Cross-site Scripting (XSS)
Overview: nocodb is a NocoDB package. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the CommentsService component, which lacks sanitization for stored HTML. An attacker can execute arbitrary scripts in the context of users viewing affected rich text fields by injecting...
CVE-2026-25544
Payload is a free and open source headless content management system. Prior to 3.73.0, when querying JSON or richText fields, user input was directly embedded into SQL without escaping, enabling blind SQL injection attacks. An unauthenticated attacker could extract sensitive data emails, password...
Payload SQL Injection Vulnerability
Payload is a headless CMS and application framework built using TypeScript, Node.js, React, and MongoDB. Versions of Payload prior to 3.73.0 have a SQL injection vulnerability. This vulnerability occurs when querying JSON or richText fields, where user input is directly embedded into SQL without...
SQL Injection
Overview: @payloadcms/db-sqlite is the officially supported SQLite database adapter for Payload. Affected versions of this package are vulnerable to SQL Injection when querying JSON or richText fields. An attacker can extract sensitive information and gain unauthorized access to user accounts by...
Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via rich text fields. An attacker can execute arbitrary scripts in the context of other users by injecting malicious HTML content. Details: Cross-site scripting, or XSS, is a code vulnerability that occu...
Cross-site Scripting (XSS)
com.liferay.portal, release.portal.bom is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to insufficient sanitization of rich text form fields, which allows an attacker to inject a crafted payload that is later rendered in the browser and executes arbitrary web script or HTML...
Cross-site Scripting (XSS)
com.liferay, com.liferay.dynamic.data.mapping.form.field.type is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to improper validation of user-supplied input in rich text type fields within objects, which allows an attacker to inject and execute arbitrary web scripts or HTML...
Cross-site Scripting (XSS)
com.liferay, com.liferay.dynamic.data.mapping.form.field.type is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper validation of user-supplied input in "Rich Text" type fields within web content structures, document types, or custom assets using the Data Engine module,...
EUVD-2025-33171
Stored cross-site scripting (XSS) vulnerability in Forms in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and 7.3 GA through update 35 allows remote attackers to inject arbitrary web script or HTML via a...
PT-2025-41254
Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.3.2 through 7.4.3.111; Liferay DXP versions 2023.Q3.1 through 2023.Q4.5. Description: A stored cross-site scripting (XSS) issue exists in Forms within the software. This allows remote attackers to inject arbitrary web scri...
EUVD-2025-31808
Malicious code in bioql PyPI...
EUVD-2025-29222
Malicious code in bioql PyPI...
CVE-2025-43826
Stored cross-site scripting (XSS) vulnerabilities in Web Content translation in Liferay Portal 7.4.0 through 7.4.3.112, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allow remote...
CVE-2025-43800
Cross-site scripting (XSS) vulnerability in Objects in Liferay Portal 7.4.3.20 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4 and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an object with a...
Liferay Portal vulnerable to Cross-site Scripting
Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 36 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected...
CVE-2025-43791
CVE-2025-43791 corresponds to multiple XSS flaws in Liferay Portal 7.3.0–7.4.3.111 and Liferay DXP 2023.Q4.0, 2023.Q3.1–2023.Q3.4, 7.4 GA–update 92, 7.3 GA–update 36. The root cause is improper validation in the Data Engine's Rich Text field, allowing remote attackers to inject arbitrary web sc...
PT-2025-37741
Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.3.20 through 7.4.3.111; Liferay DXP versions 2023.Q3.1 through 2023.Q3.4; Liferay DXP version 2023.Q4.0; Liferay Portal versions 7.4 GA through update 92. Description: A cross-site scripting (XSS) issue exists in Objects...
Liferay Portal and Liferay DXP Cross-Site Scripting Vulnerability
Liferay Portal and Liferay DXP are both products of Liferay, Inc. Liferay Portal is a J2EE-based portal solution. The solution uses technologies such as EJB as well as JMS and can be used as a Web publishing and sharing workspace, enterprise collaboration platform, social network, etc. Liferay DXP...
PT-2025-37736
Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.3.0 through 7.4.3.111; Liferay DXP versions 2023.Q3.1 through 2023.Q3.4; Liferay DXP version 2023.Q4.0; Liferay Portal versions 7.4 GA through update 92; Liferay Portal versions 7.3 GA through update 36. Description: The...
Improper validation of URLs ('Cross-site Scripting') in Wagtail rich text fields
Impact: When saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with javascript: URLs...