51 matches found
EUVD-2026-24157
October CMS: Reflected XSS via DataTable Form Widget...
October CMS: Reflected XSS via DataTable Form Widget
A reflected Cross-Site Scripting XSS vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. Impact - Reflected XSS only, no stored/persistent component - The backend URL prefix is customizable and must be known or guessed ...
CVE-2026-29179
CVE-2026-29179 affects the October CMS and Tailor editor extensions prior to versions 3.7.16 and 4.1.16. The vulnerability arises from insufficient fine-grained sub-permission checks for asset and blueprint file operations, allowing backend users who have editor access but are explicitly withheld...
CVE-2026-27937
October is a Content Management System CMS and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting XSS vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 and...
CVE-2026-27937 October: Reflected XSS via DataTable Form Widget
October is a Content Management System CMS and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting XSS vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 and...
CVE-2026-27937
CVE-2026-27937 concerns the October CMS platform. Affected versions prior to 3.7.16 and 4.1.16 have a vulnerability in the backend DataTable widget where a query parameter is rendered without proper output escaping, resulting in a reflected Cross-Site Scripting (XSS) condition. The root cause is ...
PT-2026-34005
Name of the Vulnerable Software and Affected Versions October versions prior to 3.7.16 October versions prior to 4.1.16 Description Fine-grained sub-permission checks for asset and blueprint file operations were not enforced in the CMS and Tailor editor extensions. This allows backend users who...
PT-2026-34004
October is a Content Management System CMS and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting XSS vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 and...
October 安全漏洞
October is an open-source content management system CMS and network platform developed by October. Versions prior to October 3.7.16 and 4.1.16 contained security vulnerabilities. These vulnerabilities stemmed from the lack of strict fine-grained sub-permissions checks, which could allow backend...
CVE-2026-6518
The CMP – Coming Soon & Maintenance Plugin by NiteoThemes plugin for WordPress is vulnerable to arbitrary file upload and remote code execution in all versions up to, and including, 4.1.16 via the cmpthemeupdateinstall AJAX action. This is due to the function only checking for the publishpages...
CVE-2026-6518
The CMP – Coming Soon & Maintenance Plugin by NiteoThemes plugin for WordPress is vulnerable to arbitrary file upload and remote code execution in all versions up to, and including, 4.1.16 via the cmpthemeupdateinstall AJAX action. This is due to the function only checking for the publishpages...
CVE-2026-6518 CMP – Coming Soon & Maintenance Plugin by NiteoThemes <= 4.1.16 - Missing Authorization to Authenticated (Administrator+) Arbitrary File Upload and Remote Code Execution
The CMP – Coming Soon & Maintenance Plugin by NiteoThemes plugin for WordPress is vulnerable to arbitrary file upload and remote code execution in all versions up to, and including, 4.1.16 via the cmpthemeupdateinstall AJAX action. This is due to the function only checking for the publishpages...
WordPress plugin CMP – Coming Soon & Maintenance Plugin by NiteoThemes 安全漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
Apache OpenOffice < 4.1.16 Multiple Vulnerabilities
The version of Apache OpenOffice installed on the remote host is prior to 4.1.16. It is, therefore, affected by multiple vulnerabilities, including: - Apache OpenOffice Calc spreadsheet can contain links to other files, in the form of 'external data sources'. A missing Authorization vulnerability...
CVE-2025-64406
An out-of-bounds Write vulnerability in Apache OpenOffice could allow an attacker to craft a document that would crash the program, or otherwise corrupt other memory areas. This issue affects Apache OpenOffice: through 4.1.15. Users are recommended to upgrade to version 4.1.16, which fixes the...
CVE-2025-64407
Apache OpenOffice documents can contain links. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. Such links could also be used to transmit system information, such as environment variable...
CVE-2025-64405
Apache OpenOffice documents can contain links. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of Apache OpenOffice, Calc spreadsheet containing DDE links to...
EUVD-2025-124979
Apache OpenOffice documents can contain links. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. Such links could also be used to transmit system information, such as environment variable...
CVE-2025-64407
Apache OpenOffice documents can contain links. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. Such links could also be used to transmit system information, such as environment variable...
CVE-2025-64407
Apache OpenOffice documents can contain links. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. Such links could also be used to transmit system information, such as environment variable...