
15 matches found

OSV
added 2026/02/27 7:15 p.m. · 1 view

CVE-2026-26997 ClipBucket v5 has Stored XSS via Collection name

ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 #59, a normal authenticated user can store an XSS payload. The payload is triggered by an administrator. Version 5.5.3 #59 fixes the issue...

CVSS 5.1 · AI score 5.9 · EPSS 0.00014
Exploits 1 · References 4
Vulnrichment
added 2026/02/27 7:15 p.m. · 2 views

CVE-2026-26997 ClipBucket v5 has Stored XSS via Collection name

ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 #59, a normal authenticated user can store an XSS payload. The payload is triggered by an administrator. Version 5.5.3 #59 fixes the issue...

CVSS 5.1 · AI score 5.9 · EPSS 0.00014
Exploits 1 · References 2
CVE
added 2026/02/27 7:15 p.m. · 6 views

CVE-2026-26997

CVE-2026-26997 affects ClipBucket v5 prior to 5.5.3 #59. A normal authenticated user can store a stored XSS payload via the collection name, with the payload being triggered by an administrator. The issue is fixed in version 5.5.3 #59. CVSS metrics in the entry indicate a base score of 5.1 (Mediu...

CVSS 5.4 · AI score 5.9 · EPSS 0.00014
Exploits 1 · References 2 · Affected Software 1
RedhatCVE
added 2025/12/16 11:55 p.m. · 3 views

CVE-2025-64338

ClipBucket v5 is an open source video sharing platform. In versions 5.5.2 - 156 and below, an authenticated regular user can create a photo collection whose Collection Name contains HTML/JavaScript payloads, which makes ClipBucket’s Manage Photos feature vulnerable to Stored XSS. The payload is...

CVSS 9 · AI score 6.6 · EPSS 0.00052
Exploits 1 · References 1
OSV
added 2025/11/07 5:16 a.m. · 3 views

CVE-2025-64338 ClipBucket's Manage Photos Feature is Vulnerable to Stored XSS via Collection Name

ClipBucket v5 is an open source video sharing platform. In versions 5.5.2 - 156 and below, an authenticated regular user can create a photo collection whose Collection Name contains HTML/JavaScript payloads, which makes ClipBucket’s Manage Photos feature vulnerable to Stored XSS. The payload is...

CVSS 5.1 · AI score 6.5 · EPSS 0.00052
Exploits 1 · References 4
EUVD
added 2025/10/03 8:07 p.m. · 3 views

EUVD-2023-27723

Malicious code in bioql PyPI...

CVSS 5.4 · AI score 5.7 · EPSS 0.00535
Exploits 1 · References 4
RedhatCVE
added 2025/05/23 3:19 a.m. · 2 views

CVE-2023-23635

In Jellyfin 10.8.x through 10.8.3, the name of a collection is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim...

CVSS 5.4 · AI score 5.5 · EPSS 0.00535
Exploits 1 · References 1
RedhatCVE
added 2025/05/22 6:49 p.m. · 4 views

CVE-2021-43266

In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, exporting collections via PDF export could lead to code execution via shell metacharacters in a collection name. Additionally, in Mahara before 20.10.4, 21.04.3, and 21.10.1, exporting collections via PDF export could cause code execution...

CVSS 7.3 · AI score 7.4 · EPSS 0.00501
Exploits 1
Github Security Blog
added 2025/05/13 8:02 p.m. · 10 views

Kirby vulnerable to path traversal of collection names during file system lookup

TL;DR: This vulnerability affects all Kirby sites that use the collection() helper or $kirby->collection() method with a dynamic collection name, such as a collection name that depends on request or user data. Sites that only use fixed calls to the collection() helper/$kirby->collection() method, i.e. calls...

CVSS 9.1 · AI score 6.6 · EPSS 0.00771
Exploits 0 · References 7 · Affected Software 1
SUSE CVE
added 2023/02/15 5:10 a.m. · 1 view

SUSE CVE-2015-9105

Multiple cross-site scripting (XSS) vulnerabilities in Synology Video Station 1.2 before 1.2-0455, 1.5 before 1.5-0772, and 1.6 before 1.6-0847 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) file name or (2) collection name of videos...

CVSS 5.4 · AI score 5.9 · EPSS 0.00246
Exploits 0 · References 2
Cvelist
added 2021/11/02 9:54 p.m. · 15 views

CVE-2021-43266

In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, exporting collections via PDF export could lead to code execution via shell metacharacters in a collection name. Additionally, in Mahara before 20.10.4, 21.04.3, and 21.10.1, exporting collections via PDF export could cause code execution...

AI score 8.1 · EPSS 0.00501
Exploits 1 · References 4
OSV
added 2020/09/03 9:12 p.m. · 0 views

GHSA-MH5C-679W-HH4R Denial of Service in mongodb

Versions of mongodb prior to 3.1.13 are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the DB does not exist, crashing the application. Recommendation Upgrade to version 3.1.13 or later...

AI score 5.9
Exploits 0 · References 1
Veracode
added 2019/10/21 5:29 a.m. · 11 views

Denial Of Service (DoS)

mongodb is vulnerable to denial of service. Failure to properly catch an exception arising from an invalid collection name when a database does not exist results in an application crash...

AI score 2.4
Exploits 0
Positive Technologies
added 2018/06/04 12:00 a.m. · 2 views

PT-2018-6051 · Summit +1

Name of the Vulnerable Software and Affected Versions: Summit versions 0.1.0 and later. Description: The issue allows an attacker to execute arbitrary commands via the collection name when using the PouchDB driver in the module. There is no information about the estimated number of potentially...

CVSS 9.8 · AI score 9.7 · EPSS 0.00788
Exploits 0 · References 6
CNVD
added 2017/09/22 12:00 a.m. · 1 view

WSO2 Data Analytics Server Cross-Site Scripting Vulnerability

WSO2 Data Analytics Server is a data analytics server from WSO2, Inc. that provides real-time analysis of data streams, complex event processing, and machine learning. A cross-site scripting vulnerability exists in the carbon/resources/addcollectionajaxprocessor.jsp file in WSO2 Data Analytics...

CVSS 4.8 · AI score 6.3 · EPSS 0.03672
Exploits 1 · References 1