1063 matches found
WordPress Ultimate FAQs <= 1.8.24 – Unauthenticated HTML Content Injection
Functions/EWDUFAQImport.php in the ultimate-faqs plugin through 1.8.24 for WordPress allows HTML content injection. id: CVE-2019-17233 info: name: WordPress Ultimate FAQs = 1.8.24 – Unauthenticated HTML Content Injection author: daffainfo severity: medium description: | Functions/EWDUFAQImport.ph...
CVE-2026-57476
CVE-2026-57476 describes a vulnerability in Deloitte AI Assist for Customer where unauthenticated API endpoints allowed an attacker knowing specific parameters to read from or inject content into the retrieval-augmented generation (RAG) corpus. The issue was mitigated on 2026-03-25 by restricting...
CVE-2026-41899
CVE-2026-41899 affects Coolify prior to 4.0.0-beta.474. The POST /api/feedback endpoint is unauthenticated, lacks rate limiting and input validation, allowing arbitrary content to reach a Discord webhook and enabling spam, content injection, and webhook abuse. Remediation: upgrade to Coolify 4.0....
CVE-2026-14691 SourceCodester Multi-Vendor Online Grocery Management System Setting SystemSettings.php update_settings_info code injection
A security vulnerability has been detected in SourceCodester Multi-Vendor Online Grocery Management System 1.0. This impacts the function updatesettingsinfo of the file classes/SystemSettings.php of the component Setting Handler. Such manipulation of the argument content leads to code injection...
CVE-2026-12472 Kirki <= 6.0.11 - Missing Authorization to Unauthenticated Arbitrary Email Content Injection (Mail Relay / Phishing) via 'emailBody' and 'emailSubject' Parameters
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.11. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...
Linux Distros Unpatched Vulnerability : CVE-2026-57963
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An attacker who can send HTML chat messages via Matrix or XMPP can inject arbitrary styled content, phishing links, and CSS that manipulates the chat UI. This...
EUVD-2026-40862
An attacker who can send HTML chat messages via Matrix or XMPP can inject arbitrary styled content, phishing links, and CSS that manipulates the chat UI. This vulnerability was fixed in Thunderbird 152.0.1 and Thunderbird 140.12.1...
Mozilla Thunderbird < 140.12.1
The version of Thunderbird installed on the remote macOS or Mac OS X host is prior to 140.12.1. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2026-64 advisory. - An attacker who can send HTML chat messages via Matrix or XMPP can inject arbitrary styled content,...
EUVD-2025-210355
Unauthenticated Content Injection in Auros Core = 5.3.1 versions...
CVE-2025-64637
Unauthenticated Content Injection in Auros Core = 5.3.1 versions...
CVE-2025-64637
CVE-2025-64637 concerns the WordPress plugin Auros Core (versions
CVE-2025-64637 WordPress Auros Core plugin <= 5.3.1 - Content Injection vulnerability
Unauthenticated Content Injection in Auros Core = 5.3.1 versions...
WordPress Auros Core plugin <= 5.3.1 - Content Injection vulnerability
Content Injection vulnerability discovered by Bonds in WordPress Plugin Auros Core versions = 5.3.1...
PT-2026-52713
Name of the Vulnerable Software and Affected Versions Auros Core versions prior to 5.3.2 Description An unauthenticated content injection flaw allows an attacker to inject arbitrary content into the system without requiring valid credentials. Recommendations Update Auros Core to version 5.3.2 or...
CVE-2026-57533
Malicious HTML content could be injected into the page pretix shows when redirection to an untrusted page occurs. Since this page has a Content-Security-Policy, this can mainly be used for phishing purposes...
CVE-2026-57535
Content injected to PDF rendering contexts could, in many places, include HTML content including tags. If the src attribute of these images pointed to an URL, the PDF rendering engine would download the image from that place and display it, thereby leaking information about the rendering server a...
CVE-2026-57534 Stored XSS in pretix-pages
Malicious HTML content could be injected into the content of a page in the pretix-pages plugin...
CVE-2026-57534
Malicious HTML content could be injected into the content of a page in the pretix-pages plugin...
EUVD-2026-39416
Malicious HTML content could be injected into the content of a page in the pretix-pages plugin...
CVE-2026-57534
Summary: CVE-2026-57534 affects the pretix-pages plugin, where malicious HTML content can be injected into a page’s content, causing a stored XSS condition. The root cause is described as unsafe handling of page content within the plugin; exploitation details are not provided beyond the stored-XS...