1452 matches found
PT-2025-50336
Name of the Vulnerable Software and Affected Versions Barracuda Service Center versions prior to 2025.1.1 Description The Barracuda Service Center, within the RMM solution, improperly validates the name of a WSDL service controlled by an attacker. This insecure reflection can lead to remote code...
PT-2025-50272
Name of the Vulnerable Software and Affected Versions MailEnable versions prior to 10.54 Description MailEnable versions prior to 10.54 contain a reflected cross-site scripting XSS vulnerability in the WindowContext parameter of the ''/Mondo/lang/sys/Forms/MAI/compose.aspx'' endpoint. The...
GHSA-R77H-RPP9-W2XM Spotipy has a XSS vulnerability in its OAuth callback server
Summary XSS vulnerability in OAuth callback server allows JavaScript injection through unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's browser during OAuth authentication. Details Vulnerable Code: spotipy/oauth2.py lines 1238-1274 RequestHandler.doGET The...
Use Of Externally-Controlled Input To Select Classes Or Code ('Unsafe Reflection')
Astro is vulnerable to Use of Externally-Controlled Input to Select Classes or Code 'Unsafe Reflection'. The vulnerability is due to Astro reflecting the unvalidated X-Forwarded-Host header in Astro.url, which allows an attacker to supply a malicious header value that can manipulate generated...
📄 vBulletin 6.0.3 replaceAdTemplate Expression Injection
Proof of concept exploit for vBulletin versions 5.0.0 through 6.0.3 for the replaceAdTemplate expression injection vulnerability. ============================================================================================================================================= | Title : vBulletin 5.0.0...
SUSE CVE-2025-60796
phpPgAdmin 7.13.0 and earlier contains multiple cross-site scripting XSS vulnerabilities across various components. User-supplied input from $REQUEST parameters is reflected in HTML output without proper encoding or sanitization in multiple locations including sequences.php, indexes.php, admin.ph...
PT-2025-47690
The Return Refund and Exchange For WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.5.5 via the 'wps rma cancel return request' AJAX endpoint due to missing validation on a user controlled key. This makes it possible for...
phpPgAdmin <= 7.13.0 Multiple Vulnerabilities
phpPgAdmin is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:phppgadmin:phppgadmin"; if...
phppgadmin vulnerable to Cross-site Scripting
phpPgAdmin versions 7.13.0 and earlier contain multiple cross-site scripting XSS vulnerabilities across various components. User-supplied inputs from $REQUEST parameters are reflected in HTML output without proper encoding or sanitization in multiple locations including sequences.php, indexes.php...
CVE-2025-60796
phpPgAdmin 7.13.0 and earlier contains multiple cross-site scripting XSS vulnerabilities across various components. User-supplied input from $REQUEST parameters is reflected in HTML output without proper encoding or sanitization in multiple locations including sequences.php, indexes.php, admin.ph...
DEBIAN-CVE-2025-60796
phpPgAdmin 7.13.0 and earlier contains multiple cross-site scripting XSS vulnerabilities across various components. User-supplied input from $REQUEST parameters is reflected in HTML output without proper encoding or sanitization in multiple locations including sequences.php, indexes.php, admin.ph...
CVE-2025-60796
phpPgAdmin 7.13.0 and earlier contains multiple cross-site scripting XSS vulnerabilities across various components. User-supplied input from $REQUEST parameters is reflected in HTML output without proper encoding or sanitization in multiple locations including sequences.php, indexes.php, admin.ph...
CVE-2025-60796
CVE-2025-60796 affects phpPgAdmin 7.13.0 and earlier, with multiple reflected XSS vulnerabilities across components (e.g., sequences.php, indexes.php, admin.php, and other files). User input from $_REQUEST is echoed into HTML without proper encoding or sanitization, enabling attackers to execute ...
PT-2025-47581
phpPgAdmin 7.13.0 and earlier contains multiple cross-site scripting XSS vulnerabilities across various components. User-supplied input from $ REQUEST parameters is reflected in HTML output without proper encoding or sanitization in multiple locations including sequences.php, indexes.php,...
GHSA-J8CQ-7F6P-256X LibreNMS vulnerable to Reflected Cross-Site Scripting (XSS) in endpoint `/maps/nodeimage` parameter `Image Name`
Summary A Reflected Cross-Site Scripting XSS vulnerability was identified in the LibreNMS application at the /maps/nodeimage endpoint. The Image Name parameter is reflected in the HTTP response without proper output encoding or sanitization, allowing an attacker to craft a URL that, when visited ...
Telerik UI for ASP.NET AJAX Unsafe Reflection
According to its self-reported version number, the version of Telerik UI for ASP.NET AJAX is affected by an unsafe reflection vulnerability resulting in denial of service and advanced attacks scenarios. Note that the scanner has not tested for these issues but has instead relied only on the...
CVE-2025-63419
Cross Site Scripting XSS vulnerability in CrushFTP 11.3.648. The Web-Based Server has a feature where users can share files, the feature reflects the filename to an emailbody field with no sanitations leading to HTML Injection...
CVE-2025-64711 PrivateBin vulnerable to malicious filename use for self-XSS / HTML injection locally for users
PrivateBin is an online pastebin where the server has zero knowledge of pasted data. Starting in version 1.7.7 and prior to version 2.0.3, dragging a file whose filename contains HTML is reflected verbatim into the page via the drag-and-drop helper, so any user who drops a crafted file on...
EUVD-2025-131917
Cross Site Scripting XSS vulnerability in CrushFTP 11.3.648. The Web-Based Server has a feature where users can share files, the feature reflects the filename to an emailbody field with no sanitations leading to HTML Injection...
CVE-2025-63419
Cross Site Scripting XSS vulnerability in CrushFTP 11.3.648. The Web-Based Server has a feature where users can share files, the feature reflects the filename to an emailbody field with no sanitations leading to HTML Injection...