26 matches found
Jenkins 安全漏洞
Jenkins is an open-source application developed by Jenkins Project. The open-source automation server Jenkins offers hundreds of plugins to support building, deploying, and automating any project. Versions 2.483 to 2.567, as well as LTS versions 2.492.1 to 2.555.2, have security vulnerabilities...
CVE-2026-5776
The Email Encoder WordPress plugin before 2.4.7 does not escape email addresses retrieved via user input, allowing unauthenticated attackers to perform Stored XSS attacks...
CVE-2026-45628
Dokploy is a free, self-hostable Platform as a Service PaaS. In 0.29.2 and earlier, Dokploy constructs shell commands using JavaScript template literals and executes them via childprocess.exec which runs through /bin/sh -c. User-supplied branch names, repository URLs, and Docker credentials are...
CVE-2026-5776
The Email Encoder WordPress plugin before 2.4.7 does not escape email addresses retrieved via user input, allowing unauthenticated attackers to perform Stored XSS attacks...
EUVD-2025-8839
Malicious code in bioql PyPI...
Log Injection
Django is vulnerable to log injection. The vulnerability is due to unescaped user input in request.path during internal HTTP response logging, allowing attackers to manipulate logs, forge entries, or hide malicious activity...
CVE-2021-24385
The Filebird Plugin 4.7.3 introduced a SQL injection vulnerability as it is making SQL queries without escaping user input data from a HTTP post request. This is a major vulnerability as the user input is not escaped and passed directly to the getcol function and it allows SQL injection. The Rest...
CVE-2021-24862
The RegistrationMagic WordPress plugin before 5.0.1.6 does not escape user input in its rmchronosajax AJAX action before using it in a SQL statement when duplicating tasks in batches, which could lead to a SQL injection issue...
Beego allows Reflected/Stored XSS in Beego's RenderForm() Function Due to Unescaped User Input
Summary A Cross-Site Scripting XSS vulnerability exists in Beego's RenderForm function due to improper HTML escaping of user-controlled data. This vulnerability allows attackers to inject malicious JavaScript code that executes in victims' browsers, potentially leading to session hijacking,...
GHSA-2J42-H78H-Q4FG Beego allows Reflected/Stored XSS in Beego's RenderForm() Function Due to Unescaped User Input
Summary A Cross-Site Scripting XSS vulnerability exists in Beego's RenderForm function due to improper HTML escaping of user-controlled data. This vulnerability allows attackers to inject malicious JavaScript code that executes in victims' browsers, potentially leading to session hijacking,...
AgentScope 安全漏洞
AgentScope is a ModelScope open source application. Build LLM-based multi-intelligence applications more simply. A security vulnerability exists in AgentScope that stems from user-controllable strings that are not properly cleaned and escaped, which could lead to a stored cross-site scripting...
Extension:TabberNeue vulnerable to Cross-site Scripting
Summary There are several sources of arbitrary, unescaped user input being used to construct HTML, which allows any user that can edit pages or otherwise render wikitext to XSS other users. Edit: Only the first XSS can be reproduced in production. Details ✅ Verified and patched in...
GHSA-4X6X-8RM8-C37J Extension:TabberNeue vulnerable to Cross-site Scripting
Summary There are several sources of arbitrary, unescaped user input being used to construct HTML, which allows any user that can edit pages or otherwise render wikitext to XSS other users. Edit: Only the first XSS can be reproduced in production. Details ✅ Verified and patched in...
CVE-2024-53257
Vitess CVE-2024-53257 affects the vtgate/vttablet status pages (/debug/querylogz and /debug/env). Input is not escaped, allowing HTML injection on monitoring pages because those endpoints render with text/template. Fixed in Vitess releases 19.0.8, 20.0.4, and 21.0.1. Exploitation details are prov...
EmbedPress < 3.9.2 - Reflected XSS
Description The plugin does not sanitise and escape user input before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open a page containing the HTML code below...
Symfony potential Cross-site Scripting in WebhookController
Description The error message in WebhookController returns unescaped user-submitted input. Resolution WebhookController now doesn't return any user-submitted input in its response. The patch for this issue is available here for branch 6.3. Credits We would like to thank Maxime Aknin for reporting...
WordPress Plugin Message ticker SQL Injection Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. WordPress is a blogging platform developed in the PHP language that supports personal blogs on PHP and MySQL servers.WordPress plugin is an application...
WordPress 插件跨站脚本漏洞
WordPress is the Wordpress Foundation's set of blogging platform developed using the PHP language . The platform supports personal blog sites on servers running PHP and MySQL.WordPress plugin is an open source application plugin for WordPress. A cross-site scripting vulnerability exists in versio...
OS Command Injection in falconchristmas/fpp
✍️ Description Hi, it is possible to inject arbitrary OS commands in https://github.com/FalconChristmas/fpp/blob/59b7f7e8039a7019143c2c4b44f7d95b6358a4ef/www/formatstorage.phpL24 php &1"; echo "Command: $command\n"; echo...
MyBookTable <= 3.2.2 - Multiple XSS
Version WPScan Team: v3.2.2 implemented numerous sanitisation improvements, however there was still at least one DOM XSS: https:///wp-admin/admin.php?page=mbthelpvideotutorial= June 30th - Vendor Contacted about the DOM XSS June 30th - Fix pushed in Trunk, vendor also reviewed all other usage of...