
7 matches found

EUVD
added 2026/04/08 7:15 p.m., 2 views

EUVD-2026-20485

CI4MS has stored XSS in Pages Content Due to Missing htmlpurify Sanitization...

CVSS 5.5, AI score 5.9, EPSS 0.00014
Exploits: 1, References: 3

Positive Technologies
added 2026/03/25 12:0 a.m., 2 views

PT-2026-28145

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, five insurance company REST API routes are missing the RestConfig::request authorization check call that every other data-modifying route in the standard API uses. Th...

CVSS 5.4, AI score 5.8, EPSS 0.00016
Exploits: 0, References: 4

NVD
added 2026/01/16 12:16 a.m., 1 views

CVE-2021-47800

b2evolution 7.2.2 contains a cross-site request forgery vulnerability that allows attackers to modify admin account details without authentication. Attackers can craft a malicious HTML form to submit unauthorized changes to user profiles by tricking victims into loading a specially crafted webpag...

CVSS 6.9, EPSS 0.00011
Exploits: 0, References: 5

CVE
added 2025/06/13 5:4 p.m., 46 views

CVE-2025-49583

XWiki (platform) vulnerability CVE-2025-49583 involves a user without script-right creating a document containing an XWiki.Notifications.Code.NotificationEmailRendererClass object. When an admin later edits and saves that document, the email templates in this object are used for notifications. Th...

CVSS 5.1, AI score 6.7, EPSS 0.00043
Exploits: 1, References: 3, Affected Software: 1

ATTACKERKB
added 2023/04/24 8:15 a.m., 1 views

CVE-2023-31045

A stored cross-site scripting (XSS) issue in Text Editors and Formats in Backdrop CMS before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via the name parameter. When a user is editing any content type (e.g., page, post, or card) as an admin, the stored XSS payload is execute...

CVSS 4.8, AI score 6.1, EPSS 0.00206
Exploits: 1, References: 3

OSV
added 2022/04/04 4:15 p.m., 1 views

CVE-2022-0830

The FormBuilder WordPress plugin through 1.08 does not have CSRF checks in place when creating/updating and deleting forms, and does not sanitise as well as escape its form field values. As a result, attackers could make a logged-in admin update and delete arbitrary forms via a CSRF attack, and put...

CVSS 6.5, AI score 5.9
Exploits: 0, References: 1

CVE
added 2019/08/21 7:36 p.m., 66 views

CVE-2019-5638

Summary: CVE-2019-5638 relates to Rapid7 Nexpose/InsightVM where an administrator’s security edits (e.g., password changes) do not terminate existing sessions, allowing a previously compromised user to remain logged in. Affected versions (per sources): Nexpose 6.5.50 and prior; InsightVM/Nexpose ...

CVSS 8.7, AI score 6, EPSS 0.00256
Exploits: 0, References: 2, Affected Software: 1