PT-2026-45448

A vulnerability has been found in a4m4 Student-Management-System up to f0c5f6842c5e8c431ff02b5260a565ca844df3a0. The impacted element is an unknown function of the file admin/deleteform.php. Such manipulation of the argument sid leads to improper authorization. It is possible to launch the attack...

CVE-2026-10064

A security flaw has been discovered in TRENDnet TEW-432BRP 3.10B20. This affects the function formSetPortTr of the file /goform/formSetPortTr. Performing a manipulation of the argument specialname results in stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit...

Follet School Solutions Destiny 安全漏洞

Follet School Solutions Destiny is a school solution provided by Follet Corporation. Versions of Follet School Solutions Destiny prior to 22.0.1 AU1 contained security vulnerabilities. These vulnerabilities stemmed from a cross-site scripting vulnerability in the showSupportExpiredMessage paramet...

PT-2026-43473

A weakness has been identified in UTT HiPER 1200GW up to 2.5.3-170306. Affected is an unknown function of the file /goform/formPptpClientConfig of the component Web Management Interface. This manipulation of the argument PPTP server address/username/password/tunnel name causes stack-based buffer...

CVE-2026-9363 Edimax EW-7438RPn POST Request formEZCHNwlanSetu formEZCHNwlanSetup command injection

A vulnerability was detected in Edimax EW-7438RPn 1.12. This issue affects the function formEZCHNwlanSetup of the file /goform/formEZCHNwlanSetu of the component POST Request Handler. Performing a manipulation of the argument method results in command injection. Remote exploitation of the attack ...

CVE-2026-45622

Vvveb CMS (version prior to 1.0.8.3) is affected by an unauthenticated reflected XSS in the public product return form. The issue arises from inserting the customer_order_id into the error message without HTML escaping, allowing attacker-controlled HTML/JavaScript to execute in the submitting use...

📄 Contact Form by Supsystic 1.7.36 Server-Side Template Injection

Contact Form by Supsystic versions 1.7.36 and below server-side template injection exploit that achieves remote code execution. import requests import argparse import re import urllib.parse def checksstiurl, fieldname: printf" Testing SSTI on url with field fieldname..." Simple arithmetic test...

CVE-2022-23961

In Thruk Monitoring through 2.46.3, the login field of the login form is vulnerable to reflected XSS. This vulnerability can be exploited by unauthenticated remote attackers to target users of the monitoring interface...

CVE-2022-23961

In Thruk Monitoring through 2.46.3, the login field of the login form is vulnerable to reflected XSS. This vulnerability can be exploited by unauthenticated remote attackers to target users of the monitoring interface...

CVE-2026-5111 Gravity Forms <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting via Hidden Product Field in Repeater

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping on Hidden Product field values when used inside Repeater fields, where repeater subfields bypass state...

DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)

There is an inconsistency between FORBIDTAGS and FORBIDATTR handling when function-based ADDTAGS is used. Commit c361baa added an early exit for FORBIDATTR at line 1214: / FORBIDATTR must always win, even if ADDATTR predicate would allow it / if FORBIDATTRlcName return false; The same fix was not...

CVE-2026-4091

The CVE concerns the WordPress OPEN-BRAIN plugin

EUVD-2026-21248

The Webling plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.9.0 due to insufficient input sanitization, insufficient output escaping, and missing capabilities checks in the 'weblingadminsaveform' and 'weblingadminsavememberlist' functions...

EUVD-2026-18124

The MW WP Form plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation via the 'generateuserfilepath' function and the 'movetempfiletouploaddir' function in all versions up to, and including, 5.1.0. This makes it possible for unauthenticated attackers ...

CVE-2026-4909

A weakness has been identified in code-projects Exam Form Submission 1.0. This impacts an unknown function of the file /admin/updates7.php. This manipulation of the argument sname causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to t...

CVE-2018-25209 OpenBiz Cubi Lite 3.0.8 SQL Injection via username Parameter

OpenBiz Cubi Lite 3.0.8 contains a SQL injection vulnerability in the login form that allows unauthenticated attackers to manipulate database queries through the username parameter. Attackers can submit POST requests to /bin/controller.php with malicious SQL code in the username field to extract...

PT-2026-28142

Name of the Vulnerable Software and Affected Versions OpenEMR versions prior to 8.0.0.3 Description OpenEMR is an electronic health records and medical practice management application. Prior to version 8.0.0.3, an authenticated attacker could create a malicious form. When submitted by a victim,...

CVE-2026-4183 D-Link DIR-816 goahead form2WlanBasicSetup.cgi stack-based overflow

A security vulnerability has been detected in D-Link DIR-816 1.10CNB05. Affected is an unknown function of the file /goform/form2WlanBasicSetup.cgi of the component goahead. Such manipulation of the argument pskValue leads to stack-based buffer overflow. The attack can be executed remotely. The...

CVE-2026-32446

Missing Authorization vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form by WPForms: from n/a through = 1.9.9.3...

WordPress My Sticky Bar plugin <= 2.8.6 - Unauthenticated SQL Injection via 'stickymenu_contact_lead_form' Action vulnerability

Unauthenticated SQL Injection via 'stickymenucontactleadform' Action vulnerability discovered by Dimas Maulana in WordPress Plugin My Sticky Bar versions = 2.8.6...