733 matches found
USN-7960-1 ruby-rack vulnerabilities
It was discovered that Rack incorrectly handled certain query parameters. An attacker could possibly use this issue to cause a limited denial of service. This issue was only addressed in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. CVE-2025-59830 It was discovered that Rack did not properly handle...
USN-7960-1: Rack vulnerabilities
It was discovered that Rack incorrectly handled certain query parameters. An attacker could possibly use this issue to cause a limited denial of service. This issue was only addressed in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. CVE-2025-59830 It was discovered that Rack did not properly handle...
ComfyUI-Manager is Vulnerable to CRLF Injection in Configuration Handler
Impact Vulnerability Type: CRLF Injection via ConfigParser An attacker can inject special characters into HTTP query parameters to add arbitrary configuration values to the config.ini file. This can lead to security setting tampering or modification of application behavior. Affected Users: Users...
TinyWeb Server Operating System Command Injection Vulnerability
TinyWeb Server is a web server by Maxim Masiutin, an individual developer. An operating system command injection vulnerability exists in versions of TinyWeb Server prior to 1.98, which stems from passing commands via CGI ISINDEX style query parameters, which could lead to an OS command injection...
CVE-2026-22777
ComfyUI-Manager is an extension designed to enhance the usability of ComfyUI. Prior to versions 3.39.2 and 4.0.5, an attacker can inject special characters into HTTP query parameters to add arbitrary configuration values to the config.ini file. This can lead to security setting tampering or...
CVE-2026-22777 ComfyUI-Manager is Vulnerable to CRLF Injection in Configuration Handler
ComfyUI-Manager is an extension designed to enhance the usability of ComfyUI. Prior to versions 3.39.2 and 4.0.5, an attacker can inject special characters into HTTP query parameters to add arbitrary configuration values to the config.ini file. This can lead to security setting tampering or...
PT-2026-2261
Name of the Vulnerable Software and Affected Versions ComfyUI-Manager versions prior to 3.39.2 ComfyUI-Manager versions prior to 4.0.5 Description ComfyUI-Manager, an extension for ComfyUI, is susceptible to arbitrary configuration injection. An attacker can inject special characters into HTTP...
CVE-2022-0201
The Permalink Manager Lite WordPress plugin before 2.2.15 and Permalink Manager Pro WordPress plugin before 2.2.15 do not sanitise and escape query parameters before outputting them back in the debug page, leading to a Reflected Cross-Site Scripting issue...
Improper Access Control
@strapi/core is vulnerable to improper access control. The vulnerability is due to improper sanitization of query parameters in the document service lookup operator, which allows an attacker to craft malicious queries to access private fields such as admin passwords and reset tokens...
VulnCheck KEV: CVE-2021-34427
In Eclipse BIRT versions 4.8.0 and earlier, an attacker can use query parameters to create a JSP file which is accessible from remote current BIRT viewer dir to inject JSP code into the running instance...
EUVD-2025-202629
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions 4.9.0 through 4.12.1 contain an input-validation flaw in the returnTo parameter, which could allow attackers to inject unintended OAuth query parameters into the Auth0 authorization request...
CVE-2025-65892
Reflected Cross-Site Scripting (rXSS) in krpano before version 1.23.2 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the victim's browser via a crafted URL to the passQueryParameters function with the xml parameter enabled...
CVE-2024-51999
CVE-2024-51999 is rejected and not a valid vulnerability entry.
EUVD-2025-199902
Reflected Cross-Site Scripting (rXSS) in krpano before version 1.23.2 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the victim's browser via a crafted URL to the passQueryParameters function with the xml parameter enabled...
CVE-2023-7326
The Epson Stylus SX510W embedded web management service fails to properly handle consecutive ampersand characters in query parameters when accessing /PRESENTATION/HTML/TOP/INDEX.HTML. A remote attacker can send a malformed request that triggers improper input parsing or memory handling, resulting...
CVE-2023-7326 Epson Stylus SX510W Printer Remote Power Off DoS
The Epson Stylus SX510W embedded web management service fails to properly handle consecutive ampersand characters in query parameters when accessing /PRESENTATION/HTML/TOP/INDEX.HTML. A remote attacker can send a malformed request that triggers improper input parsing or memory handling, resulting...
CVE-2023-7326
The CVE-2023-7326 entry covers Epson Stylus SX510W’s embedded web management service, which mishandles consecutive ampersand characters in query parameters for /PRESENTATION/HTML/TOP/INDEX.HTML, enabling a remote attacker to trigger abnormal input parsing/memory handling and cause the printer pro...
PT-2025-46732
Name of the Vulnerable Software and Affected Versions Epson Stylus SX510W affected versions not specified Description The embedded web management service in the Epson Stylus SX510W does not correctly process consecutive ampersand characters within query parameters when accessing the...
Client-Side Content Injection (XSS)
dotnetnuke.core is vulnerable to Client-Side Content Injection (XSS). The vulnerability is due to improper validation of query parameters, which allows an attacker to load and exploit vulnerable themes on client browsers without the site owner’s knowledge...