CVE-2026-32757
Admidio is an open-source user management solution. In versions 5.0.6 and below, the eCard send handler uses a raw `$_POST['ecardmessage']` value instead of the HTMLPurifier-sanitized `$formValues['ecardmessage']` when constructing the greeting card HTML. This allows an authenticated attacker to inject...
CVE-2026-29100
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. SuiteCRM 7.15.0 contains a reflected HTML injection vulnerability in the login page that allows attackers to inject arbitrary HTML content, enabling phishing attacks and page defacement. Versio...
CVE-2026-32757
CVE-2026-32757 (Admidio) : Multiple sources detail an HTMLPurifier bypass in the eCard feature for Admidio
CVE-2026-32757 Admidio: HTMLPurifier Bypass in eCard Message Allows HTML Email Injection
Admidio is an open-source user management solution. In versions 5.0.6 and below, the eCard send handler uses a raw `$_POST['ecardmessage']` value instead of the HTMLPurifier-sanitized `$formValues['ecardmessage']` when constructing the greeting card HTML. This allows an authenticated attacker to inject...
CVE-2026-29100 SuiteCRM has Reflected HTML Injection in Login Page via default_user_name Parameter
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. SuiteCRM 7.15.0 contains a reflected HTML injection vulnerability in the login page that allows attackers to inject arbitrary HTML content, enabling phishing attacks and page defacement. Versio...
CVE-2026-29100
Summary: CVE-2026-29100 affects SuiteCRM. The vulnerability is a reflected HTML injection on the login page, enabling an attacker to inject arbitrary HTML content (e.g., phishing content or page defacement). The issue is associated with SuiteCRM version 7.15.0 and is fixed in 7.15.1. What’s affec...
CVE-2026-32040
OpenClaw contains an HTML injection vulnerability in the HTML session exporter for versions prior to 2026.2.23. The issue arises from unvalidated mimeType values in image content blocks inside data-URL contexts, which can break out of the img src data-URL and enable cross-site scripting when the ...
CVE-2026-32040 OpenClaw < 2026.2.23 - HTML Injection via Unvalidated Image MIME Type in Data-URL Interpolation
OpenClaw versions prior to 2026.2.23 contain an HTML injection vulnerability in the HTML session exporter that allows attackers to execute arbitrary JavaScript by injecting malicious mimeType values in image content blocks. Attackers can craft session entries with specially crafted mimeType...
CVE-2026-27166 Discourse vulnerable to HTML injection via prohibited iframe URLs
Discourse is an open source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1 and 2026.1.2, insufficient cleanup in the default Codepen allowed iframes value allows an attacker to trick a user into changing the URL of the main page. This issue has been fixed in versions...
CVE-2026-27166
CVE-2026-27166 (Discourse) : Vulnerability in the default Codepen iframe handling where insufficient cleanup allowed an attacker to cause a user to change the main page URL. Affected software: Discourse before versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. Root cause: improper filtering/clea...
OpenClaw Cross-Site Scripting Vulnerability
OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.2.23 had a cross-site scripting vulnerability. This vulnerability stemmed from HTML injection issues, which could allow attackers to execute arbitrary JavaScript code...
SuiteCRM Cross-Site Scripting Vulnerability
SuiteCRM is a customer relationship management system developed by the SuiteCRM team. Version 7.15.0 of SuiteCRM contains a cross-site scripting vulnerability. This vulnerability stems from a reflected HTML injection in the login page, which allows attackers to inject arbitrary HTML content...
CVE-2026-32703
OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from repositories. This allowed an attacker with push access into the repository to create commits wit...
CVE-2026-32703 OpenProject's repository files are served with the MIME type allowing them to be used to bypass Content Security Policy
OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from repositories. This allowed an attacker with push access into the repository to create commits wit...