CVE-2018-1000062

WonderCMS version 2.4.0 contains a Stored Cross-Site Scripting on File Upload through SVG vulnerability in uploadFileAction, 'svg' = 'image/svg+xml' that can result in An attacker can execute arbitrary script on an unsuspecting user's browser. This attack appear to be exploitable via Crafted SVG...

CVE-2019-19902

An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and 1.14.x before 1.14.2. It allows the upload of entire-site configuration archives through the user interface or command line. It does not sufficiently check uploaded archives for invalid data, allowing non-configuration scripts to...

CVE-2019-17206

Uncontrolled deserialization of a pickled object in models.py in Frost Ming rediswrapper aka Redis Wrapper before 0.3.0 allows attackers to execute arbitrary scripts...

CVE-2019-18982

bundles/AdminBundle/Controller/Admin/EmailController.php in Pimcore before 6.3.0 allows script execution in the Email Log preview window because of the lack of a Content-Security-Policy header...

CVE-2019-10089

On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the WYSIWYG editor, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the...

CVE-2018-21055

An issue was discovered on Samsung mobile devices with N7.0 Qualcomm models using MSM8996 chipsets software. A device can be rooted with a custom image to execute arbitrary scripts in the INIT context. The Samsung ID is SVE-2018-11940 September 2018...

CVE-2017-1000462

BookStack version 0.18.4 is vulnerable to stored cross-site scripting, within the page creation page, which can result in disruption of service and execution of javascript code...

CVE-2019-6034

a-blog cms versions prior to Ver.2.10.23 Ver.2.10.x, Ver.2.9.26 Ver.2.9.x, and Ver.2.8.64 Ver.2.8.x allows arbitrary scripts to be executed in the context of the application due to unspecified vectors...

CVE-2019-12180

An issue was discovered in SmartBear ReadyAPI through 2.8.2 and 3.0.0 and SoapUI through 5.5. When opening a project, the Groovy "Load Script" is automatically executed. This allows an attacker to execute arbitrary Groovy Language code Java scripting language on the victim machine by inducing it ...

GHSA-6P8W-PC35-MQV8 [clickstorm] SEO (cs_seo) TYPO3 extension Cross-site Scripting (XSS) vulnerability

Cross-site scripting XSS vulnerability in the clickstorm SEO csseo TYPO3 extension allows backend users to execute arbitrary script via the JSON-LD output...

CVE-2025-20267

A vulnerability in the web-based management interface of Cisco Identity Services Engine ISE could allow an authenticated, remote attacker to conduct cross-site scripting XSS attacks against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the...

CVE-2025-32999

Cross-site scripting vulnerability exists in a-blog cms versions prior to Ver. 3.1.43 and prior to Ver. 3.0.47. This issue exists in a specific field in the entry editing screen, and exploitation requires contributor or higher level privileges. If this vulnerability is exploited, an arbitrary...

CVE-2025-45755

Vulnerable software: Vtiger CRM Open Source Edition v8.3.0. The issue is a Stored Cross-Site Scripting (XSS) vulnerability exploitable via the Services Import feature. An attacker can craft a malicious CSV file containing an XSS payload mapped to the Service Name field; when uploaded, the applica...

CVE-2025-45755

A Stored Cross-Site Scripting XSS vulnerability exists in Vtiger CRM Open Source Edition v8.3.0, exploitable via the Services Import feature. An attacker can craft a malicious CSV file containing an XSS payload, mapped to the Service Name field. When the file is uploaded, the application improper...

CVE-2025-32999

Cross-site scripting vulnerability exists in a-blog cms versions prior to Ver. 3.1.43 and prior to Ver. 3.0.47. This issue exists in a specific field in the entry editing screen, and exploitation requires contributor or higher level privileges. If this vulnerability is exploited, an arbitrary...

CVE-2025-32999

Cross-site scripting vulnerability exists in a-blog cms versions prior to Ver. 3.1.43 and prior to Ver. 3.0.47. This issue exists in a specific field in the entry editing screen, and exploitation requires contributor or higher level privileges. If this vulnerability is exploited, an arbitrary...

CVE-2025-32999

CVE-2025-32999 : The vulnerability affects a-blog cms prior to version 3.1.43 and prior to 3.0.47. It is a cross-site scripting issue in a specific field of the entry editing screen that requires contributor or higher privileges to exploit. If exploited, an arbitrary script may execute in the web...

CVE-2024-51106

CVE-2024-51106 → A cross-site scripting (XSS) vulnerability in PHPGURUKUL Medical Card Generation System v1.0, in the mcgs/admin/aboutus.php component, allows injecting a crafted payload via the pagetitle parameter. Affected: PHPGURUKUL Medical Card Generation System (PHP/MySQL, v1.0). Root cause...

CVE-2024-51106

A cross-site scripting XSS vulnerability in the component mcgs/admin/aboutus.php of PHPGURUKUL Medical Card Generation System using PHP and MySQL v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the pagetitle parameter...

CVE-2025-3527

The EventON Pro plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'assets/lib/settings/settings.js' file in all versions up to, and including, 4.9.6. This makes it possible for authenticated attackers, with Subscriber-level access and...