Lucene search
K

696 matches found

Github Security Blog
Github Security Blog
added 2026/04/01 10:7 p.m.8 views

CI4MS: Blogs Posts Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Summary Vulnerability: Stored DOM XSS via Blog Post Content Persistent Payload Injection - Stored Cross-Site Scripting via Unsanitized Blog Post Content in Blog Management Description The application fails to properly sanitize user-controlled input when creating or editing blog posts. An attacker...

9.1CVSS6.2AI score0.00317EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/04/01 10:3 p.m.1 views

GHSA-V897-C6VQ-6CR3 CI4MS: System Settings (Company Information) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Summary Vulnerability: Stored DOM XSS via System Settings – Company Information Same-Page Attribute Breakout & Persistent Payload Injection - Stored Cross-Site Scripting via Unsanitized Company Information Configuration Fields with Immediate Same-Page Execution Description The application fails t...

4.7CVSS6.2AI score0.00274EPSS
Exploits1References4
RedhatCVE
RedhatCVE
added 2026/03/31 4:59 a.m.12 views

CVE-2026-30082

Multiple stored cross-site scripting XSS vulnerabilities in the Edit feature of the Software Package List page of IngEstate Server v11.14.0 allow attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the About application, What's news, or Release note parameters...

6.1CVSS6AI score0.00189EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/03/31 12:0 a.m.9 views

cpp-httplib 环境问题漏洞

cpp-httplib is a C++ library developed by Yhirose, which includes servers and clients for HTTP/HTTPS communication. Versions of cpp-httplib prior to 0.40.0 contained environmental issues. This issue stems from the static file processing mechanism not properly handling the request body, which coul...

6.5CVSS5.8AI score0.00196EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/03/26 3:14 p.m.4 views

CVE-2024-51224

Multiple cross-site scripting XSS vulnerabilities in the component /admin/edit-vehicle.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the vehiclename, modelnumber, regnumber, vehiclesubtype,...

4.8CVSS5.8AI score0.00184EPSS
Exploits1References1
CVE
CVE
added 2026/03/24 11:27 a.m.8 views

CVE-2019-25637

X-NetStat Pro 5.63 contains a local buffer overflow vulnerability that allows a local attacker to execute arbitrary code by overwriting the EIP register via a 264-byte overflow. The attacker can inject shellcode into memory and use an egg hunter technique to locate and execute the payload when th...

8.6CVSS6.5AI score0.00183EPSS
Exploits0References3
CVE
CVE
added 2026/03/24 11:27 a.m.19 views

CVE-2019-25633

CVE-2019-25633 affects AIDA64 Extreme 5.99.4900. A structured exception handling buffer overflow via the email preferences and report wizard interfaces allows a local attacker to execute arbitrary code by supplying crafted input. Specifically, payloads injected into the Display name field and via...

8.6CVSS6.4AI score0.00257EPSS
Exploits1References4Affected Software1
CNNVD
CNNVD
added 2026/03/24 12:0 a.m.9 views

Nesote Inout Article Base CMS SQL注入漏洞

Nesote Inout Article Base CMS is a content management system developed by the Indian company Nesote, designed for building article publishing and content management websites. The Inout Article Base CMS has a SQL injection vulnerability. This vulnerability stems from SQL injection attacks, allowin...

8.8CVSS5.9AI score0.00334EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/03/23 12:0 a.m.2 views

CVE-2024-51226

A stored cross-site scripting XSS vulnerability in the component /admin/search-vehicle.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Search parameter...

5.8AI score0.00192EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/03/20 5:25 p.m.5 views

oRPC has Stored XSS in OpenAPI Reference Plugin via unescaped JSON.stringify

A Stored Cross-Site Scripting XSS vulnerability exists in the OpenAPI documentation generation of orpc. If an attacker can control any field within the OpenAPI specification such as info.description, they can break out of the JSON context and execute arbitrary JavaScript when a user views the...

