135 matches found
CVE-2026-36341
Cross-Site Scripting XSS vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint...
CVE-2026-8814
CVE-2026-8814 affects the ExifReader library prior to version 4.39.0. The issue is an improper handling of highly compressed data (Data Amplification) that occurs when decompressing PNG zTXt metadata without a built-in maximum decompressed output size, which can cause a crafted PNG to materialize...
CVE-2026-38569
HireFlow v1.2 is vulnerable to Cross Site Scripting XSS in candidatedetail.html via the Resume or Feedback Comment fields via POST /candidates/add or POST /feedback/add...
CVE-2026-38569
CVE-2026-38569 affects HireFlow v1.2. The vulnerability is a Cross Site Scripting (XSS) flaw in candidate_detail.html that can be triggered via the Resume or Feedback Comment fields when submitting through POST /candidates/add or POST /feedback/add. The underlying issue is an XSS in the candidate...
GHSA-J822-46R5-H4QX Webkul Krayin CRM is Vulnerable to Cross-Site Scripting in the /admin/activities/create endpoint
Cross-Site Scripting XSS vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint...
CVE-2026-36341
Cross-Site Scripting XSS vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint...
CVE-2026-36341
Cross-Site Scripting XSS vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint...
CVE-2026-36341
Cross-Site Scripting XSS vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint...
CVE-2018-25249 MyBB My Arcade Plugin 1.3 Persistent XSS via Comment
MyBB My Arcade Plugin 1.3 contains a persistent cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through arcade game score comments. Attackers can add crafted HTML and JavaScript payloads in the comment field that execute when other users view or edit...
MyBB My Arcade Plugin 跨站脚本漏洞
The MyBB My Arcade Plugin is a forum download plugin developed by MyBB Corporation. Version 1.3 of the MyBB My Arcade Plugin contains a cross-site scripting vulnerability. This vulnerability arises from improper cleaning of input data in the arcade game score comment field, which may allow...
CVE-2025-57543
Cross Site scripting vulnerability XSS in NetBox 4.3.5 "comment" field on object forms. An attacker can inject arbitrary HTML, which will be rendered in the web UI when viewed by other users. This could potentially lead to user interface redress attacks or be escalated to XSS in certain contexts...
h3: SSE Event Injection via Unsanitized Carriage Return (`\r`) in EventStream Data and Comment Fields (Bypass of CVE Fix)
Summary The EventStream class in h3 fails to sanitize carriage return \r characters in data and comment fields. Per the SSE specification, \r is a valid line terminator, so browsers interpret injected \r as line breaks. This allows an attacker to inject arbitrary SSE events, spoof event types, an...
GHSA-4HXC-9384-M385 h3: SSE Event Injection via Unsanitized Carriage Return (`\r`) in EventStream Data and Comment Fields (Bypass of CVE Fix)
Summary The EventStream class in h3 fails to sanitize carriage return \r characters in data and comment fields. Per the SSE specification, \r is a valid line terminator, so browsers interpret injected \r as line breaks. This allows an attacker to inject arbitrary SSE events, spoof event types, an...
CRLF Injection
Overview h3 is a Minimal HTTP framework built for high performance and portability. Affected versions of this package are vulnerable to CRLF Injection via unsanitized carriage return characters in the data and comment fields of the EventStream class. An attacker can inject arbitrary server-sent...
CRLF Injection
Overview org.webjars.npm:h3 is a Minimal HTTP framework built for high performance and portability. Affected versions of this package are vulnerable to CRLF Injection via unsanitized carriage return characters in the data and comment fields of the EventStream class. An attacker can inject arbitra...
EUVD-2025-208745
Cross Site scripting vulnerability XSS in NetBox 4.3.5 "comment" field on object forms. An attacker can inject arbitrary HTML, which will be rendered in the web UI when viewed by other users. This could potentially lead to user interface redress attacks or be escalated to XSS in certain contexts...
CVE-2025-57543
Cross Site scripting vulnerability XSS in NetBox 4.3.5 "comment" field on object forms. An attacker can inject arbitrary HTML, which will be rendered in the web UI when viewed by other users. This could potentially lead to user interface redress attacks or be escalated to XSS in certain contexts...
CVE-2025-57543
Cross Site scripting vulnerability XSS in NetBox 4.3.5 "comment" field on object forms. An attacker can inject arbitrary HTML, which will be rendered in the web UI when viewed by other users. This could potentially lead to user interface redress attacks or be escalated to XSS in certain contexts...
CVE-2025-57543
CVE-2025-57543 describes a Cross Site Scripting (XSS) vulnerability in NetBox 4.3.5, affecting the Web UI via the "comment" field on object forms. An attacker can inject arbitrary HTML, which is rendered in the UI for other users, potentially enabling UI redress attacks or context‑specific XSS. T...
PT-2026-25761
Cross Site scripting vulnerability XSS in NetBox 4.3.5 "comment" field on object forms. An attacker can inject arbitrary HTML, which will be rendered in the web UI when viewed by other users. This could potentially lead to user interface redress attacks or be escalated to XSS in certain contexts...