63 matches found

OSV
added 2025/10/15 7:15 a.m. | 4 views

CVE-2025-11160

The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom JS module in all versions up to, and including, 8.6.1. This is due to insufficient input sanitization and output escaping of user-supplied JavaScript code in the Custom JS module. This makes...

CVSS 5.4 | AI score 6
Exploits: 0 | References: 2

Vulnrichment
added 2025/10/15 6:43 a.m. | 3 views

CVE-2025-11160 WPBakery Page Builder <= 8.6.1 - Stored Cross-Site Scripting via Custom JS Module

The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom JS module in all versions up to, and including, 8.6.1. This is due to insufficient input sanitization and output escaping of user-supplied JavaScript code in the Custom JS module. This makes...

CVSS 6.4 | AI score 4.8 | EPSS 0.00024
Exploits: 0 | References: 2

CVE
added 2025/10/15 6:43 a.m. | 13 views

CVE-2025-11160

CVE-2025-11160 applies to the WPBakery Page Builder (WordPress) and is a stored XSS via the Custom JS module in all versions up to 8.6.1. The vulnerability arises from insufficient input sanitization and output escaping of user-supplied JavaScript, enabling authenticated users with contri...

CVSS 6.4 | AI score 4.8 | EPSS 0.00024
Exploits: 0 | References: 2 | Affected Software: 1

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2020-6222

Malware in sbrugna...

CVSS 6.1 | AI score 6.3 | EPSS 0.00604
Exploits: 1 | References: 3

EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2024-26874

Malicious code in bioql PyPI...

CVSS 8.8 | AI score 6.6 | EPSS 0.00129
Exploits: 0 | References: 1

EUVD
added 2025/10/03 8:7 p.m. | 3 views

EUVD-2025-30835

Malicious code in bioql PyPI...

CVSS 9.6 | AI score 6.6 | EPSS 0.00081
Exploits: 0 | References: 1

NVD
added 2025/09/22 8:15 p.m. | 3 views

CVE-2025-59434

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to August 2025 Cloud-Hosted Flowise, an authenticated vulnerability in Flowise Cloud allows any user on the free tier to access sensitive environment variables from other tenants via the Custom JavaScri...

CVSS 9.6 | EPSS 0.00081
Exploits: 0 | References: 1

Cvelist
added 2025/09/22 7:39 p.m. | 8 views

CVE-2025-59434 Critical Multi-Tenant Variable Disclosure in Flowise Cloud via Custom JavaScript Function

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to August 2025 Cloud-Hosted Flowise, an authenticated vulnerability in Flowise Cloud allows any user on the free tier to access sensitive environment variables from other tenants via the Custom JavaScri...

CVSS 9.6 | EPSS 0.00081
Exploits: 0 | References: 1

Vulnrichment
added 2025/09/22 7:39 p.m. | 6 views

CVE-2025-59434 Critical Multi-Tenant Variable Disclosure in Flowise Cloud via Custom JavaScript Function

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to August 2025 Cloud-Hosted Flowise, an authenticated vulnerability in Flowise Cloud allows any user on the free tier to access sensitive environment variables from other tenants via the Custom JavaScri...

CVSS 9.6 | AI score 6.3 | EPSS 0.00081
Exploits: 0 | References: 1

CVE
added 2025/09/22 7:39 p.m. | 17 views

CVE-2025-59434

Flowise Cloud prior to August 2025 was vulnerable to a cross-tenant data exposure through the Custom JavaScript Function node, allowing authenticated users on the free tier to access environment variables from other tenants (e.g., OpenAI keys, cloud credentials, and tokens). The issue has been pa...

CVSS 9.6 | AI score 6.3 | EPSS 0.00081
Exploits: 0 | References: 1

OSV
added 2025/09/22 7:39 p.m. | 4 views

CVE-2025-59434 Critical Multi-Tenant Variable Disclosure in Flowise Cloud via Custom JavaScript Function

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to August 2025 Cloud-Hosted Flowise, an authenticated vulnerability in Flowise Cloud allows any user on the free tier to access sensitive environment variables from other tenants via the Custom JavaScri...

