Lucene search

843 matches found

EUVD
added 2025/10/03 8:07 p.m.

EUVD-2025-27136

Malicious code in bioql PyPI...

CVSS 5.1 | AI score 6.6 | EPSS 0.00738
Exploits: 0 | References: 1
EUVD
added 2025/10/03 8:07 p.m.

EUVD-2022-1591

Malicious code in bioql PyPI...

CVSS 5.5 | AI score 7 | EPSS 0.00099
Exploits: 0 | References: 12
CNNVD
added 2025/10/03 12:00 a.m.

MyClub security vulnerability

MyClub is club management software by the individual developer jibux. A security vulnerability exists in MyClub version 0.5 that stems from insufficient sanitization of query parameter input and could lead to an SQL injection attack...

CVSS 6.5 | AI score 7.6 | EPSS 0.00065
Exploits: 0 | References: 4
CNNVD
added 2025/09/17 12:00 a.m.

Perplexity AI Web Application security vulnerability

Perplexity AI Web Application is a search engine application built on a large language model by Perplexity, Inc. in the United States. A security vulnerability exists in Perplexity AI Web Application that stems from improper handling of a GET parameter and could lead to the disclosure of sensitive...

CVSS 4.3 | AI score 6.4 | EPSS 0.00075
Exploits: 0 | References: 3
OSV
added 2025/09/15 4:56 p.m.

CVE-2025-59155 hackmd-mcp server-side request forgery in HTTP transport mode

hackmd-mcp is a Model Context Protocol server for integrating HackMD's note-taking platform with AI assistants. From 1.4.0 to before 1.5.0, hackmd-mcp contains a server-side request forgery (SSRF) vulnerability when the server is run in HTTP transport mode. Arbitrary hackmdApiUrl values supplied vi...

CVSS 6.9 | AI score 6.7 | EPSS 0.00091
Exploits: 0 | References: 4
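The hackmd-mcp entry above describes an SSRF reached through an attacker-chosen hackmdApiUrl. The check below is an added example of validating a caller-supplied upstream URL before a server-side HTTP client uses it; it is not hackmd-mcp's own code. The allowlisted hostname, the function names and the sample URLs are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist; the real project's configuration is not on the page.
ALLOWED_API_HOSTS = {"api.hackmd.io"}


def _is_internal_ip(host):
    """True if host is an IP literal a server should never be steered toward."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_upstream_url(raw_url, allowed_hosts=ALLOWED_API_HOSTS):
    """Return (ok, reason). ok is True only for an https URL whose host is on
    the allowlist, carries no embedded credentials and uses the default port."""
    try:
        parts = urlsplit(raw_url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "scheme must be https"
    # "https://api.hackmd.io@evil.example/" has hostname evil.example; the
    # allowlisted name is only the userinfo part.
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if _is_internal_ip(host):
        return False, "host is an internal IP literal"
    if host.lower() not in allowed_hosts:
        return False, "host not on allowlist"
    if port not in (None, 443):
        return False, "non-standard port"
    return True, "ok"
```

A hostname allowlist does not by itself defeat DNS rebinding; the HTTP client should also pin the resolved address at connect time and refuse to follow redirects to hosts that fail the same check.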
Vulnrichment
added 2025/09/15 12:00 a.m.

CVE-2025-52048

In Frappe 15.x.x before 15.72.0 and 14.x.x before 14.96.10, the function addtag in frappe/desk/doctype/tag/tag.py is vulnerable to SQL injection, which allows an attacker to extract information from the database by injecting a SQL query into the dt parameter...

AI score 6.9 | EPSS 0.00059
Exploits: 1 | References: 2
VulnCheck KEV
added 2025/09/14 12:00 a.m.

VulnCheck KEV: CVE-2023-24733

PMB v7.4.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the query parameter at /admin/convert/exportz3950new.php...

CVSS 6.1 | AI score 5.7 | EPSS 0.14924
In the wild | Exploits: 1 | References: 2
NVD
added 2025/09/12 11:15 p.m.

CVE-2025-10330

A flaw has been found in cdevroe unmark up to 1.9.3. This vulnerability affects unknown code of the file application/views/layouts/topbar/searchform.php. Manipulation of the argument q causes cross-site scripting. Remote exploitation is possible. The exploit has been published...

CVSS 6.1 | EPSS 0.00061
Exploits: 1 | References: 5
CVE
added 2025/09/10 11:45 a.m.

CVE-2025-40725

CVE-2025-40725: Reflected XSS in Azon Dominator allows an attacker to inject JavaScript via the q parameter in /search (GET). Impact could include stealing session cookies or performing actions on behalf of the user. Mitigation documented in PT-2025-37012: sanitize/encode the q parameter in the /...

CVSS 5.1 | AI score 5.6 | EPSS 0.0008
Exploits: 0 | References: 1
RedhatCVE
added 2025/09/10 11:28 a.m.

CVE-2025-40642

Reflected cross-site scripting (XSS) vulnerability in WebWork, which allows remote attackers to execute arbitrary script in a victim's browser through the 'q' and 'engine' request parameters in /search...

CVSS 5.1 | AI score 6.6 | EPSS 0.00738
Exploits: 0 | References: 1
CVE
added 2025/09/08 11:25 a.m.

CVE-2025-40642

CVE-2025-40642 is a reflected Cross-Site Scripting (XSS) vulnerability in WebWork exploited via the q and engine parameters in /search. Affected software is WebWork; the vulnerability stems from improper handling of user-supplied input in the search query, enabling remote code execution in the co...

CVSS 5.1 | AI score 6.2 | EPSS 0.00738
Exploits: 0 | References: 1
Positive Technologies
added 2025/09/08 12:00 a.m.

PT-2025-36458

Name of the Vulnerable Software and Affected Versions: WebWork, affected versions not specified. Description: A reflected cross-site scripting (XSS) issue exists in WebWork, potentially enabling remote attackers to execute arbitrary code. The vulnerability is triggered through the q and engine reques...

CVSS 5.1 | AI score 5.9 | EPSS 0.00738
Exploits: 0 | References: 7
Github Security Blog
added 2025/09/05 9:32 p.m.

Duplicate Advisory: Keycloak error_description injection on error pages that can trigger phishing attacks

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-27gc-wj6x-9w55. This link is maintained to preserve external references. Original Description: A flaw was found in Keycloak. Keycloak's account console and other pages accept arbitrary text in the error_descriptio...

CVSS 4.3 | AI score 6.7 | EPSS 0.00065
Exploits: 0 | References: 9 | Affected Software: 2
Vulnrichment
added 2025/09/05 7:59 p.m.

CVE-2025-10044 Keycloak: keycloak error_description injection on error pages

A flaw was found in Keycloak. Keycloak's account console and other pages accept arbitrary text in the error_description query parameter. This text is rendered directly in error pages without validation or sanitization. While HTML encoding prevents XSS, an attacker can craft URLs with misleading...

CVSS 4.3 | AI score 6.1 | EPSS 0.00065
Exploits: 0 | References: 7
CNNVD
added 2025/08/31 12:00 a.m.

Code-Projects Human Resource Integrated System security vulnerability

Human Resource Integrated System is a human resource management system. Human Resource Integrated System suffers from a SQL injection vulnerability that originates from a lack of validation of externally supplied input in the ID parameter of the file /logquery.php. An attacker can exploit...

CVSS 9.8 | AI score 8.1 | EPSS 0.00066
Exploits: 1 | References: 7
CVE
added 2025/08/30 1:02 p.m.

CVE-2025-9689

The CVE-2025-9689 entry concerns SourceCodester Advanced School Management System 1.0. The vulnerability is located in an unknown function of the file /index.php/stock/item_select, where manipulation of the q parameter results in SQL injection. It is exploitable remotely and exploits are publicly...

CVSS 8.8 | AI score 6.6 | EPSS 0.00067
Exploits: 1 | References: 5 | Affected Software: 1
Positive Technologies
added 2025/08/30 12:00 a.m.

PT-2025-35359

Name of the Vulnerable Software and Affected Versions: SourceCodester Advanced School Management System version 1.0 Description: A SQL injection issue exists in SourceCodester Advanced School Management System 1.0. The vulnerability is located in an unknown function within the /index.php/stock/it...

CVSS 6.5 | AI score 6.8 | EPSS 0.00067
Exploits: 1 | References: 9
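Several entries in this listing share one root cause: a request parameter (dt in Frappe's addtag, ID in /logquery.php of the Human Resource Integrated System, q in /index.php/stock/item_select of the Advanced School Management System, the query parameter in MyClub) is spliced into SQL text. The following is an added example, not code from any of those projects, that reproduces the pattern against an in-memory SQLite table beside the parameterized fix. The schema, table contents and function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data: a lookup table plus one row an attacker wants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO items (name, secret) VALUES (?, ?)", [
        ("pencil", "n/a"),
        ("paper", "n/a"),
        ("admin-token", "s3cr3t"),
    ])
    return conn


def search_vulnerable(conn, q):
    """The pattern behind the listed advisories: q becomes part of the SQL text,
    so a quote in q ends the literal and the rest is parsed as SQL."""
    sql = "SELECT name FROM items WHERE name LIKE '%" + q + "%'"
    return sorted(row[0] for row in conn.execute(sql))


def search_parameterized(conn, q):
    """Fix: the SQL text is constant and q travels as a bound value. LIKE
    wildcards are escaped too, so a bare '%' cannot dump the whole table."""
    escaped = q.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    rows = conn.execute(
        "SELECT name FROM items WHERE name LIKE ? ESCAPE '\\'",
        ("%" + escaped + "%",),
    )
    return sorted(row[0] for row in rows)
```

With a constructed payload such as `x' UNION SELECT secret FROM items WHERE name='admin-token' --`, the vulnerable function returns the secret column; the parameterized one returns no rows because the payload is matched literally.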
Debian CVE
added 2025/08/29 12:10 a.m.

CVE-2025-40927

CGI::Simple versions before 1.282 for Perl have an HTTP response splitting flaw. This vulnerability is a confirmed HTTP response splitting flaw in CGI::Simple that allows HTTP response header injection, which can be used for reflected XSS or open redirect under certain conditions. Although some...

CVSS 7.3 | AI score 5.2 | EPSS 0.00235
Exploits: 0
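The CGI::Simple entry above is a header injection: a CR/LF pair inside a value that the library writes into a response header ends the header block early, and everything after it becomes attacker-controlled headers and body. The following added example (in Python rather than Perl, and not CGI::Simple's own code) shows a CGI-style redirect emitter with and without the check, plus a helper that lists the header names a client would see; the payload and function names are constructed.

```python
def build_redirect_vulnerable(location):
    """Header emission with no control-character check. location is the
    already URL-decoded request parameter, which is where %0d%0a ends up."""
    return "Status: 302 Found\r\nLocation: " + location + "\r\n\r\n"


def is_safe_header_value(value):
    """CR, LF and NUL must never reach a header line."""
    return not any(ch in value for ch in ("\r", "\n", "\x00"))


def build_redirect_safe(location):
    """Fix: refuse control characters, and accept only same-origin relative
    targets, which also closes the open-redirect use the entry mentions."""
    if not is_safe_header_value(location):
        raise ValueError("control character in Location value")
    # "//host" and "/\host" are both treated as scheme-relative by browsers.
    if not location.startswith("/") or location[1:2] in ("/", "\\"):
        raise ValueError("only same-origin relative redirects are allowed")
    return "Status: 302 Found\r\nLocation: " + location + "\r\n\r\n"


def header_names(raw_response):
    """Header names in the first header block of a raw CGI response; after a
    successful split, attacker-chosen names show up here."""
    block = raw_response.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in block.split("\r\n") if ":" in line]
```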
OSV
added 2025/08/27 3:15 p.m.

CVE-2025-50985

diskover-web v2.3.0 Community Edition is vulnerable to multiple reflected cross-site scripting (XSS) flaws in its web interface. Unsanitized GET parameters including maxage, maxindex, index, path, q query, and doctype are directly echoed into the HTML response, allowing attackers to inject and...

CVSS 5.6 | AI score 5.9 | EPSS 0.00082
Exploits: 1 | References: 1
CNNVD
added 2025/08/26 12:00 a.m.

mblog security vulnerability

mblog is a blogging system by the individual developer langhsu. A security vulnerability exists in mblog 3.5.0 and earlier versions that stems from improper handling of the kw parameter in /search and allows cross-site scripting...

CVSS 6.1 | AI score 4.4 | EPSS 0.00063
Exploits: 1 | References: 5
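The reflected XSS entries in this listing (PMB, unmark, Azon Dominator, WebWork, diskover-web, mblog) all echo a search parameter back into HTML unencoded, and the Keycloak error_description entry shows the residual problem once encoding is in place: encoded attacker text is still displayed verbatim. The following added example, not code from any of those projects, shows the echo in element and attribute context beside the output-encoded version, and an error renderer that maps a caller-supplied code to a fixed message instead of echoing it. The markup, the error-code table and the function names are constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit


def q_from_url(url):
    """Extract q the way a /search endpoint receives it (already URL-decoded)."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_search_vulnerable(q):
    """The pattern behind the listed advisories: q is echoed as-is, once in
    element context and once inside a quoted attribute value."""
    return ('<h1>Results for ' + q + '</h1>'
            '<input name="q" value="' + q + '">')


def render_search_safe(q):
    """Fix: HTML-encode on output. quote=True also encodes the quote
    characters, which is what makes the attribute reflection safe (the
    attribute itself must be quoted for this to hold)."""
    safe = html.escape(q, quote=True)
    return ('<h1>Results for ' + safe + '</h1>'
            '<input name="q" value="' + safe + '">')


# Hypothetical error-code table. Encoding alone would still print whatever
# text the URL carried; a fixed lookup means the parameter never reaches the page.
ERROR_MESSAGES = {
    "invalid_request": "The request could not be processed.",
    "access_denied": "You do not have access to this resource.",
}


def render_error_safe(error_code):
    """Map a caller-supplied code to a fixed message; unknown codes get a
    generic one, so attacker-written instructions cannot be displayed."""
    message = ERROR_MESSAGES.get(error_code, "An unexpected error occurred.")
    return '<p class="error">' + html.escape(message) + '</p>'
```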