file was...

9.8 CVSS · 7.6 AI score
Exploits 0 · References 3

RedhatCVE
added 2025/11/07 5:32 p.m. · 2 views

CVE-2025-64198

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in appscreo Easy Social Share Buttons easy-social-share-buttons3 allows Reflected XSS. This issue affects Easy Social Share Buttons: from n/a through 10.7.1...

7.1 CVSS · 6.4 AI score · 0.00031 EPSS
Exploits 0 · References 1

EUVD
added 2025/11/06 6:32 p.m. · 2 views

EUVD-2025-38056

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in appscreo Easy Social Share Buttons easy-social-share-buttons3 allows Reflected XSS. This issue affects Easy Social Share Buttons: from n/a through 10.7.1...

7.1 CVSS · 5.9 AI score · 0.00031 EPSS
Exploits 0 · References 2

NVD
added 2025/11/06 4:16 p.m. · 4 views

CVE-2025-64198

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in appscreo Easy Social Share Buttons easy-social-share-buttons3 allows Reflected XSS. This issue affects Easy Social Share Buttons: from n/a through 10.7.1...

7.1 CVSS · 0.00031 EPSS
Exploits 0 · References 1

CVE
added 2025/11/06 3:56 p.m. · 11 views

CVE-2025-64198

CVE-2025-64198 affects the WordPress plugin Easy Social Share Buttons (easy-social-share-buttons3). Affected versions are before 10.7.1. The vulnerability is described as cross-site scripting (XSS); the CVE entry notes Reflected XSS, while Red Hat/Wordfence records underscore an XSS issue in vers...

7.1 CVSS · 6 AI score · 0.00031 EPSS
Exploits 0 · References 1

Cvelist
added 2025/11/06 3:56 p.m. · 3 views

CVE-2025-64198 WordPress Easy Social Share Buttons plugin < 10.7.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in appscreo Easy Social Share Buttons easy-social-share-buttons3 allows Reflected XSS. This issue affects Easy Social Share Buttons: from n/a through 10.7.1...

7.1 CVSS · 0.00031 EPSS
Exploits 0 · References 1

CNNVD
added 2025/11/06 12:0 a.m. · 1 views

WordPress plugin Easy Social Share Buttons security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language. The platform has the ability to host personal blogging sites on PHP and MySQL based servers. WordPress plugin is an application plugin... A security...

7.1 CVSS · 5.9 AI score · 0.00031 EPSS
Exploits 0 · References 1

Positive Technologies
added 2025/11/06 12:0 a.m. · 2 views

PT-2025-45334

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in appscreo Easy Social Share Buttons easy-social-share-buttons3 allows Reflected XSS. This issue affects Easy Social Share Buttons: from n/a through 10.7.1...

7.1 CVSS · 6.4 AI score · 0.00031 EPSS
Exploits 0 · References 2

EUVD
added 2025/10/03 8:7 p.m. · 3 views

EUVD-2022-40800

Malicious code in bioql PyPI...

6.1 CVSS · 6.4 AI score · 0.00361 EPSS
Exploits 0 · References 1

ATTACKERKB
added 2024/04/22 12:0 a.m. · 93 views

CVE-2024-4040

A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code...

10 CVSS · 10 AI score · 0.94426 EPSS
In wild · Exploits 27 · References 8

CNNVD
added 2024/04/22 12:0 a.m. · 3 views

CrushFTP code injection vulnerability

CrushFTP is a file transfer server. A security vulnerability exists in CrushFTP versions prior to 10.7.1 and 11.1.0, which originates from a vulnerability that could allow a low-privileged remote attacker to read files from a file system other than the VFS sandbox...

10 CVSS · 6.7 AI score · 0.94426 EPSS
Exploits 22 · References 9

CVE
added 2023/05/09 8:45 p.m. · 55 views

CVE-2023-25831

CVE-2023-25831 is a reflected XSS in Esri Portal for ArcGIS. Affects Portal for ArcGIS versions 10.7.1 through 10.9.1 (per PT-2023-20337 and NVD/NVD-derived entries). The vulnerability arises when a crafted link could cause arbitrary JavaScript execution in a victim’s browser. The core issue is a...

6.1 CVSS · 6.2 AI score · 0.00535 EPSS
Exploits 0 · References 2 · Affected Software 1

Positive Technologies
added 2023/05/09 12:0 a.m. · 4 views

PT-2023-20337 · Esri · Esri Portal For Arcgis

Name of the Vulnerable Software and Affected Versions: Esri Portal for ArcGIS versions 10.7.1 through 10.9.1. Description: The issue allows a remote, unauthenticated attacker to create a crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim’s browser...

6.1 CVSS · 6.7 AI score · 0.00535 EPSS
Exploits 0 · References 5