
364 matches found

EUVD
added 2026/03/02 3:18 p.m. | 2 views

EUVD-2025-208166

Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /main/admin/sub_language_ajax.inc.php via the POST new_language parameter. This issue has been patched in version 1.11.30...

7.1 CVSS | 5.9 AI score | 0.00745 EPSS
Exploits 1 | References 3
Cvelist
added 2026/03/02 3:18 p.m. | 27 views

CVE-2025-50197 Chamilo: OS Command Injection in /main/admin/sub_language_ajax.inc.php via POST new_language parameter

Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /main/admin/sub_language_ajax.inc.php via the POST new_language parameter. This issue has been patched in version 1.11.30...

7.1 CVSS | 0.00745 EPSS
Exploits 1 | References 3
CNNVD
added 2026/03/02 12:00 a.m. | 3 views

Chamilo OS command injection vulnerability

Chamilo is an open-source learning management system developed by Chamilo. Versions of Chamilo prior to 1.11.30 contained a vulnerability related to operating system command injection. This vulnerability stemmed from improper handling of the POST parameter “new_language” in the file...

7.2 CVSS | 5.8 AI score | 0.00745 EPSS
Exploits 1 | References 3
OSV
added 2026/02/27 11:16 a.m. | 3 views

CVE-2026-1434

Omega-PSIR is vulnerable to Reflected XSS via the lang parameter. An attacker can craft a malicious URL that, when opened, causes arbitrary JavaScript to execute in the victim’s browser. This issue was fixed in 4.6.7...

6.1 CVSS | 6 AI score | 0.00039 EPSS
Exploits 2 | References 2
CVE
added 2026/02/27 10:32 a.m. | 9 views

CVE-2026-1434

Omega-PSIR is affected by a Reflected XSS vulnerability in the lang parameter. An attacker can craft a malicious URL that, when opened by a user, causes arbitrary JavaScript to execute in the victim’s browser. The issue has a fixed version: 4.6.7. The CVSS data indicates Network attack vector, lo...

6.1 CVSS | 6.1 AI score | 0.00039 EPSS
Exploits 2 | References 2 | Affected Software 1
Cvelist
added 2026/02/14 6:42 a.m. | 28 views

CVE-2026-0745 User Language Switch <= 1.6.10 - Authenticated (Administrator+) Server-Side Request Forgery via 'info_language' Parameter

The User Language Switch plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.10 due to missing URL validation on the 'downloadlanguage' function. This makes it possible for authenticated attackers, with Administrator-level access and above, ...

5.5 CVSS | 0.00012 EPSS
Exploits 0 | References 5
Patchstack
added 2026/02/13 11:15 p.m. | 4 views

WordPress User Language Switch plugin <= 1.6.10 - Authenticated (Administrator+) Server-Side Request Forgery via 'info_language' Parameter vulnerability

Authenticated (Administrator+) Server-Side Request Forgery via 'info_language' Parameter vulnerability discovered by 0x34rth in WordPress Plugin User Language Switch versions <= 1.6.10...

7.2 CVSS | 5.5 AI score | 0.00012 EPSS
Exploits 0 | References 1 | Affected Software 1
Cvelist
added 2026/02/07 11:32 a.m. | 30 views

CVE-2026-2084 D-Link DIR-823X set_language os command injection

A weakness has been identified in D-Link DIR-823X 250416. This impacts an unknown function of the file /goform/set_language. Executing a manipulation of the argument langSelection can lead to os command injection. It is possible to launch the attack remotely. The exploit has been made available to...

8.6 CVSS | 0.00635 EPSS
Exploits 1 | References 6
CNNVD
added 2026/02/07 12:00 a.m. | 2 views

D-Link DIR-823X OS command injection vulnerability

The D-Link DIR-823X is a wireless router produced by D-Link Corporation. The D-Link DIR-823X 250416 version has a vulnerability related to operating system command injection. This vulnerability stems from incorrect handling of the parameter “langSelection” in the file “goform/set_language”, which...

8.6 CVSS | 7 AI score | 0.00635 EPSS
Exploits 1 | References 7
Vulnrichment
added 2026/02/02 10:40 p.m. | 1 view

CVE-2026-25134 Group-Office Argument Injection in MaintenanceController::actionZipLanguage

Group-Office is an enterprise customer relationship management and groupware tool. Prior to 6.8.150, 25.0.82, and 26.0.5, the MaintenanceController exposes an action zipLanguage which takes a lang parameter and passes it directly to a system zip command via exec. This can be combined with uploadi...