8.2CVSS6.1AI score0.00288EPSS
Exploits1References5Affected Software1
OSV
OSV
added 2026/03/20 1:4 a.m.2 views

CVE-2026-32880 ChurchCRM is vulnerable to Stored XSS through JSON handling in SystemSettings.php

ChurchCRM is an open-source church management system. Versions prior to 7.0.2 allow an admin user to edit JSON type system settings to store a JavaScript payload that can execute when any admin views the system settings. The JSON input is left unescaped/unsanitized in SystemSettings.php, leading ...

6.4CVSS5.8AI score0.0032EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/03/15 6:34 p.m.26 views

CVE-2017-20219 Serviio PRO 1.8 DOM-based Cross-Site Scripting via mediabrowser

Serviio PRO 1.8 DLNA Media Streaming Server contains a DOM-based cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads. Attackers can craft URLs with malicious input that is read from document.location and passed to...

6.1CVSS0.00238EPSS
Exploits1References6
GithubExploit
GithubExploit
added 2026/03/15 6:9 p.m.162 views

Exploit for Cross-site Scripting in Invoiceplane

CVE-2026-25594 — Stored XSS via Family Name in InvoicePlane 1...

4.8CVSS6.2AI score0.00214EPSS
Exploits2
Positive Technologies
Positive Technologies
added 2026/03/13 12:0 a.m.8 views

PT-2026-25145

Name of the Vulnerable Software and Affected Versions thingino-firmware versions prior to commit e3f6a41 wpDiscuz versions prior to 7.6.47 Description thingino-firmware contains an unauthenticated operating system command injection issue in the WiFi captive portal CGI script. This allows remote...

8.8CVSS6.6AI score0.00222EPSS
Exploits0References9
Packet Storm
Packet Storm
added 2026/03/11 12:0 a.m.114 views

📄 Easy Grade Pro 4.1 Malformed .EGP File Denial of Service

This Python script generates a malformed .EGP gradebook file designed to trigger a crash in Easy Grade Pro 4.1 by corrupting data at a specific offset within the file...

5.8AI score
Exploits0
ATTACKERKB
ATTACKERKB
added 2026/03/06 12:19 p.m.5 views

CVE-2018-25194

Nominas 0.27 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the username parameter. Attackers can send POST requests to the login/checklogin.php endpoint with crafted UNION-based SQL injection...

8.8CVSS6.1AI score0.00311EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/04 5:15 p.m.5 views

CVE-2019-25502 Simple Job Script Cross-Site Scripting via job_type_value Parameter

Simple Job Script contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the jobtypevalue parameter in the jobs endpoint. Attackers can craft requests with SVG payload injection to execute arbitrary JavaScript in victim...

6.1CVSS6AI score0.00251EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/03/03 12:0 a.m.9 views

PT-2026-22762

An issue was discovered in Nokia Impact before Mobile 23 FP1. In Impact DM 19.11 onwards, a remote authenticated user, using the Add Campaign functionality, can inject a malicious payload within the Campaign Name. This data can be exported to a CSV file. Attackers can populate data fields that ma...

2CVSS6AI score0.00237EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/03/03 12:0 a.m.3 views

CVE-2023-31044

An issue was discovered in Nokia Impact before Mobile 23FP1. In Impact DM 19.11 onwards, a remote authenticated user, using the Add Campaign functionality, can inject a malicious payload within the Campaign Name. This data can be exported to a CSV file. Attackers can populate data fields that may...

2CVSS6AI score0.00237EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/03/03 12:0 a.m.8 views

Nokia Impact Mobile 安全漏洞

Nokia Impact Mobile is a mobile network device management and automation platform developed by Finnish company Nokia. Previous versions of Nokia Impact Mobile, including 23FP1, contained security vulnerabilities. These vulnerabilities stemmed from the Campaign Name parameter in the Add Campaign...

8.8CVSS5.8AI score0.00237EPSS
Exploits0References3
Rows per page
Query Builder