CVE-2026-31859
Craft is a content management system (CMS). The fix for CVE-2025-35939 in craftcms/cms introduced a striptags call in src/web/User.php to sanitize return URLs before they are stored in the session. However, striptags only removes HTML tags (angle brackets) -- it does not inspect or filter URL schemes...
CVE-2026-29113 Craft has a potential information disclosure vulnerability in preview tokens
Craft is a content management system (CMS). Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an...
CVE-2025-24585 WordPress Event post plugin <= 5.9.7 - Stored Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bastien Ho Event post (event-post) allows Stored XSS. This issue affects Event post: from n/a through <= 5.9.7...
CVE-2025-24585
CVE-2025-24585 is a stored XSS vulnerability in the WordPress plugin “Event post” (N.O.U.S. Open Useful and Simple Event post), affecting versions up to and including 5.9.7. The issue arises from improper neutralization of input during web page generation, allowing stored cross-site scripting. Pu...
PT-2025-5423 · Unknown · N.O.U.S. Open Useful/Simple Event Post
Name of the Vulnerable Software and Affected Versions: N.O.U.S. Open Useful and Simple Event post versions n/a through 5.9.7 Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting. This allows for Stored XSS in the Even...
WordPress plugin Event post Cross-Site Scripting Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site scripting...
ManageEngine DeviceExpert 5.9.7 Build 5970 Hash Disclosure
Title: DeviceExpert v5.9.7 build 5970 PHP extracts Credentials Vulnerability | Author: indoushka | Tested on: Windows 10 FrPro / browser: Mozilla Firefox...
PT-2024-15934 · WordPress · Essential Addons For Elementor
Name of the Vulnerable Software and Affected Versions: The Essential Addons for Elementor plugin for WordPress versions up to, and including, 5.9.7 Description: The issue is related to Stored Cross-Site Scripting, which occurs due to insufficient input sanitization and output escaping on...
PT-2023-26245 · WordPress · Gutenberg +1
Name of the Vulnerable Software and Affected Versions: WordPress core versions 5.9 through 5.9.7; 6.0 through 6.0.5; 6.1 through 6.1.3; 6.2 through 6.2.2; 6.3 through 6.3.1; Gutenberg plugin versions = 16.8...
WordPress Unspecified Vulnerability (May 2023) - Linux
WordPress is prone to an unspecified vulnerability. SPDX-FileCopyrightText: 2023 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. CPE = "cpe:/a:wordpress:wordpress";...
WordPress Unspecified Vulnerability (May 2023) - Windows
WordPress is prone to an unspecified vulnerability. SPDX-FileCopyrightText: 2023 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. CPE = "cpe:/a:wordpress:wordpress";...
strongSwan 4.x < 5.9.8 DoS Vulnerability
strongSwan is prone to a denial of service (DoS) vulnerability. Copyright (C) 2022 Greenbone Networks GmbH. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later. This program is free software;...
CVE-2022-22782
The Zoom Client for Meetings for Windows prior to version 5.9.7, Zoom Rooms for Conference Room for Windows prior to version 5.10.0, Zoom Plugins for Microsoft Outlook for Windows prior to version 5.10.3, and Zoom VDI Windows Meeting Clients prior to version 5.9.6 were susceptible to a local...
CVE-2019-17333
The Web server component of TIBCO Software Inc.'s TIBCO EBX contains a vulnerability that theoretically allows authenticated users to perform stored cross-site scripting (XSS) attacks. Affected releases are TIBCO Software Inc.'s TIBCO EBX: versions 5.8.1.fixS and below, versions 5.9.3, 5.9.4, 5.9.5...
Qt 5.11.3 Released with Important Security Updates
Qt 5.11.3 is released today. As a patch release it does not add any new functionality, but provides important bug fixes, security updates and other improvements. Compared to Qt 5.11.2, the Qt 5.11.3 release provides fixes for over 100 bugs and it contains around 300 changes in total. For details ...
Arq 5.9.7 - Local Privilege Escalation
=begin As well as the other bugs affecting Arq " backupset = "0" * 40 hmac = "0" * 40 payload = sprintf "%s%s%s%s$%s%s\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00" +...
Arq Backup 5.9.7 Local Root Privilege Escalation
As well as the other bugs affecting Arq <= 5.9.6 there is also another issue with the suid-root restorer binaries in Arq for Mac. There are three of them and they are used to execute restores of backed up files from the various cloud providers. After reversing the inter-app protocol I discovered...
Haystack Arq for Mac 'setpermissions' function elevation of privilege vulnerability
Haystack Arq for Mac is Mac-based file backup software from Haystack Software, USA. auto-updater is one of its components. An elevation of privilege vulnerability exists in the 'setpermissions' function of auto-updater in versions of Haystack Arq for Mac prior to 5.9.7. A local...
Cloud4Wi Splash Portal Cross-Site Scripting Vulnerability
Cloud4Wi is a suite of customer Wi-Fi service platforms from Cloud4Wi, Inc. in the U.S. Splash Portal is one of the Wi-Fi portals. A cross-site scripting vulnerability exists in Splash Portal in Cloud4Wi versions prior to 5.9.7. A remote attacker can exploit this vulnerability to inject arbitrary...
CVE-2015-4699
Cross-site scripting (XSS) vulnerability in the Splash Portal in Cloud4Wi before 5.9.7 allows remote attackers to inject arbitrary web script or HTML via the recoveryMessage parameter to the default URI...