CVE-2025-10692 OpenSupports 4.11.0 — SQL Injection
The endpoint POST /api/staff/get-new-tickets concatenates the user-controlled parameter departmentId directly into the SQL WHERE clause without parameter binding. As a result, an authenticated staff user level ≥ 1 can inject SQL to alter the filter logic, effectively bypassing department scoping...
EUVD-2021-32554
Malicious code in bioql PyPI...
EUVD-2022-4370
Malicious code in bioql PyPI...
EUVD-2021-28345
Malicious code in bioql PyPI...
EUVD-2025-26919
Malicious code in bioql PyPI...
EUVD-2022-40965
Malicious code in bioql PyPI...
EUVD-2024-29103
Malicious code in bioql PyPI...
CVE-2025-58645
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gravitate Gravitate Automated Tester gravitate-automated-tester allows Stored XSS. This issue affects Gravitate Automated Tester: from n/a through 1.4.5...
Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the logoNavbar or logoLogin arguments in the SVG File Handler component of the /admin path. An attacker can inject and execute arbitrary scripts by supplying crafted input to these arguments. Details...
CVE-2025-57347
A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConflict function, which fails to properly sanitize user-supplied input during property assignment operations. This flaw allows attackers to exploit prototype pollution...
IBM Copy Services Manager Cross-Site Scripting Vulnerability
IBM Copy Services Manager is IBM's data replication management software for simplifying and automating data replication operations in enterprise storage environments. A cross-site scripting vulnerability exists in IBM Copy Services Manager 6.3.13, which stems from insufficient filtering and...
esri Portal for ArcGIS Enterprise Sites Cross-Site Scripting Vulnerability (CNVD-2025-21186)
esri Portal for ArcGIS Enterprise Sites is an enterprise-level geographic information sharing platform from ESRI that allows users within an organization to view, edit, and share geographic information through the portal. A cross-site scripting vulnerability exists in esri Portal for ArcGIS...
Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the PortalUtil.escapeRedirect function. An authenticated attacker can execute arbitrary JavaScript in the context of a user's browser by injecting malicious input into the affected process. Details: Cross-sit...
Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the portletNamespace and namespace of the Dynamic Data Mapping portlet. An attacker can execute arbitrary JavaScript code in the context of the user's browser by injecting malicious input into these...
CVE-2025-9238
CVE-2025-9238 affects the Swatadru Exam-Seating-Arrangement, specifically the Student Login component where the vulnerable function resides in the file /student.php. Manipulating the email argument can lead to a SQL injection, with remote exploitation possible. Multiple sources (NVD, Red Hat, CVE...
Linux Distros Unpatched Vulnerability : CVE-2020-13753
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - The bubblewrap sandbox of WebKitGTK and WPE WebKit, prior to 2.28.3, failed to properly block access to CLONE_NEWUSER and the TIOCSTI ioctl. CLONE_NEWUSER could...
CVE-2025-42956
SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to create a malicious link which they can make publicly available. When an authenticated victim clicks on this malicious link, injected input data will be used by the web site page generation to create...
CVE-2025-53486 WikiCategoryTagCloud: Reflected Cross-Site Scripting (XSS) via linkstyle attribute in parser function
The WikiCategoryTagCloud extension is vulnerable to reflected XSS via the linkstyle attribute, which is improperly concatenated into inline HTML without escaping. An attacker can inject JavaScript event handlers such as onmouseenter using carefully crafted input via the tag:tagcloud parser...
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
Overview: apache-airflow-providers-snowflake is a Provider package (apache-airflow-providers-snowflake) for Apache Airflow. Affected versions of this package are vulnerable to Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in the...
AirKeyboard iOS App 1.0.5 - Remote Input Injection
Exploit Title: AirKeyboard iOS App 1.0.5 - Remote Input Injection Date: 2025-06-13 Exploit Author: Chokri Hammedi Vendor Homepage: https://airkeyboardapp.com Software Link: https://apps.apple.com/us/app/air-keyboard/id6463187929 Version: Version 1.0.5 Tested on: iOS 18.5 with AirKeyboard app '''...