EUVD-2022-55990
uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the backend/mailingLog/manage module. The datecreated, datefrom, dateto, and createdat parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted...
CVE-2026-6675
The CVE entry maps to a concrete vulnerability in the WordPress Responsive Blocks plugin (versions ≤ 2.2.0). It describes an unauthenticated open email relay via the REST API 'email_to' parameter, enabling abuse of email delivery functions without login. The source does not provide exploit steps ...
Radware Alteon has a reflected XSS vulnerability that can execute JavaScript in the host browser
Overview: Radware Alteon has a reflected Cross-Site Scripting (XSS) vulnerability in the parameter ReturnTo of the route /protected/login. This vulnerability allows an attacker to execute JavaScript in the host browser. Description: CVE-2026-5754: Reflected Cross-Site Scripting (XSS) vulnerability in...
CVE-2026-40039
Pachno 1.0.6 contains an open redirection vulnerability that allows attackers to redirect users to arbitrary external websites by manipulating the returnto parameter. Attackers can craft malicious login URLs with unvalidated returnto values to conduct phishing attacks and steal user credentials...
CVE-2026-40039 Pachno 1.0.6 Open Redirection via return_to Parameter
Pachno 1.0.6 contains an open redirection vulnerability that allows attackers to redirect users to arbitrary external websites by manipulating the returnto parameter. Attackers can craft malicious login URLs with unvalidated returnto values to conduct phishing attacks and steal user credentials...
CVE-2026-40039
CVE-2026-40039 concerns Pachno 1.0.6. The issue is an open redirection in the login flow caused by unvalidated return_to values, enabling attackers to craft links that redirect users to arbitrary external sites for phishing and credential theft. The vulnerability affects the return_to parameter h...
Pachno 1.0.6 Open Redirection
Pachno version 1.0.6 suffers from an open redirection vulnerability. Input passed via the returnto GET/POST parameter to the login endpoint is not properly verified before being used to redirect users. The getLoginForwardUrl helper applies htmlentities to the value which is intended for HTML outp...
Pachno Security Vulnerability
Pachno is an open-source collaboration platform developed by Pachno. Version 1.0.6 of Pachno contains a security vulnerability; this vulnerability stems from the lack of validation for the returnto parameter, which may lead to open redirection and phishing attacks...
PT-2026-32493
Pachno 1.0.6 contains an open redirection vulnerability that allows attackers to redirect users to arbitrary external websites by manipulating the return_to parameter. Attackers can craft malicious login URLs with unvalidated return_to values to conduct phishing attacks and steal user credentials...
Pachno 1.0.6 (return_to) Open Redirection
Summary Pachno is an open-source collaboration platform formerly known as The Bug Genie designed for team project management, issue tracking, and documentation. It offers a module-based, customizable environment for software development and team workflows, distributed under the Mozilla Public...
CVE-2026-33989 @mobilenext/mobile-mcp allows arbitrary file write via Path Traversal in mobile screen capture tools
Mobile Next is an MCP server for mobile development and automation. Prior to version 0.0.49, the @mobilenext/mobile-mcp server contains a Path Traversal vulnerability in the mobilesavescreenshot and mobilestartscreenrecording tools. The saveTo and output parameters were passed directly to...
PT-2026-27441
Name of the Vulnerable Software and Affected Versions: Zimbra Collaboration Suite (ZCS) version 8.8.15. Description: A security issue exists in the Zimbra Collaboration Suite (ZCS) PostJournal service that allows unauthenticated attackers to execute arbitrary system commands. This is possible due to...
PT-2026-26836
The itsukaita plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'day from' and 'day to' parameters in all versions up to, and including, 0.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVE-2026-33209
Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.30.3, a reflected cross-site scripting XSS vulnerability exists in the returnto query parameter used in the avo interface. An attacker can craft a malicious URL that injects arbitrary JavaScript, which is execute...
Avo Cross-Site Scripting Vulnerability
Avo is an open-source Ruby on Rails management panel framework developed by Avo itself. Versions of Avo prior to 3.30.3 contained a cross-site scripting vulnerability. This vulnerability stemmed from the returnto query parameter in the Avo interface, which allowed reflective cross-site scripting...
Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the returnto parameter. An attacker can execute arbitrary JavaScript in the context of the application by enticing a user to click a crafted link containing malicious code. Details: Cross-site scripting or XS...
PT-2026-26213
Name of the Vulnerable Software and Affected Versions: Avo versions prior to 3.30.3. Description: A reflected cross-site scripting (XSS) issue exists in the return to query parameter within the Avo interface. An attacker can create a malicious URL that injects arbitrary JavaScript. This JavaScript is...
CVE-2026-2431
CVE-2026-2431 affects the CM Custom Reports plugin for WordPress. All versions up to and including 1.2.7 are vulnerable due to insufficient input sanitization and output escaping on the date_from/date_to parameters, enabling a reflected Cross-Site Scripting (XSS) attack. This allows unauthenticat...
CVE-2026-1666
The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'redirectto' parameter in all versions up to, and including, 3.3.46. This is due to insufficient input sanitization and output escaping on the 'redirectto' GET parameter in the login form shortcode...