EUVD-2026-39160

OS Command Injection vulnerability in the processstring action of Rapid7 InsightConnect AWK Plugin on Linux allows remote attackers to execute arbitrary OS commands via the text or expression parameters due to unsafe shell command construction in the processing pipeline...

CVE-2026-8905

The CVE concerns the Osiris Signature Banner WordPress plugin (versions up to and including 0.5). The root cause is missing or incorrect nonce validation on a function, enabling Cross-Site Request Forgery (CSRF). This could allow unauthenticated attackers to update plugin settings and inject mali...

CVE-2026-8905 Osiris Signature Banner <= 0.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'prepend_text' Parameter

The Osiris Signature Banner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious...

CVE-2018-25384

Wikidforum 2.20 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted HTML in the replytext parameter. Attackers can post comments containing JavaScript code through the rpc.php endpoint that executes in other users'...

CVE-2018-25384

Wikidforum 2.20 contains a cross-site scripting vulnerability: authenticated attackers can inject JavaScript by submitting crafted HTML in the reply_text parameter via the rpc.php endpoint, causing scripts to execute in other users’ browsers when viewing forum replies. The CVE entry provides this...

CVE-2018-25384 Wikidforum 2.20 Cross-Site Scripting via reply_text Parameter

Wikidforum 2.20 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted HTML in the replytext parameter. Attackers can post comments containing JavaScript code through the rpc.php endpoint that executes in other users'...

EUVD-2026-31645

A vulnerability has been found in DTStack Taier 1.4.0. This affects the function Runtime.exec of the component REST API. The manipulation of the argument sqlText leads to os command injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may ...

CVE-2026-29963

HSC MailInspector 5.3.3-7 has a Path Traversal vulnerability due to improper validation of user-supplied input in the /tap/dw.php endpoint. The text parameter is used to construct file paths without adequate normalization or restriction to a safe base directory. A remote attacker can exploit this...

CVE-2026-29963

CVE-2026-29963 affects HSC MailInspector 5.3.3-7. The vulnerability is a Path Traversal in the /tap/dw.php endpoint where the text parameter is used to build file paths without proper normalization or safe base-directory restriction. This improper input validation can allow a remote attacker to a...

CVE-2026-29963

HSC MailInspector 5.3.3-7 has a Path Traversal vulnerability due to improper validation of user-supplied input in the /tap/dw.php endpoint. The text parameter is used to construct file paths without adequate normalization or restriction to a safe base directory. A remote attacker can exploit this...

EUVD-2026-30783

HSC MailInspector 5.3.3-7 has a Path Traversal vulnerability due to improper validation of user-supplied input in the /tap/dw.php endpoint. The text parameter is used to construct file paths without adequate normalization or restriction to a safe base directory. A remote attacker can exploit this...

PT-2026-41706

HSC MailInspector 5.3.3-7 has a Path Traversal vulnerability due to improper validation of user-supplied input in the /tap/dw.php endpoint. The text parameter is used to construct file paths without adequate normalization or restriction to a safe base directory. A remote attacker can exploit this...

PT-2026-34664

SocialEngine versions 7.8.0 and prior contain a SQL injection vulnerability in the /activity/index/get-memberall endpoint where user-supplied input passed via the text parameter is not sanitized before being incorporated into a SQL query. An unauthenticated remote attacker can exploit this...

📄 SocialEngine 7.8.0 SQL Injection

SocialEngine versions 7.8.0 and below suffer from a remote SQL injection vulnerability. User input passed through the text request parameter to the /activity/index/get-memberall endpoint is not properly sanitized before being used to construct an SQL query...

EUVD-2026-14353

A vulnerability was determined in SourceCodester Sales and Inventory System 1.0. This impacts an unknown function of the file /viewcategory.php of the component HTTP POST Request Handler. This manipulation of the argument searchtxt causes sql injection. Remote exploitation of the attack is...

RealtyScript 跨站脚本漏洞

RealtyScript is a real estate website management system developed by RealtyScript Corporation. Version 4.0.2 of RealtyScript contains a cross-site scripting vulnerability. This vulnerability stems from improper cleaning of text parameters, which may allow attackers to inject malicious HTML and...

CVE-2015-20119

CVE-2015-20119 affects RealtyScript 4.0.2 (Next Click Ventures). It is a stored cross-site scripting vulnerability in the pages.php admin interface: an authenticated attacker can submit crafted iframe payloads via the text parameter to the add page action, storing malicious content that executes ...

CVE-2015-20119

Next Click Ventures RealtyScript 4.0.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious HTML and iframe elements through the text parameter in the pages.php admin interface. Attackers can submit POST requests to the add page action with...

CVE-2015-20119 RealtyScript 4.0.2 Stored Cross-Site Scripting via text Parameter in pages.php

Next Click Ventures RealtyScript 4.0.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious HTML and iframe elements through the text parameter in the pages.php admin interface. Attackers can submit POST requests to the add page action with...

CVE-2026-2486

The Master Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'maelbhtablebtntext' parameter in versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...