357 matches found
SUSE-SU-2026:21159-1 Security update for python-gi-docgen
This update for python-gi-docgen fixes the following issues: - CVE-2025-11687: Fixed reflected DOM XSS bsc1251961...
CVE-2026-35035 CI4MS Company Information Public-Facing Page Full Platform Compromise & Full Account Takeover for All Roles & Privilege-Escalation via System Settings Company Information Stored DOM XSS
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.2.0, the application fails to properly sanitize user-controlled input within System Settings – Company Information. Several administrative...
GHSA-CCGF-5RWJ-J3HV TeleJSON: DOM XSS via unsanitised constructor name in `new Function()`
Summary telejson versions prior to 6.0.0 released 2022 are vulnerable to DOM-based Cross-Site Scripting XSS through unsafe deserialisation. Attacker-controlled input from the constructor-name property in parsed JSON is passed directly to new Function without sanitisation, allowing arbitrary...
CI4MS: Blogs Posts Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Summary Vulnerability: Stored DOM XSS via Blog Post Content Persistent Payload Injection - Stored Cross-Site Scripting via Unsanitized Blog Post Content in Blog Management Description The application fails to properly sanitize user-controlled input when creating or editing blog posts. An attacker...
CVE-2026-34569
CI4MS is a CodeIgniter 4–based CMS skeleton. Prior to version 0.31.0.0, it fails to sanitize input when creating/editing blog categories, allowing stored XSS via the category title that is rendered unsafely across public blog/category pages and admin views. The issue is fixed in 0.31.0.0. The CVS...
CVE-2026-34566
CVE-2026-34566 affects CI4MS, a CodeIgniter 4-based CMS skeleton. Prior to version 0.31.0.0, user-controlled input in Page Management is not properly sanitized, allowing attacker-controlled JavaScript to be stored server-side and later rendered without output encoding in admin page lists and publ...
CVE-2026-34565 CI4MS: Menu Management (Posts) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when adding Posts to navigation menus through the Menu Manageme...
CVE-2026-34565 CI4MS: Menu Management (Posts) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when adding Posts to navigation menus through the Menu Manageme...
CVE-2026-34564 CI4MS: Menu Management (Pages) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when adding Pages to navigation menus through the Menu Manageme...
CVE-2026-34562 CI4MS: System Settings (Company Information) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings – Company Information. Several...
CVE-2025-13535
The King Addons for Elementor plugin for WordPress is vulnerable to multiple Contributor+ DOM-Based Stored Cross-Site Scripting vulnerabilities in all versions up to, and including, 51.1.38. This is due to insufficient input sanitization and output escaping across multiple widgets and features. T...
CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Summary Vulnerability: Stored DOM XSS via Methods Management Fields Global Persistent Payload Execution - Stored Cross-Site Scripting via Unsanitized Method Creation and Management Inputs - Automatic Execution Across All Pages Where Method Is Rendered in Navigation Description The application fai...
CVE-2026-34716 AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the caller's display name directly as the heading parameter. The toast plugin constructs the heading as...
CVE-2026-34558 CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within the Methods Management functionality when creating or...
CVE-2026-34558 CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within the Methods Management functionality when creating or...
CVE-2026-27599
CI4MS (CodeIgniter 4-based CMS skeleton) is affected by a stored DOM XSS in System Settings – Mail Settings. Prior to version 0.31.0.0, fields such as Mail Server, Mail Port, Email Address, Email Password, Mail Protocol and TLS settings accept attacker-controlled input that is stored server-side ...
GHSA-66M2-V9V9-95C3 ci4-cms-erp/ci4ms: System Settings (Mail Settings) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Summary Vulnerability: Stored DOM XSS via System Settings – Mail Settings Same-Page Attribute Breakout & Persistent Payload Injection - Stored Cross-Site Scripting via Unsanitized Mail Settings Configuration Fields Description The application fails to properly sanitize user-controlled input withi...
CVE-2026-33506 DOM-Based XSS in Ory Polis Login Page
Ory Polis, formerly known as BoxyHQ Jackson, bridges or proxies a SAML login flow to OAuth 2.0 or OpenID Connect. Versions prior to 26.2.0 contain a DOM-based Cross-Site Scripting XSS vulnerability in Ory Polis's login functionality. The application improperly trusts a URL parameter callbackUrl,...
CVE-2026-32277
Connect-CMS is a content management system. In versions 1.35.0 through 1.41.0 and 2.35.0 through 2.41.0, a DOM-based Cross-Site Scripting XSS issue exists in the Cabinet Plugin list view. Versions 1.41.1 and 2.41.1 contain a patch...
CVE-2026-33061
Jexactyl is a customisable game management panel and billing system. Commits after 025e8dbb0daaa04054276bda814d922cf4af58da and before e28edb204e80efab628d1241198ea4f079779cfd inject server-side objects into client-side JavaScript through resources/views/templates/wrapper.blade.php. Using unescap...