277 matches found

CNNVD, added 2026/05/14 12:00 a.m.

STEL Order cross-site scripting vulnerability

STEL Order is an ERP, CRM, and online billing management platform developed by the Spanish company STEL for small and medium-sized enterprises. Versions of STEL Order prior to 3.25.1 contained a cross-site scripting vulnerability. This vulnerability stemmed from insufficient sanitization of the...

CVSS 5.1, AI score 5.7, EPSS 0.00062
Exploits: 0, References: 1
Positive Technologies, added 2026/05/10 12:00 a.m.

PT-2026-39472

Vulnerable software and affected versions: Moodle LMS version 4.0. Description: An issue allows unauthenticated attackers to inject malicious scripts by submitting payloads through the search parameter. Specifically, JavaScript code can be injected via the search field in the...

CVSS 6.1, AI score 6, EPSS 0.00185
Exploits: 1, References: 11
ATTACKERKB, added 2026/04/07 5:37 p.m.

CVE-2026-39332

ChurchCRM is an open-source church management system. Prior to 7.1.0, a reflected cross-site scripting (XSS) vulnerability in GeoPage.php allows any authenticated user to inject arbitrary JavaScript into the browser of another authenticated user. Because the payload fires automatically via autofocu...

CVSS 8.7, AI score 6, EPSS 0.00038
Exploits: 0, References: 2, Affected Software: 1
EUVD, added 2026/04/03 3:47 p.m.

EUVD-2026-18797

Budibase is an open-source low-code platform. Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names (tables, views, queries, automations) using Svelte's {@html} directive without any sanitization. An authenticated user with Builder access can create a table, automation, vie...

CVSS 8.7, AI score 5.8, EPSS 0.00012
Exploits: 1, References: 4
Vulnrichment, added 2026/04/03 3:47 p.m.

CVE-2026-35218 Budibase: Stored XSS via unsanitized entity names rendered with {@html} in Builder Command Palette

Budibase is an open-source low-code platform. Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names (tables, views, queries, automations) using Svelte's {@html} directive without any sanitization. An authenticated user with Builder access can create a table, automation, vie...

CVSS 8.7, AI score 5.8, EPSS 0.00012
Exploits: 1, References: 4
Positive Technologies, added 2026/02/26 12:00 a.m.

PT-2026-22170

Vulnerable software and affected versions: VideoLAN VLC for Android versions prior to 3.7.0. Description: The Remote Access Server feature in VideoLAN VLC for Android has an authentication bypass due to inadequate rate limiting on one-time password (OTP) verification. The server utilizes a...

CVSS 6.3, AI score 5.4, EPSS 0.00064
Exploits: 0, References: 6
NVD, added 2026/02/19 9:16 a.m.

CVE-2026-2736

Reflected cross-site scripting (XSS) in Alkacon's OpenCms v18.0, which allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL containing the ‘q’ parameter in ‘/search/index.html’. This vulnerability can be exploited to steal sensitive user...

CVSS 6.1, EPSS 0.00039
Exploits: 0, References: 1
OSV, added 2026/01/26 9:30 p.m.

GHSA-6P6H-RQR6-62MV GI-DocGen vulnerable to Reflected XSS via unescaped query strings

A flaw was found in GI-DocGen. This vulnerability allows arbitrary JavaScript execution in the context of the page, enabling DOM access, session cookie theft and other client-side attacks, via a crafted URL that supplies a malicious value to the q GET parameter (reflected DOM XSS)...

CVSS 6.1, AI score 6, EPSS 0.00007
Exploits: 0, References: 6
OSV, added 2026/01/26 8:16 p.m.

CVE-2025-11687

A flaw was found in gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page, enabling DOM access, session cookie theft and other client-side attacks, via a crafted URL that supplies a malicious value to the q GET parameter (reflected DOM XSS)...

CVSS 6.1, AI score 5.9, EPSS 0.00007
Exploits: 0, References: 3
CVE, added 2026/01/26 7:36 p.m.

CVE-2025-11687

The CVE-2025-11687 issue affects the gi-docgen library and is confirmed by multiple sources (GHSA advisory, NVD/Red Hat entry, Debian/Amazon Linux advisories). It is a reflected DOM XSS vulnerability where an unescaped q query parameter allows arbitrary JavaScript execution in the page context, e...

CVSS 6.1, AI score 6, EPSS 0.00007
Exploits: 0, References: 3
Positive Technologies, added 2026/01/20 12:00 a.m.

PT-2026-3549

Reflected cross-site scripting (XSS) vulnerability in Riftzilla's QRGen. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL using the 'id' parameter in '/article.php'. This vulnerability can be exploited to steal sensitive user...

CVSS 5.1, AI score 5.7, EPSS 0.00091
Exploits: 0, References: 2
RedhatCVE, added 2026/01/09 9:50 a.m.

CVE-2020-24924

A persistent cross-site scripting vulnerability is found in ElkarBackup v1.3.3, where an attacker can steal the user's session cookie via the Name parameter of the Policies action...

CVSS 5.4, AI score 6.6, EPSS 0.00258
Exploits: 1, References: 1
RedhatCVE, added 2026/01/09 9:16 a.m.

CVE-2025-40980

A stored cross-site scripting vulnerability has been found in UltimatePOS by UltimateFosters. This vulnerability is due to the lack of proper validation of user input via ‘/products//edit’, affecting the ‘name’ parameter via POST. The vulnerability could allow a remote attacker to send a speciall...

CVSS 5.1, AI score 5.8, EPSS 0.00694
Exploits: 1, References: 1
RedhatCVE, added 2026/01/09 9:16 a.m.

CVE-2025-40992

Stored XSS vulnerability in Creativeitem Sociopro due to lack of proper validation of user input via the endpoint '/sociopro/profile/updateprofile', affecting the 'name' parameter via POST. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and...

CVSS 5.1, AI score 5.9, EPSS 0.00195
Exploits: 0, References: 1
NVD, added 2025/12/02 1:15 p.m.

CVE-2025-40700

Reflected cross-site scripting (XSS) in IDI Eikon's Governalia. The vulnerability allows an attacker to execute JavaScript code in the victim's browser when a malicious URL with the 'q' parameter in '/search' is sent to them. This vulnerability can be exploited to steal sensitive information such a...

CVSS 6.1, EPSS 0.00038
Exploits: 0, References: 2
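The reflected 'q'-parameter entries in this list (OpenCms, gi-docgen, Governalia, the Moodle search field) and the stored-name entries (Budibase's {@html} command palette, the UltimatePOS and Sociopro 'name' parameters) share one defect: untrusted text is concatenated into markup, so the browser parses it as HTML. The block below is an added example written for this page, not code from any of those projects. It shows the vulnerable rendering beside the escaped form, plus the reflection check a tester would run against a response body. The page shape, function names and the payload string are assumptions; Svelte's {@html} and element.innerHTML behave like the unsafe function here when fed the same string.

```javascript
// Added example, not code from any project listed on this page.
// Function names, page shape and the payload below are assumptions.

// Escape the five characters that change meaning inside an element body or a
// double-quoted attribute value. This is the whole fix for the entries above:
// escape at the point where data enters an HTML context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Pull the search term out of a URL the way a /search?q=... handler would.
function extractQuery(url) {
  return new URL(url).searchParams.get('q') ?? '';
}

// Vulnerable rendering: the raw value is spliced into the template string,
// exactly what {@html name} or el.innerHTML = `...${q}...` does.
function renderSearchHeadingUnsafe(q) {
  return `<h1>Results for "${q}"</h1>`;
}

// Hardened rendering: same markup, every interpolation escaped.
function renderSearchHeadingSafe(q) {
  return `<h1>Results for "${escapeHtml(q)}"</h1>`;
}

// Tester's check: if the marker survives verbatim in the response body, the
// markup characters in it were not encoded and a payload in that position
// would be parsed as HTML. Use a marker that contains <, >, " and '.
function reflectsUnescaped(html, marker) {
  return html.includes(marker);
}

// Constructed payload for the demo (fabricated sample input, no network).
const PAYLOAD = '"><img src=x onerror=alert(document.cookie)>';

function demo(url = 'https://search.example.invalid/search?q=' + encodeURIComponent(PAYLOAD)) {
  const q = extractQuery(url);
  const unsafe = renderSearchHeadingUnsafe(q);
  const safe = renderSearchHeadingSafe(q);
  return {
    unsafeReflects: reflectsUnescaped(unsafe, PAYLOAD),
    safeReflects: reflectsUnescaped(safe, PAYLOAD),
    safeHtml: safe,
  };
}

console.log(demo());
```

Output encoding is context-specific: the escaper above is correct for element text and quoted attribute values, but a value placed into a URL, a JavaScript string literal or a CSS property needs that context's encoder instead. For stored cases such as the Budibase entity names, escaping on output is still the control that matters; rejecting angle brackets on input is a useful second layer, not a replacement.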
EUVD, added 2025/11/18 12:30 p.m.

EUVD-2025-197975

Stored cross-site scripting (XSS) vulnerability in WinPlus v24.11.27 by Informática del Este, due to a lack of proper validation of user input when sending a POST request using the 'descripcion' parameter in '/WinplusPortal/ws/sWinplus...

CVSS 5.1, AI score 5.1, EPSS 0.00032
Exploits: 0, References: 2
CVE, added 2025/11/18 11:26 a.m.

CVE-2025-41349

CVE-2025-41349 affects WinPlus v24.11.27 by Informática del Este. A Stored XSS flaw arises from insufficient validation of the descripcion parameter sent via POST to the API endpoint /WinplusPortal/ws/sWinplus.svc/json/savesolpla_post, exploitable by a remote attacker against an authenticated use...

CVSS 5.4, AI score 5.2, EPSS 0.00032
Exploits: 0, References: 1, Affected Software: 1
RedhatCVE, added 2025/11/11 9:31 a.m.

CVE-2025-41107

Stored cross-site scripting (XSS) vulnerability in Smart School 7.0 due to lack of proper validation of user input when sending a POST request to '/onlineadmission', which affects the parameters 'firstname', 'lastname', 'guardianname' and others. This vulnerability could allow a remote user to send ...

CVSS 5.4, AI score 5.6, EPSS 0.00032
Exploits: 0, References: 1
Cvelist, added 2025/11/10 9:09 a.m.

CVE-2025-41107 Stored XSS in Smart School

Stored cross-site scripting (XSS) vulnerability in Smart School 7.0 due to lack of proper validation of user input when sending a POST request to '/onlineadmission', which affects the parameters 'firstname', 'lastname', 'guardianname' and others. This vulnerability could allow a remote user to send ...

CVSS 5.1, EPSS 0.00032
Exploits: 0, References: 1
Cvelist, added 2025/11/06 12:00 a.m.

CVE-2025-63588

An unauthenticated reflected cross-site scripting vulnerability in the query handling of CMSimpleXH allows remote attackers to inject and execute arbitrary JavaScript in a victim's browser via a crafted request (e.g., a maliciously crafted login POST). Successful exploitation may lead to theft of...

EPSS 0.00055
Exploits: 1, References: 2