
108 matches found

CVE
added 2026/05/19 1:21 p.m. | 8 views

CVE-2025-40902

CVE-2025-40902 describes a Stored HTML Injection in the Guardian/CMC Users feature prior to 26.1.0. An authenticated admin can create a user whose username contains HTML tags; when a victim deletes a group containing that user, the injected HTML may render in the browser, enabling phishing and po...

CVSS 5.9 | AI score 5.8 | EPSS 0.00029
Exploits: 0 | References: 1 | Affected Software: 2
ATTACKERKB
added 2026/04/27 8:8 p.m. | 2 views

CVE-2026-7191

Improper use of the static-eval npm package in the open source solution qnabot-on-aws versions 7.2.4 and earlier may allow an authenticated administrator to execute arbitrary code within the fulfillment Lambda execution context by injecting a crafted conditional chaining expression via the Conten...

CVSS 8.6 | AI score 6.1 | EPSS 0.00102
Exploits: 0 | References: 3
Positive Technologies
added 2026/04/22 12:0 a.m. | 2 views

PT-2026-34298

Name of the Vulnerable Software and Affected Versions: Sentence To SEO versions prior to 1.1. Description: The Sentence To SEO plugin for WordPress contains a Stored Cross-Site Scripting issue. The problem occurs because the plugin fails to properly sanitize input and escape output for the 'Permanen...

CVSS 4.4 | AI score 5.9 | EPSS 0.00027
Exploits: 0 | References: 15
RedhatCVE
added 2026/04/20 7:23 p.m. | 1 view

CVE-2026-6439

The VideoZen plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.0.1. This is due to insufficient input sanitization and output escaping in the videozenconf function. The 'lang' POST parameter is stored directly via updateoption without any...

CVSS 4.4 | AI score 5.9 | EPSS 0.00043
Exploits: 0 | References: 1
Positive Technologies
added 2026/03/16 12:0 a.m. | 4 views

PT-2026-25852

Name of the Vulnerable Software and Affected Versions: SiYuan versions 3.6.0 and below. Description: SiYuan, a personal knowledge management system, has an issue in the globalCopyFiles API. This API reads source files using filepath.Abs without proper workspace boundary checks. It relies on the...

CVSS 6.8 | AI score 5.9 | EPSS 0.00095
Exploits: 1 | References: 9
NVD
added 2026/03/04 3:16 a.m. | 2 views

CVE-2026-3242

In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3dium for reporting...

CVSS 4.8 | EPSS 0.00011
Exploits: 1 | References: 2
ATTACKERKB
added 2026/03/04 1:21 a.m. | 2 views

CVE-2026-2289

The Taskbuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...

CVSS 4.4 | AI score 5.9 | EPSS 0.00011
Exploits: 0 | References: 7
CVE
added 2026/02/11 12:18 p.m. | 9 views

CVE-2025-54161

Technical details about CVE-2025-54161 are not publicly provided in the supplied documents; monitor for updates.

CVSS 6.9 | AI score 5.6 | EPSS 0.00147
Exploits: 0 | References: 1 | Affected Software: 1
OSV
added 2026/02/10 4:16 a.m. | 2 views

CVE-2026-24325

SAP BusinessObjects Enterprise does not sufficiently encode user-controlled inputs, leading to a Stored Cross-Site Scripting (XSS) vulnerability. This enables an admin user to inject malicious JavaScript into a website, and the injected script gets executed when the user visits the compromised page. Th...

CVSS 4.8 | AI score 5.8 | EPSS 0.00012
Exploits: 0 | References: 2
Cvelist
added 2025/10/23 9:37 a.m. | 4 views

CVE-2025-9981 Multiple Stored XSS in QuickCMS

QuickCMS is vulnerable to multiple Stored XSS in the slider editor functionality (sliders-form). A malicious attacker with admin privileges can inject arbitrary HTML and JS into the website, which will be rendered/executed on every page. By default the admin user is not able to add JavaScript into the website. T...

CVSS 4.8 | EPSS 0.00022
Exploits: 0 | References: 2
EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2008-6727

Malware in sbrugna...

CVSS 10 | AI score 6.1 | EPSS 0.0074
Exploits: 1 | References: 5
EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2009-2844

Malware in sbrugna...

CVSS 6.4 | AI score 6.1 | EPSS 0.01911
Exploits: 1 | References: 7
EUVD
added 2025/10/07 12:30 a.m. | 1 view

EUVD-2019-19265

Malware in sbrugna...

CVSS 6.1 | AI score 6.3 | EPSS 0.00229
Exploits: 1 | References: 5
EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2018-10853

Malware in sbrugna...

CVSS 4.8 | AI score 4.9 | EPSS 0.00269
Exploits: 0 | References: 4
EUVD
added 2025/10/07 12:30 a.m. | 1 view

EUVD-2021-22913

Malware in sbrugna...

CVSS 6.7 | AI score 6.6 | EPSS 0.00055
Exploits: 0 | References: 2
EUVD
added 2025/10/07 12:30 a.m. | 1 view

EUVD-2017-7364

Malware in sbrugna...

CVSS 4.8 | AI score 5.2 | EPSS 0.00219
Exploits: 3 | References: 2
EUVD
added 2025/10/03 8:7 p.m. | 1 view

EUVD-2022-3727

Malicious code in bioql PyPI...

CVSS 7.2 | AI score 7.2 | EPSS 0.0033
Exploits: 0 | References: 4
EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2023-31786

Malicious code in bioql PyPI...

CVSS 6.7 | AI score 6.7 | EPSS 0.00022
Exploits: 0 | References: 1
EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2023-31752

Malicious code in bioql PyPI...

CVSS 6.7 | AI score 6.7 | EPSS 0.00022
Exploits: 0 | References: 1
EUVD
added 2025/10/03 8:7 p.m. | 1 view

EUVD-2023-52481

Malicious code in bioql PyPI...

CVSS 2.7 | AI score 4 | EPSS 0.00102
Exploits: 0 | References: 1