108 matches found
CVE-2026-58144
Cotonti Siena 0.9.26 and earlier contains a stored cross-site scripting vulnerability that allows authenticated users with PFS access to inject arbitrary script payloads by supplying malicious HTML in the ntitle parameter processed through the TXT filter in pfs.main.php. Attackers can create a...
CVE-2026-5790 Stored Cross-Site Scripting (XSS) vulnerability in Stel Order
Stored Cross-Site Scripting XSS in Stel Order v3.25.1 and earlier, located at the ‘/app/FrontController’ endpoint via the ‘legalName’ and ‘employeeID’ parameters. The lack of proper input sanitization allows an attacker to inject malicious code that is persistently stored in the database. When...
CVE-2026-5790 Stored Cross-Site Scripting (XSS) vulnerability in Stel Order
Stored Cross-Site Scripting XSS in Stel Order v3.25.1 and earlier, located at the ‘/app/FrontController’ endpoint via the ‘legalName’ and ‘employeeID’ parameters. The lack of proper input sanitization allows an attacker to inject malicious code that is persistently stored in the database. When...
CVE-2026-40038
Pachno 1.0.6 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads into POST parameters. Attackers can inject scripts through the value, commentbody, articlecontent, description, and message parameters...
CVE-2021-47948
WordPress GetPaid Plugin 2.4.6 contains an HTML injection vulnerability that allows authenticated attackers to inject arbitrary HTML code by exploiting the Help Text field in payment forms. Attackers can inject malicious HTML including image tags and scripts into the Help Text field during paymen...
EUVD-2021-34808
WordPress GetPaid Plugin 2.4.6 contains an HTML injection vulnerability that allows authenticated attackers to inject arbitrary HTML code by exploiting the Help Text field in payment forms. Attackers can inject malicious HTML including image tags and scripts into the Help Text field during paymen...
CVE-2021-47948 WordPress GetPaid Plugin 2.4.6 HTML Injection via Help Text
WordPress GetPaid Plugin 2.4.6 contains an HTML injection vulnerability that allows authenticated attackers to inject arbitrary HTML code by exploiting the Help Text field in payment forms. Attackers can inject malicious HTML including image tags and scripts into the Help Text field during paymen...
CVE-2026-41524 Ajax30/BraveCMS-2.0: Stored XSS in Page / Article Content
Brave CMS is an open-source CMS. Prior to commit 6c56603, page and article body content entered through the CKEditor rich-text editor is stored verbatim in the database and subsequently rendered with Laravel Blade's unescaped output directive !! !!. Any JavaScript or HTML injected by an editor-ro...
EUVD-2026-22041
Pachno 1.0.6 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads into POST parameters. Attackers can inject scripts through the value, commentbody, articlecontent, description, and message parameters...
CVE-2026-40038
Pachno 1.0.6 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads into POST parameters. Attackers can inject scripts through the value, commentbody, articlecontent, description, and message parameters...
PT-2026-32492
Pachno 1.0.6 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads into POST parameters. Attackers can inject scripts through the value, comment body, article content, description, and message parameter...
CVE-2026-34718 Zammad improperly neutralizes of script-related HTML tags in ticket articles
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the HTML sanitizer for ticket articles was missing proper sanitization of data: ... URI schemes, resulting in storing such malicious content in the database of the Zammad instance. The Zammad GUI is...
PT-2026-31342
Name of the Vulnerable Software and Affected Versions Red Hat Quay affected versions not specified Description A flaw exists in Red Hat Quay's handling of resumable container image layer uploads. The upload process stores intermediate data in the database in a format that, if manipulated, could...
CVE-2026-30563
A Stored Cross-Site Scripting XSS vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the updatedetails.php file. The application fails to sanitize the "website" parameter provided in a POST request. This allows authenticated attackers to inject...
CVE-2026-30563
A Stored Cross-Site Scripting XSS vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the updatedetails.php file. The application fails to sanitize the "website" parameter provided in a POST request. This allows authenticated attackers to inject...
Devolutions Server 安全漏洞
Devolutions Server is an application system developed by the Canadian company Devolutions. It provides a fully functional solution for shared accounts and password management. Versions of Devolutions Server prior to 2025.3.14 contained a security vulnerability; this vulnerability stemmed from the...
osTicket 1.18.3 Intelligence and Security Analysis Module
This Metasploit auxiliary module is designed for intelligence gathering, security analysis, and vulnerability discovery in osTicket installations. It performs passive and active reconnaissance without direct exploitation and stores results in the Metasploit database for reporting...
CVE-2026-23887
Group-Office is an enterprise customer relationship management and groupware tool. In versions 6.8.148 and below, and 25.0.1 through 25.0.79, the application stores unsanitized filenames in the database, which can lead to Stored Cross-Site Scripting XSS. Users who interact with these specially...
CVE-2026-23887
Group-Office is an enterprise customer relationship management and groupware tool. In versions 6.8.148 and below, and 25.0.1 through 25.0.79, the application stores unsanitized filenames in the database, which can lead to Stored Cross-Site Scripting XSS. Users who interact with these specially...
CVE-2025-66399 SNMP Command Injection leads to RCE in Cacti
Cacti is an open source performance and fault management framework. Prior to 1.2.29, there is an input-validation flaw in the SNMP device configuration functionality. An authenticated Cacti user can supply crafted SNMP community strings containing control characters including newlines that are...