EUVD-2025-204781

The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up to, and including, 3.7. This is due to a discrepancy between the extension validation in getExtensionForURL which operates on URL-decoded paths, and appendNormalized...

CVE-2025-14388

The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up to, and including, 3.7. This is due to a discrepancy between the extension validation in getExtensionForURL which operates on URL-decoded paths, and appendNormalized...

EUVD-2023-60243

PhotoShow 3.0 contains a remote code execution vulnerability that allows authenticated administrators to inject malicious commands through the exiftran path configuration. Attackers can exploit the ffmpeg configuration settings by base64 encoding a reverse shell command and executing it through a...

PT-2025-52833

Name of the Vulnerable Software and Affected Versions CMSimple version 5.4 Description The software contains a cross-site scripting issue that allows attackers to bypass input filtering. This is achieved by using HTML to Unicode encoding, enabling the injection of malicious scripts. Attackers can...

CVE-2025-66845

TechStore 1.0 exposes a reflected XSS in the user_name endpoint: the id query parameter is echoed into HTML without output encoding or sanitization, allowing execution of arbitrary JavaScript in a victim’s browser. Root cause is lack of input encoding on reflection. CVE-2025-66845 is documented a...

CMSimple 跨站脚本漏洞

CMSimple is a free content management system. CMSimple suffers from a cross-site scripting vulnerability that stems from the application not effectively filtering or neutralizing HTML Unicode encoding when processing user input. An attacker could use this vulnerability to execute arbitrary...

CVE-2023-53981 PhotoShow 3.0 Remote Code Execution via Exiftran Path Injection

PhotoShow 3.0 contains a remote code execution vulnerability that allows authenticated administrators to inject malicious commands through the exiftran path configuration. Attackers can exploit the ffmpeg configuration settings by base64 encoding a reverse shell command and executing it through a...

CVE-2025-12874

Inconsistent Interpretation of HTTP Requests 'HTTP Request/Response Smuggling' vulnerability in Quest Coexistence Manager for Notes Free/Busy Connector modules allows HTTP Request Smuggling via the Content-Length-Transfer-Encoding CL.TE attack vector. This could allow an attacker to bypass access...

EUVD-2025-204611

Inconsistent Interpretation of HTTP Requests 'HTTP Request/Response Smuggling' vulnerability in Quest Coexistence Manager for Notes Free/Busy Connector modules allows HTTP Request Smuggling via the Content-Length-Transfer-Encoding CL.TE attack vector. This could allow an attacker to bypass access...

CVE-2025-12874

Inconsistent Interpretation of HTTP Requests 'HTTP Request/Response Smuggling' vulnerability in Quest Coexistence Manager for Notes Free/Busy Connector modules allows HTTP Request Smuggling via the Content-Length-Transfer-Encoding CL.TE attack vector. This could allow an attacker to bypass access...

CVE-2025-12874 HTTP Request Smuggling in Quest Coexistence Manager for Notes

Inconsistent Interpretation of HTTP Requests 'HTTP Request/Response Smuggling' vulnerability in Quest Coexistence Manager for Notes Free/Busy Connector modules allows HTTP Request Smuggling via the Content-Length-Transfer-Encoding CL.TE attack vector. This could allow an attacker to bypass access...

CVE-2025-12874

Quest Coexistence Manager for Notes (Free/Busy Connector modules) contains a HTTP Request/Response Smuggling flaw via Content-Length-Transfer-Encoding (CL.TE). The CVE entry notes the issue affects version 3.8.2045 and may affect other versions; impact includes bypassing access controls, web-cach...

PT-2025-52508

Name of the Vulnerable Software and Affected Versions Quest Coexistence Manager for Notes version 3.8.2045 Description An inconsistent interpretation of HTTP requests 'HTTP Request/Response Smuggling' exists in Quest Coexistence Manager for Notes Free/Busy Connector modules. This allows HTTP...

CVE-2025-68382 Packetbeat Out-of-bounds Read

Out-of-bounds read CWE-125 allows an unauthenticated remote attacker to perform a buffer overflow CAPEC-100 via the NFS protocol dissector, leading to a denial-of-service DoS through a reliable process crash when handling truncated XDR-encoded RPC messages...

EUVD-2025-204361

A CRLF injection vulnerability in Kentico Xperience allows attackers to manipulate URL query string redirects via improper encoding in the routing engine. This could enable header injection and potentially facilitate further web application attacks...

CVE-2022-50682

A CRLF injection vulnerability in Kentico Xperience allows attackers to manipulate URL query string redirects via improper encoding in the routing engine. This could enable header injection and potentially facilitate further web application attacks...

CVE-2022-50682 Kentico Xperience <= 13.0.79 Routing Engine CRLF Injection

A CRLF injection vulnerability in Kentico Xperience allows attackers to manipulate URL query string redirects via improper encoding in the routing engine. This could enable header injection and potentially facilitate further web application attacks...

BIT-GITLAB-2025-8405 Improper Encoding or Escaping of Output in GitLab

GitLab has remediated a security issue in GitLab CE/EE affecting all versions from 17.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to perform unauthorized actions on behalf of other users by injecting malicious HTML into vulnerability...

Improper Encoding or Escaping of Output

Overview Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the HTML style sanitizer module. An attacker can access sensitive information by crafting malicious HTML content that is improperly sanitized when viewed by a user. Remediation Upgrade...

PT-2025-52304

Name of the Vulnerable Software and Affected Versions Kentico Xperience affected versions not specified Description A CRLF injection flaw exists in Kentico Xperience due to improper encoding within the routing engine. This allows attackers to manipulate URL query string redirects. Successful...