Lucene search
+L

552 matches found

ATTACKERKB
ATTACKERKB
added 2026/01/26 5:43 p.m.5 views

CVE-2020-36960

Forma LMS 2.3 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into user profile first and last name fields. Attackers can craft scripts like '' to execute arbitrary JavaScript when the profile is viewed by other users...

6.4CVSS6AI score0.00195EPSS
Exploits0References3
OSV
OSV
added 2026/01/19 9:16 a.m.4 views

CVE-2026-1146

A vulnerability has been found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this issue is some unknown functionality of the file /php/apiregisterpatient.php. Such manipulation of the argument firstName/lastName leads to cross site scripting. The...

5.4CVSS3.9AI score0.00176EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/01/19 8:32 a.m.30 views

CVE-2026-1146 SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System api_register_patient.php cross site scripting

A vulnerability has been found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this issue is some unknown functionality of the file /php/apiregisterpatient.php. Such manipulation of the argument firstName/lastName leads to cross site scripting. The...

5.1CVSS0.00176EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/01/19 8:32 a.m.3 views

CVE-2026-1146

A vulnerability has been found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this issue is some unknown functionality of the file /php/apiregisterpatient.php. Such manipulation of the argument firstName/lastName leads to cross site scripting. The...

5.4CVSS3.6AI score0.00176EPSS
Exploits0References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/01/19 12:0 a.m.11 views

PT-2026-3429

A vulnerability has been found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this issue is some unknown functionality of the file /php/api register patient.php. Such manipulation of the argument firstName/lastName leads to cross site scripting. The...

5.1CVSS3.7AI score0.00176EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/01/19 12:0 a.m.9 views

SourceCodester: Patients Waiting Area Queue Management System – Code Injection Vulnerability

The SourceCodester Patients Waiting Area Queue Management System is an open-source system developed by SourceCodester for managing patient waiting queues. Version 1.0 of the SourceCodester Patients Waiting Area Queue Management System contains a code injection vulnerability. This vulnerability...

5.4CVSS5.7AI score0.00176EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/01/09 12:35 p.m.11 views

CVE-2023-45391

A stored cross-site scripting XSS vulnerability in the Create A New Employee function of Granding UTime Master v9.0.7-Build:Apr 4,2023 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the First Name parameter...

4.8CVSS5.4AI score0.00351EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2026/01/02 10:51 p.m.13 views

Bagisto is vulnerable to SSTI via name parameters provided by non-admin low-privilege users

Summary SSTI is possible via first name and last name parameters provided by lowest-privileged users. Details 1. Go to http://127.0.0.1:8000/ and login or signup 2. Go to http://127.0.0.1:8000/customer/account/profile 3. Now edit the first name and last name to 77 4. Notice it appears as 49 POC -...

8.8CVSS7.2AI score0.00455EPSS
Exploits1References5Affected Software1
OSV
OSV
added 2026/01/02 10:51 p.m.5 views

GHSA-MQHG-V22X-PQJ8 Bagisto is vulnerable to SSTI via name parameters provided by non-admin low-privilege users

Summary SSTI is possible via first name and last name parameters provided by lowest-privileged users. Details 1. Go to http://127.0.0.1:8000/ and login or signup 2. Go to http://127.0.0.1:8000/customer/account/profile 3. Now edit the first name and last name to 77 4. Notice it appears as 49 POC -...

8.8CVSS7.1AI score0.00455EPSS
Exploits1References5
CVE
CVE
added 2026/01/02 8:35 p.m.23 views

CVE-2026-21449

CVE-2026-21449 affects Bagisto (pre-2.3.10). SSTI via first/last name supplied by a low-privilege user can lead to remote code execution. Version 2.3.10 includes a fix. Related advisories link to Bagisto security notes (SSTI via name fields; low-privilege access). If exploitable in practice, the ...

