3615 matches found
ZZcms - Cross-Site Scripting
ZZcms 2019 contains a cross-site scripting vulnerability in the user login page. An attacker can inject arbitrary JavaScript code in the referer header via user/login.php, which can allow theft of cookie-based credentials and launch of subsequent attacks. id: CVE-2020-20285 info: name: ZZcms -...
WPS Hide Login <= 1.9.15.2 - Login Page Disclosure
The WPS Hide Login plugin for WordPress is vulnerable to Login Page Disclosure in all versions up to, and including, 1.9.15.2. This is due to a bypass that is created when the 'action=postpass' parameter is supplied. This makes it possible for attackers to easily discover any login page that may...
Mailcow < 2026-03b - Href Link Injection
mailcow 2026-03b reflects raw REQUESTURI into JavaScript and href links on the login page, allowing attackers to inject parameters that break JS logic and enable phishing. id: CVE-2026-40878 info: name: Mailcow 2026-03b - Href Link Injection author: ritikchaddha severity: low description: | mailc...
A5 Custom Login Page - Reflected XSS
A5 Custom Login Page WordPress plugin v2.8.1 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires a crafted URL or...
Zyxel - Cross-Site Scripting
Zyxel ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200-VPN, ZyWALL 110, ZyWALL 310, and ZyWALL 1100 devices contain a reflected cross-site scripting vulnerability on the security firewall login page via the mpidx...
CVE-2025-65417
docuFORM Managed Print Service Client 11.11c is vulnerable to a reflected cross site scripting attack via the login page of the application...
CVE-2025-65415
docuFORM Managed Print Service Client 11.11c is vulnerable to a session fixation attack via the login page of the application...
CVE-2026-49381
In JetBrains TeamCity before 2026.1 stored XSS on the SAML login page was possible...
CVE-2026-37470
An issue in ClipBucket v5 v.5.5.2 allows an attacker to execute arbitrary code via the Authentication interface, login page endpoint and HTTP response security headers components...
CVE-2026-4512
The reCaptcha by WebDesignBy WordPress plugin before 2.0 does not sanitize or escape the Site Key setting before outputting it in a JavaScript string context via the grecaptchajs function. This allows administrators on multisite installations who do not have the unfilteredhtml capability to injec...
CVE-2026-42887
Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.33.0, a stored cross-site scripting XSS vulnerability exists in the Login Page due to improper sanitization of the authLoginCustomMessage field of the /api/auth-settings endpoint. An attacker with administrative privileges c...
CVE-2026-0971
An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML configured Web Users being redirected to the regular login page instead of the SAML login page...
CVE-2026-23818
A vulnerability has been identified in the graphical user interface GUI of HPE Aruba Networking Private 5G Core On-Prem that could allow an attacker to abuse an open redirect vulnerability in the login flow using a crafted URL. Successful exploitation may redirect an authenticated user to an...
CVE-2026-9139
Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains a hard-coded credential vulnerability in the embedded web configuration interface where authentication is implemented entirely in client-side JavaScript in login.zhtml, exposing static plaintext credentials in the page source...
CVE-2024-33288
Prison Management System Using PHP v1.0 was discovered to contain a SQL injection vulnerability via the username on the Admin login page...
FIFA World Cup 2026 Scams Are Already Live: Fake Sites, Banking Malware, and Stolen Logins
Security researchers and the FBI are warning that a wave of FIFA-themed fraud is already hitting World Cup 2026 fans, days before the June 11 kickoff. Recent reports describe thousands of lookalike FIFA domains, banking malware hidden inside pirate streaming apps, and at least one operation that...
WordPress Simple Custom Login Page plugin <= 1.0.3 - Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
Authenticated Admin+ Stored Cross-Site Scripting vulnerability discovered by Nguyen Duong in WordPress Plugin Simple Custom Login Page versions = 1.0.3...
CVE-2026-10100
The Simple Custom Login Page plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the color settings fields Page Background, Form Background, Text Color, Link Color in versions up to and including 1.0.3. This is due to insufficient input sanitization of the color option values th...
CVE-2026-10100
Technical details are not publicly available in the provided documents. No connected documents with concrete technical details were found. Monitor for updates.
CVE-2026-10100 Simple Custom Login Page <= 1.0.3 - Authenticated (Admin+) Stored Cross-Site Scripting
The Simple Custom Login Page plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the color settings fields Page Background, Form Background, Text Color, Link Color in versions up to and including 1.0.3. This is due to insufficient input sanitization of the color option values th...