Lucene search
+L

56 matches found

Github Security Blog
Github Security Blog
added 2026/04/08 7:15 p.m.9 views

CI4MS has stored XSS via Unescaped Blacklist Note in Admin User List

Summary The blacklist ban note parameter in UserController::ajaxblackListpost is stored in the database without sanitization and rendered into an HTML data-note attribute without escaping. An admin with blacklist privileges can inject arbitrary JavaScript that executes in the browser of any other...

4.8CVSS6.1AI score0.0023EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/04/08 7:15 p.m.6 views

GHSA-7CM9-V848-CFH2 CI4MS has stored XSS via Unescaped Blacklist Note in Admin User List

Summary The blacklist ban note parameter in UserController::ajaxblackListpost is stored in the database without sanitization and rendered into an HTML data-note attribute without escaping. An admin with blacklist privileges can inject arbitrary JavaScript that executes in the browser of any other...

4.8CVSS6AI score0.0023EPSS
Exploits1References4
Vulnrichment
Vulnrichment
added 2026/04/08 2:30 p.m.4 views

CVE-2026-39391 CI4MS has Stored XSS via Unescaped Blacklist Note in Admin User List

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the blacklist ban note parameter in UserController::ajaxblackListpost is stored in the database without sanitization and rendered into a...

4.8CVSS6AI score0.0023EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/04/08 2:30 p.m.26 views

CVE-2026-39391 CI4MS has Stored XSS via Unescaped Blacklist Note in Admin User List

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the blacklist ban note parameter in UserController::ajaxblackListpost is stored in the database without sanitization and rendered into a...

4.8CVSS0.0023EPSS
Exploits1References1
CVE
CVE
added 2026/04/08 2:30 p.m.12 views

CVE-2026-39391

CVE-2026-39391 affects CI4MS, a CodeIgniter 4-based CMS skeleton. Before 0.31.4.0, the blacklist (ban) note parameter stored in the database was rendered into an HTML data-note attribute without escaping, enabling a stored XSS when an admin with blacklist privileges views the user management page...

4.8CVSS6AI score0.0023EPSS
Exploits1References1Affected Software1
RedhatCVE
RedhatCVE
added 2026/03/04 1:57 a.m.4 views

CVE-2025-52475

Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting XSS vulnerability in the admin/userlist.php endpoint. The keywordinactive parameter is not properly sanitized, allowing attackers to inject malicious JavaScript through a crafted URL. This...

6.1CVSS5.7AI score0.00187EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/04 1:57 a.m.4 views

CVE-2025-52476

Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting XSS vulnerability due to improper sanitization of the keywordactive parameter in admin/userlist.php. This issue has been patched in version 1.11.30...

6.1CVSS5.7AI score0.00187EPSS
Exploits0References1
NVD
NVD
added 2026/03/02 4:16 p.m.6 views

CVE-2025-52475

Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting XSS vulnerability in the admin/userlist.php endpoint. The keywordinactive parameter is not properly sanitized, allowing attackers to inject malicious JavaScript through a crafted URL. This...

6.1CVSS0.00187EPSS
Exploits0References3
NVD
NVD
added 2026/03/02 4:16 p.m.10 views

CVE-2025-52476

Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting XSS vulnerability due to improper sanitization of the keywordactive parameter in admin/userlist.php. This issue has been patched in version 1.11.30...

6.1CVSS0.00187EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/03/02 3:49 p.m.30 views

CVE-2025-52475 Chamilo: Reflected XSS via keyword_inactive parameter

Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting XSS vulnerability in the admin/userlist.php endpoint. The keywordinactive parameter is not properly sanitized, allowing attackers to inject malicious JavaScript through a crafted URL. This...

5.1CVSS0.00187EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/03/02 3:49 p.m.2 views

CVE-2025-52475

Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting XSS vulnerability in the admin/userlist.php endpoint. The keywordinactive parameter is not properly sanitized, allowing attackers to inject malicious JavaScript through a crafted URL. This...

6.1CVSS5.7AI score0.00187EPSS
Exploits0References4Affected Software1
EUVD
EUVD
added 2026/03/02 3:49 p.m.7 views

EUVD-2025-208176

Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting XSS vulnerability in the admin/userlist.php endpoint. The keywordinactive parameter is not properly sanitized, allowing attackers to inject malicious JavaScript through a crafted URL. This...

5.1CVSS5.7AI score0.00187EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/03/02 3:49 p.m.4 views

CVE-2025-52475 Chamilo: Reflected XSS via keyword_inactive parameter

Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting XSS vulnerability in the admin/userlist.php endpoint. The keywordinactive parameter is not properly sanitized, allowing attackers to inject malicious JavaScript through a crafted URL. This...

5.1CVSS5.7AI score0.00187EPSS
Exploits0References3
CVE
CVE
added 2026/03/02 3:49 p.m.13 views

CVE-2025-52475

CVE-2025-52475 affects Chamilo LMS before 1.11.30. A reflected XSS exists in the admin/user_list.php endpoint where the keyword_inactive parameter is not properly sanitized, allowing an attacker to inject JavaScript via a crafted URL. The issue is patched in version 1.11.30. No exploitation detai...

6.1CVSS5.7AI score0.00187EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/03/02 3:49 p.m.7 views

CVE-2025-52475 Chamilo: Reflected XSS via keyword_inactive parameter

Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting XSS vulnerability in the admin/userlist.php endpoint. The keywordinactive parameter is not properly sanitized, allowing attackers to inject malicious JavaScript through a crafted URL. This...

5.1CVSS5.7AI score0.00187EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/03/02 3:49 p.m.23 views

CVE-2025-52476 Chamilo: Reflected XSS via keyword_active parameter

Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting XSS vulnerability due to improper sanitization of the keywordactive parameter in admin/userlist.php. This issue has been patched in version 1.11.30...

5.1CVSS0.00187EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/03/02 3:49 p.m.2 views

CVE-2025-52476 Chamilo: Reflected XSS via keyword_active parameter

Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting XSS vulnerability due to improper sanitization of the keywordactive parameter in admin/userlist.php. This issue has been patched in version 1.11.30...

5.1CVSS5.7AI score0.00187EPSS
Exploits0References3
CVE
CVE
added 2026/03/02 3:49 p.m.18 views

CVE-2025-52476

CVE-2025-52476 affects Chamilo LMS prior to version 1.11.30. The vulnerability is a reflected cross-site scripting (XSS) flaw caused by improper sanitization of the keyword_active parameter in admin/user_list.php. The issue is mitigated by upgrading to version 1.11.30, which patches the vulnerabi...

6.1CVSS5.7AI score0.00187EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 2026/03/02 3:49 p.m.6 views

EUVD-2025-208177

Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting XSS vulnerability due to improper sanitization of the keywordactive parameter in admin/userlist.php. This issue has been patched in version 1.11.30...

5.1CVSS5.7AI score0.00187EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/03/02 3:49 p.m.2 views

CVE-2025-52476

Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting XSS vulnerability due to improper sanitization of the keywordactive parameter in admin/userlist.php. This issue has been patched in version 1.11.30...

6.1CVSS5.7AI score0.00187EPSS
Exploits0References4Affected Software1
Rows per page
Query Builder