CVE-2026-10111 sambitraj STUDENT-MANAGEMENT-SYSTEM Login Page sql injection

A flaw has been found in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0. This impacts an unknown function of the component Login Page. Executing a manipulation of the argument email can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used. The...

CVE-2026-43876

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/notifySubscribers.json.php takes the raw message POST parameter and passes it into sendSiteEmail, which substitutes it directly into an HTML email template via strreplace on the message placeholder and...

Cross-site Scripting (XSS)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Scripting XSS in the sendSiteEmail process. An attacker can inject arbitrary HTML content into emails sent to subscribers by supplying crafted input to...

CVE-2026-27694

Traccar (org.traccar:traccar) versions 6.11.1–6.12.x are vulnerable to stored HTML injection in email notification templates. User-controlled device, geofence, and driver names are inserted into HTML output without proper escaping, allowing an attacker with low privileges to store crafted HTML th...

📄 GoAnywhere MFT 7.9.1 HTML Injection

GoAnywhere MFT versions prior to 7.10.0 are affected by an HTML injection vulnerability in the email templating functionality. If an attacker is able to influence the content of a template variable, malicious HTML can be embedded into outgoing emails generated by the application. As these message...

CVE-2026-41426 pretalx: Email injection via unescaped user-controlled placeholders in pretalx mail templates

pretalx is a conference planning tool. Prior to 2026.1.0, an unauthenticated attacker can send arbitrary HTML-rendered emails from a pretalx instance's configured sender address by embedding malformed HTML or markdown link syntax in a user-controlled template placeholder such as the account displ...

CVE-2026-41426 pretalx: Email injection via unescaped user-controlled placeholders in pretalx mail templates

pretalx is a conference planning tool. Prior to 2026.1.0, an unauthenticated attacker can send arbitrary HTML-rendered emails from a pretalx instance's configured sender address by embedding malformed HTML or markdown link syntax in a user-controlled template placeholder such as the account displ...

CVE-2018-25269

CVE-2018-25269 : ICEWARP 11.0.0.0 contains a cross-site scripting vulnerability allowing HTML injection into emails. Attackers can embed base64 payloads in object/embed tags and craft emails with data URIs that execute scripts when viewed, potentially compromising user sessions and leaking sensit...

CVE-2018-25269 ICEWARP 11.0.0.0 Cross-Site Scripting via Email HTML Injection

ICEWARP 10.3.4 and 11.0.0.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML elements into emails by embedding base64-encoded payloads in object and embed tags. Attackers can craft emails containing data URIs with embedded scripts that execute in the...

Improper Encoding or Escaping of Output

Overview pretalx is a Conference organisation: CfPs, scheduling, much more Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via unescaped user-controlled placeholders in mail templates. An attacker can inject arbitrary HTML content into outgoing emails b...

BIT-GITLAB-2026-2995 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 15.4 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to add email addresses to targeted user accounts due to improper sanitization of HTML content...

CVE-2026-32757 Admidio: HTMLPurifier Bypass in eCard Message Allows HTML Email Injection

Admidio is an open-source user management solution. In versions 5.0.6 and below, the eCard send handler uses a raw $POST'ecardmessage' value instead of the HTMLPurifier-sanitized $formValues'ecardmessage' when constructing the greeting card HTML. This allows an authenticated attacker to inject...

RHEL 10 : python3.12 (RHSA-2026:4713)

The remote Redhat Enterprise Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:4713 advisory. Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level...

GHSA-4WR4-F2QF-X5WJ Admidio has an HTMLPurifier Bypass in eCard Message Allows HTML Email Injection

Summary The eCard send handler in Admidio uses the raw $POST'ecardmessage' value instead of the HTMLPurifier-sanitized $formValues'ecardmessage' when constructing the greeting card HTML. This allows an authenticated attacker to inject arbitrary HTML and JavaScript into greeting card emails sent t...

Admidio has an HTMLPurifier Bypass in eCard Message Allows HTML Email Injection

The eCard send handler in Admidio uses the raw $POST'ecardmessage' value instead of the HTMLPurifier-sanitized $formValues'ecardmessage' when constructing the greeting card HTML. This allows an authenticated attacker to inject arbitrary HTML and JavaScript into greeting card emails sent to other...

CVE-2026-2553

A security flaw has been discovered in tushar-2223 Hotel-Management-System up to bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15. This affects an unknown part of the file /home.php of the component HTTP POST Request Handler. Performing a manipulation of the argument Name/Email results in sql injection...

UBUNTU-CVE-2026-0595

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.9 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to add unauthorized email addresses to victim accounts through HTML injection in test...

CVE-2026-0595 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.9 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to add unauthorized email addresses to victim accounts through HTML injection in test...

MiracleLinux 8 : python3-3.6.8-73.el8_10.ML.1 (AXSA:2026-153:02)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2026-153:02 advisory. cpython: wsgiref.headers.Headers allows header newline injection in Python CVE-2026-0865 cpython: IMAP command injection in user-controlled commands...

Atlassian Jira Service Management Data Center and Server 11.0.x < 11.0.1 (JSDSERVER-16411)

The version of Atlassian Jira Service Management Data Center and Server Jira Service Desk running on the remote host is affected by a vulnerability as referenced in the JSDSERVER-16411 advisory. - In Jakarta Mail 2.0.2 it is possible to preform a SMTP Injection by utilizing the \r and \n UTF-8...