
59 matches found

EUVD
added 2025/10/03 8:07 p.m. · 1 view

EUVD-2024-26874

Malicious code in bioql PyPI...

8.8 CVSS · 6.6 AI score · 0.00129 EPSS
Exploits: 0 · References: 1

EUVD
added 2025/10/03 8:07 p.m. · 2 views

EUVD-2025-30835

Malicious code in bioql PyPI...

9.6 CVSS · 6.6 AI score · 0.0006 EPSS
Exploits: 0 · References: 1

NVD
added 2025/09/22 8:15 p.m. · 3 views

CVE-2025-59434

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to August 2025 Cloud-Hosted Flowise, an authenticated vulnerability in Flowise Cloud allows any user on the free tier to access sensitive environment variables from other tenants via the Custom JavaScri...

9.6 CVSS · 0.0006 EPSS
Exploits: 0 · References: 1

Cvelist
added 2025/09/22 7:39 p.m. · 7 views

CVE-2025-59434 Critical Multi-Tenant Variable Disclosure in Flowise Cloud via Custom JavaScript Function

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to August 2025 Cloud-Hosted Flowise, an authenticated vulnerability in Flowise Cloud allows any user on the free tier to access sensitive environment variables from other tenants via the Custom JavaScri...

9.6 CVSS · 0.0006 EPSS
Exploits: 0 · References: 1

Vulnrichment
added 2025/09/22 7:39 p.m. · 5 views

CVE-2025-59434 Critical Multi-Tenant Variable Disclosure in Flowise Cloud via Custom JavaScript Function

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to August 2025 Cloud-Hosted Flowise, an authenticated vulnerability in Flowise Cloud allows any user on the free tier to access sensitive environment variables from other tenants via the Custom JavaScri...

9.6 CVSS · 6.3 AI score · 0.0006 EPSS
Exploits: 0 · References: 1

CVE
added 2025/09/22 7:39 p.m. · 12 views

CVE-2025-59434

Flowise Cloud prior to August 2025 was vulnerable to a cross-tenant data exposure through the Custom JavaScript Function node, allowing authenticated users on the free tier to access environment variables from other tenants (e.g., OpenAI keys, cloud credentials, and tokens). The issue has been pa...

9.6 CVSS · 6.3 AI score · 0.0006 EPSS
Exploits: 0 · References: 1

OSV
added 2025/09/22 7:39 p.m. · 2 views

CVE-2025-59434 Critical Multi-Tenant Variable Disclosure in Flowise Cloud via Custom JavaScript Function

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to August 2025 Cloud-Hosted Flowise, an authenticated vulnerability in Flowise Cloud allows any user on the free tier to access sensitive environment variables from other tenants via the Custom JavaScri...

9.6 CVSS · 6.7 AI score · 0.0006 EPSS
Exploits: 0 · References: 3

RedhatCVE
added 2025/09/20 10:33 a.m. · 3 views

CVE-2025-9992

The Ghost Kit – Page Builder Blocks, Motion Effects & Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JS field in all versions up to, and including, 3.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...

6.4 CVSS · 4.9 AI score · 0.00035 EPSS
Exploits: 0 · References: 1

CVE
added 2025/09/18 9:31 a.m. · 19 views

CVE-2025-9992

The CVE-2025-9992 entry concerns Ghost Kit – Page Builder Blocks, Motion Effects & Extensions for WordPress. It is vulnerable to Stored Cross-Site Scripting via the custom JS field in all versions up to and including 3.4.3, due to insufficient input sanitization and output escaping. Exploitation ...

6.4 CVSS · 4.6 AI score · 0.00035 EPSS
Exploits: 0 · References: 2

Positive Technologies
added 2025/09/18 12:00 a.m. · 2 views

PT-2025-38307

Name of the Vulnerable Software and Affected Versions: Ghost Kit – Page Builder Blocks, Motion Effects & Extensions plugin for WordPress versions through 3.4.3 Description: The Ghost Kit – Page Builder Blocks, Motion Effects & Extensions plugin for WordPress is susceptible to Stored Cross-Site...

