1501 matches found
PT-2026-40818
Name of the Vulnerable Software and Affected Versions CVAT versions 2.5.0 through 2.63.0 Description An attacker with permissions to create or edit an annotation guide on a task can inject malicious JavaScript code. This code executes in the browser of any user who opens the affected guide,...
CVE-2021-47948
WordPress GetPaid Plugin 2.4.6 contains an HTML injection vulnerability that allows authenticated attackers to inject arbitrary HTML code by exploiting the Help Text field in payment forms. Attackers can inject malicious HTML including image tags and scripts into the Help Text field during paymen...
EUVD-2021-34808
WordPress GetPaid Plugin 2.4.6 contains an HTML injection vulnerability that allows authenticated attackers to inject arbitrary HTML code by exploiting the Help Text field in payment forms. Attackers can inject malicious HTML including image tags and scripts into the Help Text field during paymen...
CVE-2021-47948
The CVE-2021-47948 entry concerns WordPress GetPaid Plugin 2.4.6 with an HTML-injection vulnerability. It allows authenticated attackers to inject arbitrary HTML via the Help Text field in payment forms, with the injected HTML stored in the database and executed in the browser when the form is vi...
GHSA-FFQ5-QPVF-XQ7X OpenC3 COSMOS is Vulnerable to Self-XSS Through the Command Sender
Summary The Command Sender UI uses an unsafe eval function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in the victim’s session, if...
OpenC3 COSMOS is Vulnerable to Self-XSS Through the Command Sender
Summary The Command Sender UI uses an unsafe eval function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in the victim’s session, if...
CVE-2026-27674
Due to a Code Injection vulnerability in SAP NetWeaver Application Server Java Web Dynpro Java, an unauthenticated attacker could supply crafted input that is interpreted by the application and causes it to reference attacker-controlled content. If a victim accesses the affected functionality, th...
CVE-2026-26291
Stored cross-site scripting vulnerability exists in GROWI v7.4.6 and earlier. If this vulnerability is exploited, an arbitrary script may be executed in a user's web browser...
CVE-2026-27683
SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes in the user�s browser, potentially exposing restricted information. This results in a low impact...
CVE-2026-0512
Due to a Cross-Site Scripting XSS vulnerability in the SAP Supplier Relationship Management SICF Handler in SRM Catalog, an unauthenticated attacker could craft a malicious URL, that if accessed by a victim, results in execution of malicious content within the victim's browser. This could allow t...
EUVD-2026-22156
SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes in the user�s browser, potentially exposing restricted information. This results in a low impact...
CVE-2026-27674 Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java)
Due to a Code Injection vulnerability in SAP NetWeaver Application Server Java Web Dynpro Java, an unauthenticated attacker could supply crafted input that is interpreted by the application and causes it to reference attacker-controlled content. If a victim accesses the affected functionality, th...
CVE-2026-27674 Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java)
Due to a Code Injection vulnerability in SAP NetWeaver Application Server Java Web Dynpro Java, an unauthenticated attacker could supply crafted input that is interpreted by the application and causes it to reference attacker-controlled content. If a victim accesses the affected functionality, th...
PT-2026-32554
Name of the Vulnerable Software and Affected Versions SAP NetWeaver Application Server Java Web Dynpro Java affected versions not specified Description A code injection issue in the Web Dynpro Java component allows an unauthenticated attacker to provide crafted input that the application interpre...
PT-2026-32561
SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes in the user�s browser, potentially exposing restricted information. This results in a low impact...
GHSA-9PR4-RF97-79QH Note Mark has Stored XSS via Unrestricted Asset Upload
Summary A stored same-origin XSS vulnerability allows any authenticated user to upload an HTML, SVG, or XHTML file as a note asset and have it executed in a victim’s browser under the application’s origin. Because the application serves these files inline without a safe content type and without...
CVE-2026-6179 Stored Cross Site Scripting in NightWolf Penetration Testing Platform
Stored Cross Site Scripting in NightWolf Penetration Testing Platform allows attack trigger and run malicious script in user's browser...
CVE-2026-6179
Stored Cross Site Scripting in NightWolf Penetration Testing Platform allows attack trigger and run malicious script in user's browser...
CVE-2026-6179
CVE-2026-6179 concerns a stored cross-site scripting (XSS) vulnerability in NightWolf Penetration Testing Platform. The affected entry states that an attacker can trigger and run malicious script in a user’s browser due to a stored XSS flaw, enabling impact on user-side confidentiality and integr...
Totara LMS 安全漏洞
Totara LMS is an learning management system provided by the Totara company. Versions of Totara LMS prior to v19.1.5 contained security vulnerabilities. These vulnerabilities were caused by HTML injection, which could allow attackers to send malicious HTML code to all users, thereby hijacking...