EUVD-2025-205439
IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site...
PT-2025-53588
Name of the Vulnerable Software and Affected Versions: IBM Aspera Faspex versions 5.0.0 through 5.0.14.1. Description: The software is susceptible to HTML injection. A remote attacker can inject malicious HTML code that, when viewed, executes within the victim’s web browser in the security context o...
IBM Aspera Faspex Security Vulnerability
IBM Aspera Faspex is an IBM (International Business Machines) solution for rapid global person-to-person file delivery and collaboration. A security vulnerability exists in IBM Aspera Faspex 5 versions 5.0.14.1 and prior; it allows a remote attacker to inject malicious HTML code th...
CVE-2021-47737
CSZ CMS 1.2.7 contains an HTML injection vulnerability that allows authenticated users to insert malicious hyperlinks in message titles. Attackers can craft POST requests to the member messaging system with HTML-based links to potentially conduct phishing or social engineering attacks...
Eurostar Accused Researchers of Blackmail for Reporting AI Chatbot Flaws
Researchers discovered critical flaws in Eurostar’s AI chatbot including prompt injection, HTML injection, guardrail bypass, and unverified chat IDs - Eurostar later accused them of blackmail...
CVE-2021-47737 CSZ CMS 1.2.7 HTML Injection Vulnerability via Member Dashboard
CSZ CMS 1.2.7 contains an HTML injection vulnerability that allows authenticated users to insert malicious hyperlinks in message titles. Attackers can craft POST requests to the member messaging system with HTML-based links to potentially conduct phishing or social engineering attacks...
CVE-2021-47737
CSZ CMS 1.2.7 exposes an HTML injection vulnerability in the member messaging system. The issue allows authenticated users to inject HTML hyperlinks into message titles by crafting POST requests to the member dashboard, enabling potential phishing or social engineering. Impact is limited to HTML ...
CSZ CMS Cross-Site Scripting Vulnerability
CSZ CMS is an open source web application by the individual developer Cskaza Bassist that allows managing all content and settings on a website. A cross-site scripting vulnerability exists in CSZ CMS version 1.2.7, which stems from insufficient validation of message header inputs and could lead t...
PT-2025-52837
Name of the Vulnerable Software and Affected Versions: CSZ CMS version 1.2.7. Description: An HTML injection issue exists in CSZ CMS that permits authenticated users to inject malicious hyperlinks into message titles. Attackers can create POST requests to the member messaging system using HTML-based...
CVE-2025-67712
There is an HTML injection issue in Esri ArcGIS Web AppBuilder developer edition versions prior to 2.30 that allows a remote, unauthenticated attacker to potentially entice a user to click a link that causes arbitrary HTML to render in a victim's browser. There is no evidence of JavaScript...
CVE-2025-7733
The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.7 via the 'csupdateapplicationstatuscallback' due to missing validation on a user controlled key. This makes it possible for authenticated...
CVE-2025-7733 WP JobHunt <= 7.7 - Authenticated (Candidate+) Insecure Direct Object Reference
The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.7 via the 'csupdateapplicationstatuscallback' due to missing validation on a user controlled key. This makes it possible for authenticated...
CVE-2025-66520
A stored cross-site scripting (XSS) vulnerability exists in the Portfolio feature of the Foxit PDF Editor Cloud (pdfonline.foxit.com). User-supplied SVG files are not properly sanitized or validated before being inserted into the HTML structure. As a result, embedded HTML or JavaScript within a craft...
CVE-2025-67842
The Static Asset API in Mintlify Platform before 2025-11-15 allows remote attackers to inject arbitrary web script or HTML via the subdomain parameter because any tenant's assets can be served on any other tenant's documentation site...
EUVD-2025-204604
There is an HTML injection issue in Esri ArcGIS Web AppBuilder developer edition versions prior to 2.30 that allows a remote, unauthenticated attacker to potentially entice a user to click a link that causes arbitrary HTML to render in a victim's browser. There is no evidence of JavaScript...
CVE-2025-67712 HTML injection issue in ArcGIS Web App Builder
There is an HTML injection issue in Esri ArcGIS Web AppBuilder developer edition versions prior to 2.30 that allows a remote, unauthenticated attacker to potentially entice a user to click a link that causes arbitrary HTML to render in a victim's browser. There is no evidence of JavaScript...
CVE-2025-67712
CVE-2025-67712 is an HTML injection issue affecting Esri ArcGIS Web AppBuilder developer edition before 2.30. The vulnerability could allow a remote, unauthenticated attacker to entice a user to click a link that causes arbitrary HTML to render in the victim’s browser; there is no evidence of Jav...