552 matches found
CVE-2020-36960
Forma LMS 2.3 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into user profile first and last name fields. Attackers can craft scripts like '' to execute arbitrary JavaScript when the profile is viewed by other users...
CVE-2026-1146
A vulnerability has been found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this issue is some unknown functionality of the file /php/apiregisterpatient.php. Such manipulation of the argument firstName/lastName leads to cross site scripting. The...
CVE-2026-1146 SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System api_register_patient.php cross site scripting
A vulnerability has been found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this issue is some unknown functionality of the file /php/apiregisterpatient.php. Such manipulation of the argument firstName/lastName leads to cross site scripting. The...
CVE-2026-1146
A vulnerability has been found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this issue is some unknown functionality of the file /php/apiregisterpatient.php. Such manipulation of the argument firstName/lastName leads to cross site scripting. The...
PT-2026-3429
A vulnerability has been found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this issue is some unknown functionality of the file /php/api register patient.php. Such manipulation of the argument firstName/lastName leads to cross site scripting. The...
SourceCodester: Patients Waiting Area Queue Management System – Code Injection Vulnerability
The SourceCodester Patients Waiting Area Queue Management System is an open-source system developed by SourceCodester for managing patient waiting queues. Version 1.0 of the SourceCodester Patients Waiting Area Queue Management System contains a code injection vulnerability. This vulnerability...
CVE-2023-45391
A stored cross-site scripting XSS vulnerability in the Create A New Employee function of Granding UTime Master v9.0.7-Build:Apr 4,2023 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the First Name parameter...
Bagisto is vulnerable to SSTI via name parameters provided by non-admin low-privilege users
Summary SSTI is possible via first name and last name parameters provided by lowest-privileged users. Details 1. Go to http://127.0.0.1:8000/ and login or signup 2. Go to http://127.0.0.1:8000/customer/account/profile 3. Now edit the first name and last name to 77 4. Notice it appears as 49 POC -...
GHSA-MQHG-V22X-PQJ8 Bagisto is vulnerable to SSTI via name parameters provided by non-admin low-privilege users
Summary SSTI is possible via first name and last name parameters provided by lowest-privileged users. Details 1. Go to http://127.0.0.1:8000/ and login or signup 2. Go to http://127.0.0.1:8000/customer/account/profile 3. Now edit the first name and last name to 77 4. Notice it appears as 49 POC -...
CVE-2026-21449
CVE-2026-21449 affects Bagisto (pre-2.3.10). SSTI via first/last name supplied by a low-privilege user can lead to remote code execution. Version 2.3.10 includes a fix. Related advisories link to Bagisto security notes (SSTI via name fields; low-privilege access). If exploitable in practice, the ...
CVE-2026-21449 Bagisto has SSTI via first and last name from low-privilege user (not admin)
Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via first name and last name from a low-privilege user. Version 2.3.10 fixes the issue...
CVE-2025-66501
A stored cross-site scripting XSS vulnerability exists in pdfonline.foxit.com within the Predefined Text feature of the Foxit eSign section. A crafted payload can be stored via the Identity “First Name” field, which is later rendered into the DOM without proper sanitization. As a result, the...
CVE-2025-66501
A stored cross-site scripting XSS vulnerability exists in pdfonline.foxit.com within the Predefined Text feature of the Foxit eSign section. A crafted payload can be stored via the Identity “First Name” field, which is later rendered into the DOM without proper sanitization. As a result, the...
CVE-2025-66501
A stored cross-site scripting XSS vulnerability exists in pdfonline.foxit.com within the Predefined Text feature of the Foxit eSign section. A crafted payload can be stored via the Identity “First Name” field, which is later rendered into the DOM without proper sanitization. As a result, the...
CVE-2025-66501
Foxit pdfonline.foxit.com Predefined Text in Foxit eSign is affected by a stored XSS via the Identity field “First Name,” where unsanitized input is rendered into the DOM when predefined text is used or document properties are viewed. The description is consistently reported across CVE entries (N...
CVE-2025-66501 Foxit pdfonline.foxit.com Stored Cross-Site Scripting in eSign Predefined Text Feature
A stored cross-site scripting XSS vulnerability exists in pdfonline.foxit.com within the Predefined Text feature of the Foxit eSign section. A crafted payload can be stored via the Identity “First Name” field, which is later rendered into the DOM without proper sanitization. As a result, the...
CVE-2025-66501 Foxit pdfonline.foxit.com Stored Cross-Site Scripting in eSign Predefined Text Feature
A stored cross-site scripting XSS vulnerability exists in pdfonline.foxit.com within the Predefined Text feature of the Foxit eSign section. A crafted payload can be stored via the Identity “First Name” field, which is later rendered into the DOM without proper sanitization. As a result, the...
PT-2025-52429
A stored cross-site scripting XSS vulnerability exists in pdfonline.foxit.com within the Predefined Text feature of the Foxit eSign section. A crafted payload can be stored via the Identity “First Name” field, which is later rendered into the DOM without proper sanitization. As a result, the...
CVE-2023-53913 Rukovoditel 3.3.1 CSV Injection via User Account Export
Rukovoditel 3.3.1 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into the firstname field. Attackers can craft payloads like =calc|a!z| to trigger code execution when an admin exports customer data as a CSV file...
Exploit for Cross-site Scripting in Oretnom23 Banking_System
Description 1. CVE-2025-14221 2. Discoverer: Fatma Trabelsi 3...