6.4 CVSS · 5.2 AI score · 0.00035 EPSS
Exploits: 0 · References: 7

CVE
added 2025/07/25 3:55 p.m. · 12 views

CVE-2022-4979

CVE-2022-4979 affects Sitecore XP 7.5–10.2 and Sitecore CMS 7.2–7.2 Update-6, including Managed Cloud Standard deployments. The vulnerability is a cross‑site scripting (XSS) flaw that could allow an authenticated Sitecore Shell user to execute custom JavaScript code. The issue originates f...

5.1 CVSS · 5.3 AI score · 0.00057 EPSS
Exploits: 0 · References: 3

RedhatCVE
added 2025/05/22 6:09 p.m. · 6 views

CVE-2021-3741

A stored cross-site scripting (XSS) vulnerability was discovered in chatwoot/chatwoot, affecting all versions prior to 2.6. The vulnerability occurs when a user uploads an SVG file containing a malicious XSS payload in the profile settings. When the avatar is opened in a new page, the custom...

7.8 CVSS · 5 AI score · 0.00215 EPSS
Exploits: 0

RedhatCVE
added 2025/05/22 5:43 p.m. · 6 views

CVE-2020-14063

A stored Cross-Site Scripting (XSS) vulnerability in the TC Custom JavaScript plugin before 1.2.2 for WordPress allows unauthenticated remote attackers to inject arbitrary JavaScript via the tccj-content parameter. This is displayed in the page footer of every front-end page and executed in the...

6.1 CVSS · 5.9 AI score · 0.00604 EPSS
Exploits: 1

NVD
added 2025/05/02 4:15 a.m. · 9 views

CVE-2024-13419

Multiple plugins and/or themes for WordPress using Smart Framework are vulnerable to Stored Cross-Site Scripting due to a missing capability check on the saveOptions and importThemeOptions functions in various versions. This makes it possible for authenticated attackers, with Subscriber-level...

6.4 CVSS · 0.0012 EPSS
Exploits: 0 · References: 2

Patchstack
added 2025/01/21 1:11 a.m. · 2 views

WordPress Betheme theme <= 27.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom JS vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via Custom JS vulnerability discovered by stealthcopter in WordPress Theme Betheme versions <= 27.6.1...

6.4 CVSS · 5.8 AI score · 0.00176 EPSS
Exploits: 0 · References: 1 · Affected Software: 1

OSV
added 2024/06/14 7:15 a.m. · 0 views

CVE-2024-5994

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Custom JS option in versions up to, and including, 9.0.38. This makes it possible for authenticated attackers that have been explicitly granted permissions by an administrator, with...

5.4 CVSS · 5.9 AI score
Exploits: 0 · References: 3

CNNVD
added 2024/06/14 12:00 a.m. · 1 view

WordPress plugin WP Go Maps security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security...

6.4 CVSS · 6.1 AI score · 0.00272 EPSS
Exploits: 0 · References: 4

Positive Technologies
added 2024/06/14 12:00 a.m. · 1 view

PT-2024-37299 · WordPress · Wp Go Maps

Name of the Vulnerable Software and Affected Versions: WP Go Maps plugin for WordPress versions up to, and including, 9.0.38 Description: The issue allows authenticated attackers with contributor-level permissions and above to inject arbitrary web scripts in pages via the Custom JS option. This...

6.4 CVSS · 7.2 AI score · 0.00272 EPSS
Exploits: 0 · References: 7

Patchstack
added 2024/06/03 1:47 a.m. · 2 views

WordPress Popup Builder plugin <= 4.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom JS vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via Custom JS vulnerability discovered by Tim Coen in WordPress Plugin Popup Builder versions <= 4.2.7...

6.4 CVSS · 5.8 AI score · 0.00311 EPSS
Exploits: 0 · References: 1 · Affected Software: 1

OSV
added 2024/05/02 5:15 p.m. · 1 view

CVE-2024-1348

The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JS parameter in all versions up to, and including, 2.15.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

5.4 CVSS · 6 AI score
Exploits: 0 · References: 2