155 matches found
EUVD-2026-39660
HTMLy 3.1.1 contains a Server-Side Request Forgery SSRF vulnerability in the RSS feed import functionality. The function getfeed in system/admin/admin.php passes user-supplied $feedurl directly to filegetcontents without any validation. An authenticated attacker with administrative privileges can...
CVE-2026-57940
HTMLy 3.1.1 contains a Server-Side Request Forgery SSRF vulnerability in the RSS feed import functionality. The function getfeed in system/admin/admin.php passes user-supplied $feedurl directly to filegetcontents without any validation. An authenticated attacker with administrative privileges can...
CVE-2026-57940
CVE-2026-57940 affects HTMLy 3.1.1 and describes an SSRF in the RSS feed import. The vulnerable code path is get_feed() in system/admin/admin.php, which passes user-supplied feed_url directly to file_get_contents() without validation. An authenticated admin can exploit this by supplying a crafted...
CVE-2026-57940
HTMLy 3.1.1 contains a Server-Side Request Forgery SSRF vulnerability in the RSS feed import functionality. The function getfeed in system/admin/admin.php passes user-supplied $feedurl directly to filegetcontents without any validation. An authenticated attacker with administrative privileges can...
CVE-2026-45233
HTMLy CMS through 3.1.1 contains a path traversal vulnerability that allows low-privileged authenticated attackers to relocate arbitrary files by supplying directory traversal sequences in the oldfile parameter at the admin autosave endpoint. Attackers can pass unsanitized traversal sequences...
CVE-2026-45233 HTMLy CMS 3.1.1 Path Traversal via oldfile Parameter in Autosave
HTMLy CMS through 3.1.1 contains a path traversal vulnerability that allows low-privileged authenticated attackers to relocate arbitrary files by supplying directory traversal sequences in the oldfile parameter at the admin autosave endpoint. Attackers can pass unsanitized traversal sequences...
CVE-2026-45233
The CVE details a path traversal in HTMLy CMS (up to version 3.1.1) where an authenticated, low-privilege user can relocate arbitrary files via the admin autosave endpoint. The root cause is unsanitized directory traversal sequences passed to file_exists() and rename() in admin.php without canoni...
CVE-2026-38949
Cross-Site Scripting XSS vulnerability exists in HTMLy version 3.1.1 in the content creation functionality at the /add/content?type=image endpoint. The application fails to properly sanitize user input, allowing injection of arbitrary code...
CVE-2026-38949
Cross-Site Scripting XSS vulnerability exists in HTMLy version 3.1.1 in the content creation functionality at the /add/content?type=image endpoint. The application fails to properly sanitize user input, allowing injection of arbitrary code...
PT-2026-35748
Name of the Vulnerable Software and Affected Versions HTMLy version 3.1.1 Description A Cross-Site Scripting XSS issue exists in the content creation functionality at the '/add/content?type=image' endpoint. The application fails to properly sanitize user input, which allows the injection of...
CVE-2026-38949
Cross-Site Scripting XSS vulnerability exists in HTMLy version 3.1.1 in the content creation functionality at the /add/content?type=image endpoint. The application fails to properly sanitize user input, allowing injection of arbitrary code...
CVE-2026-38949
Cross-Site Scripting XSS vulnerability exists in HTMLy version 3.1.1 in the content creation functionality at the /add/content?type=image endpoint. The application fails to properly sanitize user input, allowing injection of arbitrary code...
CVE-2026-38949
HTMLy 3.1.1 is affected by an XSS in the content creation flow at /add/content?type=image due to insufficient input sanitization. The CVE records an overall CVSSv3.1 base score of 8.9 (HIGH) with network attack vector, low attack complexity, user interaction required, and CHANGED scope; impacts t...
HTMLy 安全漏洞
HTMLy is an open-source PHP-based blog platform. Version 3.1.1 of HTMLy has a security vulnerability. This vulnerability stems from the content creation function at the /add/content?type=image endpoint, which fails to properly clean user input, potentially allowing for the injection of arbitrary...
CVE-2026-38949
Cross-Site Scripting XSS vulnerability exists in HTMLy version 3.1.1 in the content creation functionality at the /add/content?type=image endpoint. The application fails to properly sanitize user input, allowing injection of arbitrary code...
EUVD-2026-26069
Cross-Site Scripting XSS vulnerability exists in HTMLy version 3.1.1 in the content creation functionality at the /add/content?type=image endpoint. The application fails to properly sanitize user input, allowing injection of arbitrary code...
HTMLy Cross Site Scripting
A cross site scripting vulnerability exists in HTMLy CMS. The vulnerability allows remote attackers to inject arbitrary web script or HTML. This issue is older research added to the archive...
CVE-2024-34191
htmly v2.9.6 was discovered to contain an arbitrary file deletion vulnerability via the deletepost function at admin.php. This vulnerability allows attackers to delete arbitrary files via a crafted request...
EUVD-2019-17739
Malware in sbrugna...
EUVD-2021-23298
Malware in sbrugna...