GHSA-7CM9-V848-CFH2 CI4MS has stored XSS via Unescaped Blacklist Note in Admin User List
Summary The blacklist ban note parameter in UserController::ajaxblackListpost is stored in the database without sanitization and rendered into an HTML data-note attribute without escaping. An admin with blacklist privileges can inject arbitrary JavaScript that executes in the browser of any other...
CVE-2026-21632
Joomla! CMS core contains XSS vectors in various article title outputs. Affected versions: 4.0.0–5.4.3 and 6.0.0–6.0.3. The connected document specifies core-XSS in article titles; no exploit specifics or remediation are provided in the excerpt.
EUVD-2025-27429
Malicious code in bioql PyPI...
PT-2025-33528 · WordPress · Surbma | Recent Comments Shortcode
Name of the Vulnerable Software and Affected Versions: Surbma | Recent Comments Shortcode plugin for WordPress versions up to and including 2.0 Description: The Surbma | Recent Comments Shortcode plugin for WordPress is susceptible to Stored Cross-Site Scripting via the plugin's recent-comments...
CVE-2024-6017
The Music Request Manager WordPress plugin through 1.3 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack...
CVE-2023-0058
The Tiempo.com WordPress plugin through 0.1.2 does not have a CSRF check when creating and editing its shortcode, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack...
CVE-2024-11719
The tarteaucitron-wp WordPress plugin before 0.3.0 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack...
CVE-2024-12282 WordPress连接微博 <= 2.5.6 - Stored XSS via CSRF
The WordPress连接微博 WordPress plugin through 2.5.6 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack...
CVE-2024-8243
The WordPress/Plugin Upgrade Time Out Plugin WordPress plugin through 1.0 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack...
CVE-2020-36731
The Flexible Checkout Fields for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Plugin Settings update, in addition to Stored Cross-Site Scripting in versions up to, and including, 2.3.1. This is due to missing authorization checks on the updateSettingsAction function...
CVE-2024-13115
The WP Projects Portfolio with Client Testimonials WordPress plugin through 3.0 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack...
PT-2024-16376 · WordPress · Fat Rat Collect
Name of the Vulnerable Software and Affected Versions: Fat Rat Collect plugin for WordPress versions up to, and including, 2.7.3 Description: The issue is related to Reflected Cross-Site Scripting due to missing escaping on a URL. This allows unauthenticated attackers to inject arbitrary web...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to missing escaping of messages and parameters. Details Cross-site scripting or XSS is a code vulnerability that occurs when an attacker "injects" a malicious script into an otherwise trusted website. The...
Joomla! security vulnerability
Joomla! is a free, open source content management system from Joomla! open source. A security vulnerability exists in Joomla! versions 4.0.0 through 4.4.6 and 5.0.0 through 5.1.2, which stems from a lack of escape mechanism in the email template functionality, resulting in cross-site scripting...
CVE-2024-42489 Pro Macros Remote Code Execution via Viewpdf and similar macros
Pro Macros provides XWiki rendering macros. Missing escaping in the Viewpdf macro allows any user with view right on the CKEditor.HTMLConverter page or edit or comment right on any page to perform remote code execution. Other macros like Viewppt are vulnerable to the same kind of attack. This...
CVE-2024-5280
The wp-affiliate-platform WordPress plugin before 6.5.1 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make non-logged-in users execute an XSS payload via a CSRF attack...
CVE-2024-3582
The UnGallery WordPress plugin through 2.2.4 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack...
Ampache security vulnerability
Ampache is a web-based audio/video application and file manager. A cross-site scripting vulnerability exists in Ampache 6.2.1 and earlier versions, which stems from the lack of effective filtering and escaping of user-supplied data in /preferences.php?action=adminupdatepreferences, which can be...
SuiteCRM code injection vulnerability
SuiteCRM is a customer relationship management system from the SuiteCRM team. SuiteCRM suffers from an HTML injection vulnerability that stems from a lack of proper filtering and escaping of user-supplied data in the salesagility/suitecrm title, which can be exploited by an attacker to cause HTML...
SUSE CVE-2019-11025
In clearFilter in utilities.php in Cacti before 1.2.3, no escaping occurs before printing out the value of the SNMP community string SNMP Options in the View poller cache, leading to XSS...