CVE-2026-9714

The Simple Divi Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the showmodule shortcode in versions up to, and including, 1.2 This is due to insufficient input sanitization and output escaping in the showmoduleshortcode function, which...

CVE-2026-8844

The Responsive Check plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rspcheck' shortcode in versions up to, and including, 0.0.3. This is due to insufficient input sanitization and output escaping on the 'url' and 'button' shortcode attributes in the rspccheckshortcode...

EUVD-2026-32101

The Livemesh Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the labbadminajax AJAX action in all versions up to, and including, 3.9.2 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce but doe...

PT-2026-43512

The Tuxquote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'TUXQUOTE' shortcode in versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes 'title', 'align', and 'width' in the tuxquote build...

CVE-2026-8827 SQL Injection in extension "Address List" (tt_address)

The AddressRepository::getSqlQuery method constructs a database query without properly sanitizing user input, leading to SQL Injection. The method is not invoked anywhere within the extension itself and therefore poses no direct risk in a default installation. However, custom extensions that call...

EUVD-2026-29510

The TinyZero project thru commit 6652a63c57fa7e5ccde3fc9c598c7176ff15b839 2025-58-24 contains a critical command injection vulnerability CWE-78 in its HDFS file operation utilities. The vulnerability arises from the unsafe construction and execution of shell commands via os.system without proper...

CVE-2026-31226

CVE-2026-31226 relates to a critical command-injection in TinyZero’s HDFS file operations utilities. The flaw stems from unsafe shell command construction and execution via os.system(), where user-controlled input (e.g., file paths) is interpolated using f-strings inside the _copy() function. An ...

Open WebUI has stored XSS in Excel file preview

Summary Excel file attachments are previewed in an unsafe way. A crafted XLSX file payload can be used to cause the sheetjs function sheettohtml to embed an XSS payload into the generated HTML. This is subsequently added to the DOM unsanitized via @html causing the payload to trigger. Details The...

EUVD-2026-27185

The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'status' parameter in the wprupdateformactionmeta AJAX action in all versions up to, and including, 1.7.1056. This is due to insufficient input sanitization and output escaping, combined with a...

CVE-2026-41304 WWBN AVideo vulnerable to RCE caused by clonesite plugin

WWBN AVideo is an open source video platform. In versions 29.0 and below, the cloneServer.json.php endpoint in the CloneSite plugin constructs shell commands using user-controlled input url parameter without proper sanitization. The input is directly concatenated into a wget command executed via...

GHSA-GJW9-34GF-RP6M Budibase: Command Injection in Bash Automation Step

Location: packages/server/src/automations/steps/bash.ts Description The bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync which allows template interpolation, potentially allowing...

CVE-2026-30564

A Reflected Cross-Site Scripting XSS vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the viewpayments.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or...

CVE-2026-30566

CVE-2026-30566 is a reflected Cross-Site Scripting (XSS) vulnerability in SourceCodester Sales and Inventory System 1.0. The flaw occurs in view_customers.php via the limit parameter, where input is not sanitized, allowing an attacker to inject arbitrary web script or HTML through a crafted URL. ...

CVE-2026-30570

A Reflected Cross-Site Scripting XSS vulnerability exists in SourceCodester Sales and Inventory System 1.0 in the viewsales.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL...

CVE-2026-4072 WordPress PayPal Donation <= 1.01 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'amount' Shortcode Attribute

The WordPress PayPal Donation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'donate' shortcode in all versions up to, and including, 1.01. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'amount', 'email'...

CVE-2025-67493

CVE-2025-67493 affects Homarr before version 1.45.3. The issue arises from missing sanitization of inputs in LDAP search queries, enabling a malicious user with account access to escalate privileges and access groups of other users. Affected software is the Homarr dashboard; root cause is input h...

CVE-2025-63533

A cross-site scripting XSS vulnerability exists in the Blood Bank Management System 1.0 within the updateprofile.php and rprofile.php components. The application fails to properly sanitize or encode user-supplied input before rendering it in response. An attacker can inject malicious JavaScript...

CVE-2025-11764

CVE-2025-11764 affects the WordPress plugin Shortcodes Bootstrap (versions

CVE-2025-12662

The Coon Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'height' parameter in the 'map' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possibl...

CVE-2025-11812 Reuse Builder <= 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Reuse Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'reusebuildersingleposttitle' shortcode in all versions up to, and including, 1.7. This is due to insufficient input sanitization and output escaping on the 'style' attribute. This makes it possible for...