Pimcore has a CustomReports Share Bypass
Summary CustomReports uses inconsistent authorization between the report listing endpoint and the report detail endpoint. - The listing flow filters reports based on report-sharing rules - The detail flow only checks generic reports or reportsconfig permissions As a result, a low-privileged backe...
GHSA-3234-GXC3-PQ6F Pimcore Vulnerable to SQL Injection in Custom Reports Column Configuration
Summary The columnConfigAction endpoint in the CustomReportsBundle is vulnerable to SQL injection. An attacker with the reportsconfig permission can supply a malicious SQL configuration that is concatenated into a query and executed. Although the application attempts to filter certain DDL/DML...
PT-2026-43628
Summary The columnConfigAction endpoint in the CustomReportsBundle is vulnerable to SQL injection. An attacker with the reports config permission can supply a malicious SQL configuration that is concatenated into a query and executed. Although the application attempts to filter certain DDL/DML...
PT-2026-44159
Summary CustomReports uses inconsistent authorization between the report listing endpoint and the report detail endpoint. - The listing flow filters reports based on report-sharing rules - The detail flow only checks generic reports or reports config permissions As a result, a low-privileged...
CVE-2026-2432
The CM Custom Reports – Flexible reporting to track what matters most plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...
EUVD-2026-13637
The CM Custom Reports – Flexible reporting to track what matters most plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...
CVE-2026-2432 CM Custom Reports <= 1.2.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Labels
The CM Custom Reports – Flexible reporting to track what matters most plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...
CVE-2026-2432
CVE-2026-2432 affects CM Custom Reports – Flexible reporting to track what matters most, a WordPress plugin, with versions up to 1.2.7. The issue is stored cross-site scripting via admin settings/labels, exploitable by authenticated users with administrator-level permissions and above. Affected i...
WordPress CM Custom Reports plugin <= 1.2.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Labels vulnerability
Authenticated Administrator+ Stored Cross-Site Scripting via Plugin Labels vulnerability discovered by san6051 - PWC in WordPress Plugin CM Custom WordPress Reports and Analytics versions <= 1.2.7...
PT-2026-26585
Name of the Vulnerable Software and Affected Versions CM Custom Reports – Flexible reporting to track what matters most plugin for WordPress versions through 1.2.7 Description The plugin is susceptible to Stored Cross-Site Scripting through admin settings due to inadequate input sanitization and...
WordPress plugin CM Custom Reports Cross-Site Scripting Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
EUVD-2026-13156
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, DOM-based stored XSS in the jQuery SearchHighlight plugin library/js/SearchHighlight.js allows an authenticated user with encounter form write access to inject arbitrary...
WordPress CM Custom Reports plugin <= 1.2.7 - Reflected Cross-Site Scripting via 'date_from' and 'date_to' Parameters vulnerability
Reflected Cross-Site Scripting via 'date_from' and 'date_to' Parameters vulnerability discovered by san6051 - PWC in WordPress Plugin CM Custom WordPress Reports and Analytics versions <= 1.2.7...
CVE-2026-2431
The CM Custom Reports plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'date_from' and 'date_to' parameters in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...
EUVD-2026-10100
The CM Custom Reports plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'date_from' and 'date_to' parameters in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...