8.8CVSS6.8AI score0.00455EPSS
Exploits1References1Affected Software1
Cvelist
Cvelist
added 2026/01/02 8:35 p.m.47 views

CVE-2026-21449 Bagisto has SSTI via first and last name from low-privilege user (not admin)

Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via first name and last name from a low-privilege user. Version 2.3.10 fixes the issue...

8.7CVSS0.00455EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/12/20 8:14 a.m.11 views

CVE-2025-66501

A stored cross-site scripting XSS vulnerability exists in pdfonline.foxit.com within the Predefined Text feature of the Foxit eSign section. A crafted payload can be stored via the Identity “First Name” field, which is later rendered into the DOM without proper sanitization. As a result, the...

6.3CVSS5.8AI score0.0015EPSS
Exploits0References1
OSV
OSV
added 2025/12/19 8:15 a.m.5 views

CVE-2025-66501

A stored cross-site scripting XSS vulnerability exists in pdfonline.foxit.com within the Predefined Text feature of the Foxit eSign section. A crafted payload can be stored via the Identity “First Name” field, which is later rendered into the DOM without proper sanitization. As a result, the...

5.4CVSS5.7AI score0.0015EPSS
Exploits0References1
NVD
NVD
added 2025/12/19 8:15 a.m.18 views

CVE-2025-66501

A stored cross-site scripting XSS vulnerability exists in pdfonline.foxit.com within the Predefined Text feature of the Foxit eSign section. A crafted payload can be stored via the Identity “First Name” field, which is later rendered into the DOM without proper sanitization. As a result, the...

6.3CVSS0.0015EPSS
Exploits0References1
CVE
CVE
added 2025/12/19 7:23 a.m.17 views

CVE-2025-66501

Foxit pdfonline.foxit.com Predefined Text in Foxit eSign is affected by a stored XSS via the Identity field “First Name,” where unsanitized input is rendered into the DOM when predefined text is used or document properties are viewed. The description is consistently reported across CVE entries (N...

6.3CVSS5.4AI score0.0015EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2025/12/19 7:23 a.m.5 views

CVE-2025-66501 Foxit pdfonline.foxit.com Stored Cross-Site Scripting in eSign Predefined Text Feature

A stored cross-site scripting XSS vulnerability exists in pdfonline.foxit.com within the Predefined Text feature of the Foxit eSign section. A crafted payload can be stored via the Identity “First Name” field, which is later rendered into the DOM without proper sanitization. As a result, the...

6.3CVSS5.4AI score0.0015EPSS
Exploits0References1
Cvelist
Cvelist
added 2025/12/19 7:23 a.m.34 views

CVE-2025-66501 Foxit pdfonline.foxit.com Stored Cross-Site Scripting in eSign Predefined Text Feature

A stored cross-site scripting XSS vulnerability exists in pdfonline.foxit.com within the Predefined Text feature of the Foxit eSign section. A crafted payload can be stored via the Identity “First Name” field, which is later rendered into the DOM without proper sanitization. As a result, the...

6.3CVSS0.0015EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2025/12/19 12:0 a.m.9 views

PT-2025-52429

A stored cross-site scripting XSS vulnerability exists in pdfonline.foxit.com within the Predefined Text feature of the Foxit eSign section. A crafted payload can be stored via the Identity “First Name” field, which is later rendered into the DOM without proper sanitization. As a result, the...

6.3CVSS5.8AI score0.0015EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2025/12/17 10:44 p.m.2 views

CVE-2023-53913 Rukovoditel 3.3.1 CSV Injection via User Account Export

Rukovoditel 3.3.1 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into the firstname field. Attackers can craft payloads like =calc|a!z| to trigger code execution when an admin exports customer data as a CSV file...

8.8CVSS7.4AI score0.0064EPSS
Exploits1References3
GithubExploit
GithubExploit
added 2025/12/13 1:47 p.m.210 views

Exploit for Cross-site Scripting in Oretnom23 Banking_System

Description 1. CVE-2025-14221 2. Discoverer: Fatma Trabelsi 3...

5.4CVSS5.6AI score0.00217EPSS
Exploits2
Rows per page
Query Builder