9.4 CVSS | 6 AI score | 0.002 EPSS
Exploits 1 | References 2
CNNVD
added 2026/02/02 12:00 a.m. | 3 views

Group Office parameter injection vulnerability

Group Office is a modular office suite developed by the Dutch company Group Office. Versions of Group Office prior to 6.8.150, 25.0.82, and 26.0.5 contained a parameter injection vulnerability. This vulnerability stemmed from the direct passing of the lang parameter to system commands, which coul...

9.4 CVSS | 6.2 AI score | 0.002 EPSS
Exploits 1 | References 2
RedhatCVE
added 2026/01/28 3:18 p.m. | 6 views

CVE-2025-12387

A vulnerability in the Pix-Link LV-WR21Q router's language module allows remote attackers to trigger a denial of service (DoS) by sending a specially crafted HTTP POST request containing a non-existing language parameter. This renders the server unable to serve the correct lang.js file, which causes...

6.9 CVSS | 6 AI score | 0.00226 EPSS
Exploits 0 | References 1
ATTACKERKB
added 2026/01/27 11:57 a.m. | 2 views

CVE-2025-12387

A vulnerability in the Pix-Link LV-WR21Q router's language module allows remote attackers to trigger a denial of service (DoS) by sending a specially crafted HTTP POST request containing a non-existing language parameter. This renders the server unable to serve the correct lang.js file, which causes...

6.9 CVSS | 6 AI score | 0.00226 EPSS
Exploits 0 | References 3
CVE
added 2026/01/27 11:57 a.m. | 10 views

CVE-2025-12387

CVE-2025-12387 affects the Pix-Link LV-WR21Q router. The vulnerability resides in the router’s language module and can be triggered by sending a specially crafted HTTP POST with a non-existing language parameter, causing the admin panel to fail to serve lang.js and leading to a DoS of the adminis...

6.9 CVSS | 6 AI score | 0.00226 EPSS
Exploits 0 | References 3
RedhatCVE
added 2026/01/09 11:30 a.m. | 6 views

CVE-2021-27973

SQL injection exists in Piwigo before 11.4.0 via the language parameter to admin.php?page=languages...

7.2 CVSS | 7.8 AI score | 0.00194 EPSS
Exploits 4 | References 1
RedhatCVE
added 2025/12/16 8:44 p.m. | 2 views

CVE-2023-53870

Jorani 1.0.3 contains a reflected cross-site scripting vulnerability in the language parameter that allows attackers to inject malicious scripts. Attackers can craft XSS payloads in the language parameter to execute arbitrary JavaScript and potentially steal user session information...

5.1 CVSS | 6.1 AI score | 0.00052 EPSS
Exploits 0 | References 1
EUVD
added 2025/12/15 11:07 p.m. | 1 view

EUVD-2025-203469

FreshRSS is a self-hosted RSS feed aggregator. In versions 1.23.0 through 1.27.0, using a path traversal inside the language user configuration parameter, it's possible to call install.php and perform various administrative actions as an unprivileged user. These actions include logging in as the...

8.7 CVSS | 6.8 AI score | 0.00157 EPSS
Exploits 1 | References 7
CVE
added 2025/12/15 11:07 p.m. | 9 views

CVE-2025-58173

FreshRSS (self-hosted RSS aggregator) is affected by a path traversal in the language configuration parameter that existed in versions 1.23.0–1.27.0. An unprivileged user could call install.php and perform administrative actions, including logging in as admin, creating a new admin user, or config...

8.8 CVSS | 6.9 AI score | 0.00157 EPSS
Exploits 1 | References 7 | Affected Software 1
NVD
added 2025/12/15 9:15 p.m. | 2 views

CVE-2023-53870

Jorani 1.0.3 contains a reflected cross-site scripting vulnerability in the language parameter that allows attackers to inject malicious scripts. Attackers can craft XSS payloads in the language parameter to execute arbitrary JavaScript and potentially steal user session information...

5.1 CVSS | 0.00052 EPSS
Exploits 0 | References 3
Cvelist
added 2025/12/15 8:28 p.m. | 17 views

CVE-2023-53870 Jorani 1.0.3 Cross-Site Scripting Vulnerability via Language Parameter

Jorani 1.0.3 contains a reflected cross-site scripting vulnerability in the language parameter that allows attackers to inject malicious scripts. Attackers can craft XSS payloads in the language parameter to execute arbitrary JavaScript and potentially steal user session information...

5.1 CVSS | 0.00052 EPSS
Exploits 0 | References 3