18 matches found
EUVD-2026-42062
Lack of escaping leads to an XSS vulnerability in the generic image output layout...
[20260707] - Core - XSS in the generic image output layout
Lack of escaping leads to an XSS vulnerability in the generic image output layout...
GHSA-R633-FCGP-M532 FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse)
Summary Stored XSS is possible via share metadata fields e.g., title, description that are rendered into HTML for /public/share/ without context-aware escaping. The server uses text/template instead of html/template, allowing injected scripts to execute when victims visit the share URL. Details T...
EUVD-2023-1786
Malicious code in bioql PyPI...
CVE-2024-7687
The AZIndex WordPress plugin through 0.8.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...
CVE-2025-27109
SolidJS CVE-2025-27109 describes a Cross-Site Scripting (XSS) vulnerability where user input rendered inside illegal inlined JSX fragments could be unescaped. Affected: SolidJS library with problematic JSX fragment handling. Root cause: lack of escaping in JSX fragments that allows user input to ...
CVE-2024-22116 Remote code execution within ping script
An administrator with restricted permissions can exploit the script execution functionality within the Monitoring Hosts section. The lack of default escaping for script parameters enabled this user ability to execute arbitrary code via the Ping script, thereby compromising infrastructure...
Microweber 跨站脚本漏洞
Microweber is an online store management system that provides drag and drop functionality from the Microweber community in the United States. The system includes modules for adding products, images, and more. A cross-site scripting vulnerability exists in Microweber versions prior to 2.0, which...
MediaWiki Cross-site Scripting vulnerability
An issue was discovered in SiteLinksView.php in Wikibase in MediaWiki through 1.39.3. There is XSS via a crafted badge title attribute. This is also related to lack of escaping in wbTemplate from resources/wikibase/templates.js for quotes which can be in a title attribute...
GHSA-FMRF-P77G-VV5C MediaWiki Cross-site Scripting vulnerability
An issue was discovered in SiteLinksView.php in Wikibase in MediaWiki through 1.39.3. There is XSS via a crafted badge title attribute. This is also related to lack of escaping in wbTemplate from resources/wikibase/templates.js for quotes which can be in a title attribute...
CVE-2023-37302
An issue was discovered in SiteLinksView.php in Wikibase in MediaWiki through 1.39.3. There is XSS via a crafted badge title attribute. This is also related to lack of escaping in wbTemplate from resources/wikibase/templates.js for quotes which can be in a title attribute...
CVE-2023-37302
An issue was discovered in SiteLinksView.php in Wikibase in MediaWiki through 1.39.3. There is XSS via a crafted badge title attribute. This is also related to lack of escaping in wbTemplate from resources/wikibase/templates.js for quotes which can be in a title attribute...
Zephyr Project Manager < 3.2.55 - Unauthorised AJAX Calls To Stored XSS
The plugin does not have any authorisation as well as CSRF in all its AJAX actions, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks...
WP STAGING < 2.9.18 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup With the web browser inspector, change the input...
CVE-2022-1829
The Inline Google Maps WordPress plugin through 5.11 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack, and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping...
CVE-2021-25075 Duplicate Page or Post < 1.5.1 - Arbitrary Settings Update to Stored XSS
The Duplicate Page or Post WordPress plugin before 1.5.1 does not have any authorisation and has a flawed CSRF check in the wpdevartduplicatepostparametrssaveindb AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings, or perform such attack...
MartDevelopers iResturant 跨站脚本漏洞
MartDevelopers iResturant is an open source lightweight restaurant Erp from MartDevelopers Kenya, designed to integrate social restaurant operations into a single system. A cross-site scripting vulnerability exists in version 1.0 of MartDevelopers iRestaurant, which stems from a lack of filtering...
[20180101] - Core - XSS vulnerability in module chromes
Lack of escaping in the module chromes leads to XSS vulnerabilities in the module system...