Lucene search
K

282 matches found

Nuclei
Nuclei
added yesterday62 views

Rukovoditel <= 3.2.1 - Cross Site Scripting

Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting XSS vulnerability in /index.php?module=configuration/application. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Copyright Text field after clicking...

5.4CVSS6.2AI score0.00906EPSS
Exploits1References4
NVD
NVD
added 2026/07/01 5:16 a.m.8 views

CVE-2026-12127

The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences 'CRLF Injection' in all versions up to, and including, 1.10.2 This is due to getreplytoaddress processing the Reply-To...

5.3CVSS0.00343EPSS
Exploits0References11
ATTACKERKB
ATTACKERKB
added 2026/06/26 12:0 a.m.6 views

CVE-2026-50765

A stored cross-site scripting XSS vulnerability in the patron restriction type administration page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label...

6.1CVSS5.8AI score0.0022EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2026/05/11 8:26 p.m.11 views

CVE-2021-47948

WordPress GetPaid Plugin 2.4.6 contains an HTML injection vulnerability that allows authenticated attackers to inject arbitrary HTML code by exploiting the Help Text field in payment forms. Attackers can inject malicious HTML including image tags and scripts into the Help Text field during paymen...

5.4CVSS6AI score0.00169EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/10 3:31 p.m.36 views

EUVD-2021-34808

WordPress GetPaid Plugin 2.4.6 contains an HTML injection vulnerability that allows authenticated attackers to inject arbitrary HTML code by exploiting the Help Text field in payment forms. Attackers can inject malicious HTML including image tags and scripts into the Help Text field during paymen...

5.4CVSS6AI score0.00169EPSS
Exploits0References4
NVD
NVD
added 2026/05/10 1:16 p.m.56 views

CVE-2021-47948

WordPress GetPaid Plugin 2.4.6 contains an HTML injection vulnerability that allows authenticated attackers to inject arbitrary HTML code by exploiting the Help Text field in payment forms. Attackers can inject malicious HTML including image tags and scripts into the Help Text field during paymen...

5.4CVSS0.00169EPSS
Exploits0References3
CVE
CVE
added 2026/05/10 12:44 p.m.25 views

CVE-2021-47948

The CVE-2021-47948 entry concerns WordPress GetPaid Plugin 2.4.6 with an HTML-injection vulnerability. It allows authenticated attackers to inject arbitrary HTML via the Help Text field in payment forms, with the injected HTML stored in the database and executed in the browser when the form is vi...

5.4CVSS6AI score0.00169EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/04/05 8:45 p.m.3 views

CVE-2019-25660

LanHelper 1.74 contains a local buffer overflow vulnerability that allows attackers to crash the application by sending excessively long input strings. Attackers can exploit the Form Send Message feature by pasting 6000 bytes of data into the Message text field to trigger a denial of service...

6.9CVSS6.2AI score0.00228EPSS
Exploits1References3Affected Software1
Cvelist
Cvelist
added 2026/03/23 11:25 p.m.29 views

CVE-2026-4001 Woocommerce Custom Product Addons Pro <= 5.4.1 - Unauthenticated Remote Code Execution via Custom Pricing Formula

The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.4.1 via the custom pricing formula eval in the processcustomformula function within includes/process/price.php. This is due to insufficient sanitization an...

9.8CVSS0.00707EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/03/16 4:39 p.m.27 views

XSS in @leanprover/unicode-input-component

Impact Projects that use @leanprover/unicode-input-component are vulnerable to an XSS exploit in 0.1.9 of the package and lower. The component re-inserted text in the input element back into the input element as unescaped HTML. Patches The issue has been resolved in 0.2.0. Workarounds Replace the...

5.7AI score0.00327EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/02 7:51 p.m.6 views

NocoDB Vulnerable to Stored Cross-site Scripting via Rich Text Field

Summary An authenticated user with Editor role can inject arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API. Details The TipTap editor sanitizes HTML client-side, but the backend stores raw HTML without server-side sanitization. The stored content...

5.4CVSS6AI score0.00147EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/03/02 4:17 p.m.25 views

CVE-2026-28359 NocoDB: Stored Cross-Site Scripting via Rich Text Field

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Editor role can inject arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API. This issue has been patched in version 0.301.3...

5.3CVSS0.00147EPSS
Exploits0References2
OSV
OSV
added 2026/03/02 4:17 p.m.4 views

CVE-2026-28359 NocoDB: Stored Cross-Site Scripting via Rich Text Field

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Editor role can inject arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API. This issue has been patched in version 0.301.3...

5.3CVSS5.9AI score0.00147EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/02/27 6:43 a.m.7 views

CVE-2025-14040

The Automotive Car Dealership Business WordPress Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Call to Action' custom fields in all versions up to, and including, 13.4. This is due to insufficient input sanitization and output escaping on user-supplied attributes in th...

6.4CVSS6AI score0.00269EPSS
Exploits0References4
Snyk
Snyk
added 2026/02/05 8:51 p.m.3 views

SQL Injection

Overview Affected versions of this package are vulnerable to SQL Injection when querying JSON or richText fields. An attacker can extract sensitive information and gain unauthorized access to user accounts by injecting crafted SQL statements. Note: This is only exploitable if a Drizzle-based...

9.8CVSS5.8AI score0.00453EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/02/05 8:51 p.m.18 views

@payloadcms/drizzle has SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters

Impact When querying JSON or richText fields, user input was directly embedded into SQL without escaping, enabling blind SQL Injection attacks. An unauthenticated attacker could extract sensitive data emails, password reset tokens and achieve full account takeover without password cracking. Users...

9.8CVSS5.8AI score0.00453EPSS
Exploits0References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/02/05 8:25 a.m.5 views

CVE-2026-1319 Robin Image Optimizer <= 2.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Image Alternative Text Field

The Robin Image Optimizer – Unlimited Image Optimization & WebP Converter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Alternative Text' field of a Media Library image in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output...

6.4CVSS5.6AI score0.00205EPSS
Exploits0References2
NVD
NVD
added 2026/01/23 5:16 p.m.6 views

CVE-2021-47906

BloofoxCMS 0.5.2.1 contains a stored cross-site scripting vulnerability in the articles text parameter that allows authenticated attackers to inject malicious scripts. Attackers can insert malicious javascript payloads in the text field to execute scripts and potentially steal authenticated users...

6.4CVSS0.00197EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/01/23 4:47 p.m.5 views

CVE-2021-47906 BloofoxCMS 0.5.2.1 - 'text' Stored Cross Site Scripting

BloofoxCMS 0.5.2.1 contains a stored cross-site scripting vulnerability in the articles text parameter that allows authenticated attackers to inject malicious scripts. Attackers can insert malicious javascript payloads in the text field to execute scripts and potentially steal authenticated users...

6.4CVSS5.2AI score0.00197EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2025/11/10 1:37 a.m.2 views

rack: Rack's multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)

A flaw was found in Rack where Rack::Multipart::Parser stores non-file form fields entirely in memory without size limits. An attacker can send a multipart/form-data request with an extremely large text field, causing the server to allocate large amounts of memory which leads to a denial of servi...

7.5CVSS6.7AI score0.00528EPSS
Exploits0References8
Rows per page
Query Builder