GHSA-PQH6-8FXF-JX22 phpMyFAQ has stored XSS via | raw Filter in search.twig — html_entity_decode(strip_tags()) Bypass in Search Result Rendering

Summary The search result rendering template search.twig outputs FAQ content fields result.question and result.answerPreview using Twig's | raw filter, which completely disables the template engine's built-in auto-escaping. A user with FAQ editor/contributor privileges can store a payload encoded...

CVE-2026-5324 Brizy – Page Builder <= 2.8.11 - Unauthenticated Stored Cross-Site Scripting via FileUpload Field Value

The Brizy – Page Builder plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to, and including, 2.8.11 This is due to a combination of missing nonce verification for unauthenticated form submissions, insufficient handling of FileUpload fields when ...

PT-2026-36594

The Brizy – Page Builder plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to, and including, 2.8.11 This is due to a combination of missing nonce verification for unauthenticated form submissions, insufficient handling of FileUpload fields when ...

EUVD-2026-20845

The Ultimate FAQ Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via FAQ content in all versions up to, and including, 2.4.7. This is due to the plugin calling htmlentitydecode on postcontent during rendering in the setdisplayvariables function View.FAQ.class.php, line...

CVE-2026-4336

The Ultimate FAQ Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via FAQ content in all versions up to, and including, 2.4.7. This is due to the plugin calling htmlentitydecode on postcontent during rendering in the setdisplayvariables function View.FAQ.class.php, line...

GHSA-GHX5-7JJG-Q2J7 AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization in Channel About Field

Summary A sanitization order-of-operations flaw in the user profile "about" field allows any registered user to inject arbitrary JavaScript that executes when other users visit their channel page. The xssesc function entity-encodes input before stripspecifictags can match dangerous HTML tags, and...

AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization in Channel About Field

Summary A sanitization order-of-operations flaw in the user profile "about" field allows any registered user to inject arbitrary JavaScript that executes when other users visit their channel page. The xssesc function entity-encodes input before stripspecifictags can match dangerous HTML tags, and...

CVE-2026-33683 AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization in Channel About Field

WWBN AVideo is an open source video platform. In versions up to and including 26.0, a sanitization order-of-operations flaw in the user profile "about" field allows any registered user to inject arbitrary JavaScript that executes when other users visit their channel page. The xssesc function...

CVE-2026-33683 AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization in Channel About Field

WWBN AVideo is an open source video platform. In versions up to and including 26.0, a sanitization order-of-operations flaw in the user profile "about" field allows any registered user to inject arbitrary JavaScript that executes when other users visit their channel page. The xssesc function...

CVE-2026-33683

WWBN AVideo (open source video platform) versions up to and including 26.0 are affected by a sanitization order-of-operations flaw in the user profile “about” field. The vulnerability enables any registered user to inject arbitrary JavaScript that runs when other users visit the attacker’s channe...

CVE-2026-33683 AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization in Channel About Field

WWBN AVideo is an open source video platform. In versions up to and including 26.0, a sanitization order-of-operations flaw in the user profile "about" field allows any registered user to inject arbitrary JavaScript that executes when other users visit their channel page. The xssesc function...

CVE-2026-1866

The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via double HTML-entity encoding in all versions up to, and including, 1.32.0. This is due to the plugin's sanitization function calling htmlentitydecode before wpkses, and then calling htmlentitydecode again on...

BIT-MODSECURITY-2025-27110 Libmodsecurity3 has possible bypass of encoded HTML entities

Libmodsecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connectors taking in web traffic and applying traditional ModSecurity processing. A bug that exists only in Libmodsecurity3 version 3.0.13 means that, in 3.0.13, Libmodsecurit...

SUSE CVE-2006-1490

PHP before 5.1.3-RC1 might allow remote attackers to obtain portions of memory via crafted binary data sent to a script that processes user input in the htmlentitydecode function and sends the encoded results back to the client, aka a "binary safety" issue. NOTE: this issue has been referred to a...

Cmseasy某处存在存储型XSS及代码分析（1）

简要描述： 最新版cmseasy存在存储型xss 版本：CmsEasy5.5UTF-820140415 详细说明： 在bbs下的所有POST提交，都会经过bbspublic.php文件里的removexss函数过滤。如下： 可以看到所有POST数据会到dxss函数里 跟进dxss，可以看到数据又来到了removexss里 继续跟进removexss，从图中的1中可以看到removexss首先过滤了一些特殊符号，接着看图中2处，用循环做了一个html实体解码，接着在图中3处用了htmlentitydecode再次进行了一次解码，然后用if判断判断如果还有html编码就exit。...

[SA19383] PHP &quot;html_entity_decode&#40;&#41;&quot; Information Disclosure Vulnerability

TITLE: PHP "htmlentitydecode" Information Disclosure Vulnerability SECUNIA ADVISORY ID: SA19383 VERIFY ADVISORY: http://secunia.com/advisories/19383/ CRITICAL: Less critical IMPACT: Exposure of sensitive information WHERE: From remote SOFTWARE: PHP 4.3.x http://secunia.com/product/922/ PHP 4.4.x...