CVE-2026-3319 Multiple vulnerabilities in Cradle e-commerce
Reflected Cross-Site Scripting (XSS) in the latest demo version of the Cradle eCommerce platform. User-controlled input is insecurely reflected in the HTML output in the endpoint /collection/. Exploitation of this vulnerability would allow an attacker to execute arbitrary JavaScript code...
EUVD-2026-29049
ATutor is vulnerable to Reflected XSS in /install/install.php endpoint. An attacker can provide a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. Product is no longer actively supported. Maintainers of this project were notified early...
CVE-2026-6956
ATutor is vulnerable to Reflected XSS in /install/install.php endpoint. An attacker can provide a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. Product is no longer actively supported. Maintainers of this project were notified early...
CVE-2026-6956 Reflected XSS in ATutor
ATutor is vulnerable to Reflected XSS in /install/install.php endpoint. An attacker can provide a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. Product is no longer actively supported. Maintainers of this project were notified early...
CVE-2026-6956
ATutor is vulnerable to a Reflected XSS in the /install/install.php endpoint. An attacker can supply a crafted URL that, when opened, causes arbitrary JavaScript execution in the victim’s browser. The issue has been tested only on version 2.2.4; other versions were not tested but might also be vu...
CVE-2026-6909 Reflected XSS in ATutor
ATutor is vulnerable to Reflected XSS in /install/upgrade.php endpoint. An attacker can provide a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. Product is no longer actively supported. Maintainers of this project were notified early...
CVE-2026-6909
ATutor is vulnerable to Reflected XSS in /install/upgrade.php endpoint. An attacker can provide a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. Product is no longer actively supported. Maintainers of this project were notified early...
CVE-2026-6909
ATutor is affected by a Reflected XSS in the /install/upgrade.php endpoint. It allows arbitrary JavaScript execution in a victim’s browser when a crafted URL is opened. Only version 2.2.4 has been tested and confirmed vulnerable; other versions have not been tested but might also be vulnerable. T...
Car Rental Script 4.0 Cross Site Scripting
Car Rental Script version 4.0 suffers from a cross site scripting vulnerability. Titles: Car-Rental-Script4.0-XSS-Reflected Cross-site scripting reflected Author: nu11secur1ty Date: 05/08/2026 Vendor: https://www.phpjabbers.com/ Software: https://www.phpjabbers.com/car-rental-script/ Reference:...
CVE-2025-65417
docuFORM Managed Print Service Client 11.11c is vulnerable to a reflected cross site scripting attack via the login page of the application...
CVE-2025-61309
A reflected cross-site scripting (XSS) vulnerability in the dfm-menudepartments.php component of GmbH Mecury Managed Print Services docuForm v11.11c allows attackers to execute arbitrary JavaScript in the context of a user's browser via injecting a crafted payload into an unfiltered variable value...
PT-2026-39590
Name of the Vulnerable Software and Affected Versions: ATutor version 2.2.4. Description: A Reflected Cross-Site Scripting (XSS) issue exists in the '/install/upgrade.php' endpoint. This allows an attacker to execute arbitrary JavaScript in a victim's browser by providing a specially crafted URL...
CVE-2025-61313
A reflected cross-site scripting (XSS) vulnerability in the dfm-menumarkeralerts.php component of GmbH Mecury Managed Print Services docuForm v11.11c allows attackers to execute arbitrary JavaScript in the context of a user's browser via injecting a crafted payload into an unfiltered variable value...
CVE-2025-61305
A reflected cross-site scripting (XSS) vulnerability in the dfm-menufirmware.php component of GmbH Mecury Managed Print Services docuForm v11.11c allows attackers to execute arbitrary JavaScript in the context of a user's browser via injecting a crafted payload into an unfiltered variable value...
PT-2026-39881
Name of the Vulnerable Software and Affected Versions: MantisBT, affected versions not specified. Description: An authenticated user can inject arbitrary HTML by updating the font family of their account. This leads to cross-site scripting, where the injected payload is reflected on every page of the...
PT-2026-39610
A reflected cross-site scripting (XSS) vulnerability in the dfm-menu markeralerts.php component of GmbH Mecury Managed Print Services docuForm v11.11c allows attackers to execute arbitrary JavaScript in the context of a user's browser via injecting a crafted payload into an unfiltered variable value...
CVE-2025-61313
The CVE-2025-61313 entry concerns a reflected XSS in the dfm-menu_markeralerts.php component of GmbH Mecury Managed Print Services (docuForm) version 11.11c. The vulnerability allows an attacker to execute arbitrary JavaScript in a user’s browser by injecting a crafted payload into an unfiltered ...
CVE-2025-61312
CVE-2025-61312 is a reflected XSS in the acc-menu_pricess.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c. The vulnerability arises from unfiltered input in a variable value, allowing an attacker to inject arbitrary JavaScript to be executed in a user’s browser. Connected d...
CVE-2025-61309
Summary: CVE-2025-61309 affects GmbH Mecury/Mercury docuForm 11.11c, specifically the dfm-menu_departments.php component. The vulnerability is a reflected XSS where an attacker can inject a crafted payload into an unfiltered variable value, enabling arbitrary JavaScript to run in a user’s browser...