37 matches found
CVE-2026-53946
Ghost (Node.js CMS) is affected in versions 6.19.4–6.21.1. During post re-render, Ghost fetches image dimensions by issuing an outbound HTTP request to the URL stored on an image card, without restricting allowed hosts. An authenticated staff user who can create or edit posts could point an image...
CVE-2026-6428
SQL Injection in reports/catalogueout.pl in Koha Community Koha through 22.11.37, 23.x, 24.x before 24.11.16, 25.05.x before 25.05.11, 25.11.x before 25.11.05, 26.05.x before 26.05.01, and 26.11.x before 26.11.00 allows an authenticated staff user with the Reports module flag to read arbitrary da...
CVE-2026-6428
CVE-2026-6428 describes an SQL injection in Koha’s reports/catalogue_out.pl up to versions 22.11.37, 23.x, 24.x before 24.11.16, 25.05.x before 25.05.11, 25.11.x before 25.11.05, 26.05.x before 26.05.01, and 26.11.x before 26.11.00. The vulnerability arises from a vulnerable sink that concatenate...
CVE-2026-23758
GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the ticket subject field that allows authenticated staff members to inject malicious JavaScript by manipulating the editsubject POST parameter. Attackers can inject XSS payloads through inadequate sanitization in...
CVE-2026-23756
GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the Troubleshooter module where the subject POST parameter is not sanitized in ControllerStep.InsertSubmit and EditSubmit before being rendered by ViewStep.RenderViewSteps. An authenticated staff member can inject...
EUVD-2026-23908
GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the Troubleshooter module where the subject POST parameter is not sanitized in ControllerStep.InsertSubmit and EditSubmit before being rendered by ViewStep.RenderViewSteps. An authenticated staff member can inject...
EUVD-2026-23910
GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the ticket subject field that allows authenticated staff members to inject malicious JavaScript by manipulating the editsubject POST parameter. Attackers can inject XSS payloads through inadequate sanitization in...
CVE-2026-23758
GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the ticket subject field that allows authenticated staff members to inject malicious JavaScript by manipulating the editsubject POST parameter. Attackers can inject XSS payloads through inadequate sanitization in...
CVE-2026-23756 GFI HelpDesk < 4.99.9 Stored XSS via Troubleshooter Step Subject
GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the Troubleshooter module where the subject POST parameter is not sanitized in ControllerStep.InsertSubmit and EditSubmit before being rendered by ViewStep.RenderViewSteps. An authenticated staff member can inject...
CVE-2026-23756
GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the Troubleshooter module where the subject POST parameter is not sanitized in ControllerStep.InsertSubmit and EditSubmit before being rendered by ViewStep.RenderViewSteps. An authenticated staff member can inject...
CVE-2026-23758 GFI HelpDesk < 4.99.9 Stored XSS via editsubject Parameter
GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the ticket subject field that allows authenticated staff members to inject malicious JavaScript by manipulating the editsubject POST parameter. Attackers can inject XSS payloads through inadequate sanitization in...
CVE-2026-23758
GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the ticket subject field that allows authenticated staff members to inject malicious JavaScript by manipulating the editsubject POST parameter. Attackers can inject XSS payloads through inadequate sanitization in...
CVE-2026-23758 GFI HelpDesk < 4.99.9 Stored XSS via editsubject Parameter
GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the ticket subject field that allows authenticated staff members to inject malicious JavaScript by manipulating the editsubject POST parameter. Attackers can inject XSS payloads through inadequate sanitization in...
CVE-2026-23758
GFI HelpDesk prior to 4.99.9 is affected by a stored XSS in the ticket subject via the editsubject POST parameter. The issue arises from insufficient sanitization in Controller_Ticket.EditSubmit(), which bypasses the incomplete SanitizeForXSS() method, permitting an authenticated staff member to ...
PT-2026-33815
GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the ticket subject field that allows authenticated staff members to inject malicious JavaScript by manipulating the editsubject POST parameter. Attackers can inject XSS payloads through inadequate sanitization in...
Exploit for Cross-site Scripting in Saleor
CVE-2026-23499: Saleor vulnerable to stored XSS via Unrestrict...
CVE-2026-39340
ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in PropertyTypeEditor.php, part of the administration functionality for managing property type categories People → Person Properties / Family Properties. The vulnerability was introduced whe...
CVE-2026-33933 Reflected XSS via Unescaped contextName Parameter in Custom Template Editor
OpenEMR is a free and open source electronic health records and medical practice management application. Starting in version 7.0.2.1 and prior to version 8.0.0.3, a reflected cross-site scripting XSS vulnerability in the custom template editor allows an attacker to execute arbitrary JavaScript in...
EUVD-2026-16040
OpenEMR is a free and open source electronic health records and medical practice management application. Starting in version 7.0.2.1 and prior to version 8.0.0.3, a reflected cross-site scripting XSS vulnerability in the custom template editor allows an attacker to execute arbitrary JavaScript in...
PT-2026-28153
OpenEMR is a free and open source electronic health records and medical practice management application. Starting in version 7.0.2.1 and prior to version 8.0.0.3, a reflected cross-site scripting XSS vulnerability in the custom template editor allows an attacker to execute arbitrary JavaScript in...