
1285 matches found

OSV
added 2026/01/16 9:4 p.m. | 1 views

GHSA-38CW-85XC-XR9X Veramo is Vulnerable to SQL Injection in Veramo Data Store ORM

Summary: An SQL injection vulnerability exists in the @veramo/data-store package that allows any authenticated user to execute arbitrary SQL queries against the database. The vulnerability is caused by insufficient validation of the column parameter in the order array of query requests. Details...

6.8 CVSS | 8.5 AI score
Exploits: 0 | References: 5
Snyk
added 2026/01/16 9:4 p.m. | 2 views

SQL Injection

Overview: @veramo/data-store is a Veramo data storage plugin based on TypeORM database drivers. Affected versions of this package are vulnerable to SQL Injection via insufficient validation of the column parameter in the order array processed by the decorateQB function. An attacker can execute...

8.2 CVSS | 6.3 AI score
Exploits: 0 | References: 2
Snyk
added 2026/01/16 9:4 p.m. | 1 views

SQL Injection

Overview: @veramo/core-types is a Veramo Core Logic & Interfaces. Affected versions of this package are vulnerable to SQL Injection via insufficient validation of the column parameter in the order array processed by the decorateQB function. An attacker can execute arbitrary SQL queries and access...

8.2 CVSS | 6.3 AI score
Exploits: 0 | References: 2
GitHub Security Blog
added 2026/01/16 9:4 p.m. | 8 views

Veramo is Vulnerable to SQL Injection in Veramo Data Store ORM

Summary: An SQL injection vulnerability exists in the @veramo/data-store package that allows any authenticated user to execute arbitrary SQL queries against the database. The vulnerability is caused by insufficient validation of the column parameter in the order array of query requests. Details...

8.6 AI score
Exploits: 0 | References: 5 | Affected Software: 1
ATTACKERKB
added 2026/01/15 3:52 p.m. | 4 views

CVE-2021-47763

Aimeos 2021.10 LTS contains a SQL injection vulnerability in the json api 'sort' parameter that allows attackers to inject malicious database queries. Attackers can manipulate the sort parameter to reveal table and column names by sending crafted GET requests to the jsonapi/review endpoint...

8.8 CVSS | 5.8 AI score | 0.0002 EPSS
Exploits: 0 | References: 3
Veracode
added 2026/01/15 1:34 p.m. | 6 views

SQL Injection

Django is vulnerable to SQL Injection. The vulnerability is due to improper handling of column aliases in FilteredRelation when expanding user-controlled dictionaries passed to QuerySet.annotate or QuerySet.alias, which allows an attacker to inject crafted SQL on PostgreSQL...

4.3 CVSS | 5.8 AI score | 0.00006 EPSS
Exploits: 0 | References: 9 | Affected Software: 1
RedhatCVE
added 2026/01/09 12:40 p.m. | 20 views

CVE-2023-43951

SSCMS 7.2.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the Column Management component...

5.4 CVSS | 6.2 AI score | 0.00055 EPSS
Exploits: 0 | References: 1
RedhatCVE
added 2026/01/09 12:36 p.m. | 10 views

CVE-2023-49485

JFinalCMS v5.0.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the column management department...

5.4 CVSS | 6 AI score | 0.00098 EPSS
Exploits: 0 | References: 1
RedhatCVE
added 2026/01/09 10:42 a.m. | 8 views

CVE-2022-26255

Clash for Windows v0.19.8 was discovered to allow arbitrary code execution via a crafted payload injected into the Proxies name column...

9.8 CVSS | 8 AI score | 0.01119 EPSS
Exploits: 1 | References: 1
RedhatCVE
added 2026/01/09 9:16 a.m. | 2 views

CVE-2025-14109

The AH Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'column' shortcode attribute in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-lev...

6.4 CVSS | 5 AI score | 0.00008 EPSS
Exploits: 0 | References: 1
NVD
added 2026/01/07 12:16 p.m. | 1 views

CVE-2025-14109

The AH Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'column' shortcode attribute in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-lev...

6.4 CVSS | 0.00008 EPSS
Exploits: 0 | References: 3
Cvelist
added 2026/01/07 9:21 a.m. | 23 views

CVE-2025-14057 Multi-column Tag Map <= 17.0.39 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'mctm_css_conditional' Parameter

The Multi-column Tag Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 17.0.39 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

4.4 CVSS | 0.00005 EPSS
Exploits: 0 | References: 4
CVE
added 2026/01/07 9:21 a.m. | 15 views

CVE-2025-14057

CVE-2025-14057 : The WordPress plugin Multi-column Tag Map is affected by a Stored XSS via the parameter mctm_css_conditional in admin settings. Affected versions are up to 17.0.39, and exploitation requires authenticated admin+ privileges. The vulnerability is specific to WordPress multisite dep...

4.4 CVSS | 4.7 AI score | 0.00005 EPSS
Exploits: 0 | References: 4
Cvelist
added 2026/01/07 9:20 a.m. | 21 views

CVE-2025-14109 AH Shortcodes <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'column' Shortcode Attribute

The AH Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'column' shortcode attribute in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-lev...

6.4 CVSS | 0.00008 EPSS
Exploits: 0 | References: 3
Vulnrichment
added 2026/01/07 9:20 a.m. | 1 views

CVE-2025-14109 AH Shortcodes <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'column' Shortcode Attribute

The AH Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'column' shortcode attribute in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-lev...

6.4 CVSS | 4.7 AI score | 0.00008 EPSS
Exploits: 0 | References: 3
CVE
added 2026/01/07 9:20 a.m. | 10 views

CVE-2025-14109

CVE-2025-14109 affects AH Shortcodes, a WordPress plugin. It is vulnerable to Stored Cross-Site Scripting via the column shortcode attribute in all versions up to 1.0.2. The vulnerability can be exploited by authenticated attackers with Contributor-level access and above, allowing injection of ar...

6.4 CVSS | 4.7 AI score | 0.00008 EPSS
Exploits: 0 | References: 3
Tenable Nessus
added 2026/01/07 12:0 a.m. | 3 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: python-django (UTSA-2026-000157)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-000157 advisory. An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate, aggregate, and extra methods are subject to SQL...

9.8 CVSS | 7.2 AI score | 0.01971 EPSS
Exploits: 3 | References: 4
Positive Technologies
added 2026/01/07 12:0 a.m. | 2 views

PT-2026-1616

Name of the Vulnerable Software and Affected Versions: Multi-column Tag Map versions prior to 17.0.40. Description: The Multi-column Tag Map plugin for WordPress is susceptible to Stored Cross-Site Scripting through admin settings. Insufficient input sanitization and output escaping allow...

4.4 CVSS | 5.3 AI score | 0.00005 EPSS
Exploits: 0 | References: 6
Positive Technologies
added 2026/01/07 12:0 a.m. | 3 views

PT-2026-1619

Name of the Vulnerable Software and Affected Versions: AH Shortcodes plugin for WordPress versions prior to 1.0.3. Description: The AH Shortcodes plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'column' shortcode attribute. Insufficient input sanitization and output...

6.4 CVSS | 5.3 AI score | 0.00008 EPSS
Exploits: 0 | References: 5
CNNVD
added 2026/01/07 12:0 a.m. | 1 views

WordPress plugin Multi-column Tag Map cross-site scripting vulnerability

WordPress and WordPress plugin are products of the WordPress Foundation, a blogging platform developed in PHP. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A cross-site scripting vulnerability exists in WordPres...

4.4 CVSS | 5.8 AI score | 0.00005 EPSS
Exploits: 0 | References: 4