Pagination by BestWebSoft < 1.0.7 - Cross-Site Scripting

The pagination plugin before 1.0.7 for WordPress has multiple XSS issues. id: CVE-2017-18527 info: name: Pagination by BestWebSoft 1.0.7 - Cross-Site Scripting author: luisfelipe146 severity: medium description: | The pagination plugin before 1.0.7 for WordPress has multiple XSS issues. impact: |...

CVE-2026-44789

n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows could achieve global prototype pollution via an unvalidated pagination parameter in the HTTP Request node. Combined with other techniques...

CVE-2026-44789 n8n: HTTP Request Node Pagination Prototype Pollution to RCE

n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows could achieve global prototype pollution via an unvalidated pagination parameter in the HTTP Request node. Combined with other techniques...

CVE-2026-56307

Cap-go before 12.128.12 contains a broken cursor pagination vulnerability in the /private/devices endpoint on the Cloudflare/workerd path that allows authenticated attackers to cause duplicate-page loops and make later rows unreachable. Attackers with app.readdevices access can exploit...

EUVD-2026-38124

Cap-go before 12.128.12 contains a broken cursor pagination vulnerability in the /private/devices endpoint on the Cloudflare/workerd path that allows authenticated attackers to cause duplicate-page loops and make later rows unreachable. Attackers with app.readdevices access can exploit...

CVE-2026-56307 Cap-go - Broken Cursor Pagination in /private/devices Endpoint

Cap-go before 12.128.12 contains a broken cursor pagination vulnerability in the /private/devices endpoint on the Cloudflare/workerd path that allows authenticated attackers to cause duplicate-page loops and make later rows unreachable. Attackers with app.readdevices access can exploit...

CVE-2026-56307

Cap-go before 12.128.12 has a broken cursor pagination vulnerability in the /private/devices endpoint of the Cloudflare/workerd path. Authenticated attackers with app.read_devices can exploit non-advancing cursor filters to trigger infinite pagination loops, causing duplicate pages and making lat...

GHSA-X4QR-QW6H-WVXQ Fleet: Observer-level enrollment secret extraction via ORDER BY oracle on Apple MDM commands endpoint

Summary A vulnerability in Fleet's Apple MDM commands listing endpoint allowed authenticated users with the lowest-privilege Observer role to extract sensitive values from joined database tables — including host enrollment secrets and Apple Push Notification Service APNS tokens — through a...

PT-2026-49057

Name of the Vulnerable Software and Affected Versions Fleet affected versions not specified Description An issue in the Apple MDM commands listing endpoint allows authenticated users with the Observer role to extract sensitive data from joined database tables, such as host enrollment secrets and...

Deserialization of Untrusted Data

Overview org.springframework.graphql:spring-graphql is a GraphQL Support for Spring Applications Affected versions of this package are vulnerable to Deserialization of Untrusted Data via deserialization of pagination-related data in Spring GraphQL. An attacker can achieve remote code execution by...

CVE-2026-8245

Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML attribute injection. Concrete\Core\Legacy\Pagination builds pagination links by raw-interpolating its $URL field into href="" . Any authenticated admin or report viewer with access to...

WWBN AVideo: Unauthenticated Reflected XSS via $_GET['search'] in AVideo YouTubeAPI Gallery Pagination

Unauthenticated Reflected XSS via $GET'search' in AVideo YouTubeAPI Gallery Pagination Summary A reflected Cross-Site Scripting vulnerability CWE-79 in the AVideo YouTubeAPI plugin allows any unauthenticated attacker to execute arbitrary JavaScript in a victim's browser session when the victim...

GHSA-HGJH-6WJ8-GCGF WWBN AVideo: Unauthenticated Reflected XSS via $_GET['search'] in AVideo YouTubeAPI Gallery Pagination

Unauthenticated Reflected XSS via $GET'search' in AVideo YouTubeAPI Gallery Pagination Summary A reflected Cross-Site Scripting vulnerability CWE-79 in the AVideo YouTubeAPI plugin allows any unauthenticated attacker to execute arbitrary JavaScript in a victim's browser session when the victim...

PT-2026-46865

Unauthenticated Reflected XSS via $ GET'search' in AVideo YouTubeAPI Gallery Pagination Summary A reflected Cross-Site Scripting vulnerability CWE-79 in the AVideo YouTubeAPI plugin allows any unauthenticated attacker to execute arbitrary JavaScript in a victim's browser session when the victim...

PT-2026-46894

Unauthenticated Reflected XSS via $ GET'search' in AVideo YouTubeAPI Gallery Pagination Summary A reflected Cross-Site Scripting vulnerability CWE-79 in the AVideo YouTubeAPI plugin allows any unauthenticated attacker to execute arbitrary JavaScript in a victim's browser session when the victim...

CVE-2025-11993 WooCommerce Infinite Scroll and Ajax Pagination <= 1.8 - Authenticated (Subscriber+) PHP Object Injection

The WooCommerce Infinite Scroll and Ajax Pagination plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.8 via the 'settings' parameter in the 'importsettings' function. This is due to deserialization of untrusted data supplied via the import...

CVE-2025-11993

CVE-2025-11993 affects the WordPress plugin “WooCommerce Infinite Scroll and Ajax Pagination” (versions up to 1.8). The issue is a PHP Object Injection via the import_settings function’s settings parameter, caused by deserializing untrusted data without capability checks. An authenticated attacke...

SUSE CVE-2026-45076

Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, in federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full history to paginating clients. Clients could therefore fail to display room history. This...

PYSEC-0000-CVE-2026-45076

Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, in federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full history to paginating clients. Clients could therefore fail to display room history. This...

CVE-2026-45076

Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, in federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full history to paginating clients. Clients could therefore fail to display room history. This...