CVSS 9.6 | AI score 6.7 | EPSS 0.00081
Exploits: 0 | References: 3

RedhatCVE
added 2025/09/20 10:33 a.m. | 10 views

CVE-2025-9992

The Ghost Kit – Page Builder Blocks, Motion Effects & Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JS field in all versions up to, and including, 3.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...

CVSS 6.4 | AI score 4.9 | EPSS 0.00048
Exploits: 0 | References: 1

CVE
added 2025/09/18 9:31 a.m. | 23 views

CVE-2025-9992

The CVE-2025-9992 entry concerns Ghost Kit – Page Builder Blocks, Motion Effects & Extensions for WordPress. It is vulnerable to Stored Cross-Site Scripting via the custom JS field in all versions up to and including 3.4.3, due to insufficient input sanitization and output escaping. Exploitation ...

CVSS 6.4 | AI score 4.6 | EPSS 0.00048
Exploits: 0 | References: 2

Positive Technologies
added 2025/09/18 12:0 a.m. | 2 views

PT-2025-38307

Name of the Vulnerable Software and Affected Versions: Ghost Kit – Page Builder Blocks, Motion Effects & Extensions plugin for WordPress versions through 3.4.3. Description: The Ghost Kit – Page Builder Blocks, Motion Effects & Extensions plugin for WordPress is susceptible to Stored Cross-Site...

CVSS 6.4 | AI score 5.2 | EPSS 0.00048
Exploits: 0 | References: 7

CVE
added 2025/07/25 3:55 p.m. | 13 views

CVE-2022-4979

CVE-2022-4979 affects Sitecore XP 7.5–10.2 and Sitecore CMS 7.2–7.2 Update-6, including Managed Cloud Standard deployments. The vulnerability is a cross‑site scripting (XSS) flaw that could allow an authenticated Sitecore Shell user to execute custom JavaScript code. The issue originates f...

CVSS 5.1 | AI score 5.3 | EPSS 0.00057
Exploits: 0 | References: 3

RedhatCVE
added 2025/05/22 6:9 p.m. | 6 views

CVE-2021-3741

A stored cross-site scripting (XSS) vulnerability was discovered in chatwoot/chatwoot, affecting all versions prior to 2.6. The vulnerability occurs when a user uploads an SVG file containing a malicious XSS payload in the profile settings. When the avatar is opened in a new page, the custom...

CVSS 7.8 | AI score 5 | EPSS 0.00215
Exploits: 0

RedhatCVE
added 2025/05/22 5:43 p.m. | 7 views

CVE-2020-14063

A stored Cross-Site Scripting (XSS) vulnerability in the TC Custom JavaScript plugin before 1.2.2 for WordPress allows unauthenticated remote attackers to inject arbitrary JavaScript via the tccj-content parameter. This is displayed in the page footer of every front-end page and executed in the...

CVSS 6.1 | AI score 5.9 | EPSS 0.00604
Exploits: 1

NVD
added 2025/05/02 4:15 a.m. | 9 views

CVE-2024-13419

Multiple plugins and/or themes for WordPress using Smart Framework are vulnerable to Stored Cross-Site Scripting due to a missing capability check on the saveOptions and importThemeOptions functions in various versions. This makes it possible for authenticated attackers, with Subscriber-level...

CVSS 6.4 | EPSS 0.0029
Exploits: 0 | References: 2

Patchstack
added 2025/01/21 1:11 a.m. | 3 views

WordPress Betheme theme <= 27.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom JS vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via Custom JS vulnerability discovered by stealthcopter in WordPress Theme Betheme versions <= 27.6.1...

CVSS 6.4 | AI score 5.8 | EPSS 0.00239
Exploits: 0 | References: 1 | Affected Software: 1

OSV
added 2024/06/14 7:15 a.m. | 1 views

CVE-2024-5994

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Custom JS option in versions up to, and including, 9.0.38. This makes it possible for authenticated attackers that have been explicitly granted permissions by an administrator, with...

CVSS 5.4 | AI score 5.9
Exploits: 0 | References: 3