190 matches found

NVD
added 2026/03/10 6:18 p.m.

CVE-2026-30930

Glances is an open-source, cross-platform system monitoring tool. Prior to 4.5.1, the TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize method wraps string values in single quotes but does not escape embedded single...

CVSS 9.8, EPSS 0.00034
Exploits: 1, References: 3

OSV
added 2026/03/10 6:18 p.m.

UBUNTU-CVE-2026-30930

Glances is an open-source, cross-platform system monitoring tool. Prior to 4.5.1, the TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize method wraps string values in single quotes but does not escape embedded single...

CVSS 9.8, AI score 5.9, EPSS 0.00034
Exploits: 1, References: 3

Cvelist
added 2026/03/10 4:16 p.m.

CVE-2026-30930 Glances has SQL Injection via Process Names in TimescaleDB Export

Glances is an open-source, cross-platform system monitoring tool. Prior to 4.5.1, the TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize method wraps string values in single quotes but does not escape embedded single...

CVSS 8.6, EPSS 0.00034
Exploits: 1, References: 3

EUVD
added 2026/03/10 4:16 p.m.

EUVD-2026-10542

Glances is an open-source, cross-platform system monitoring tool. Prior to 4.5.1, the TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize method wraps string values in single quotes but does not escape embedded single...

CVSS 8.6, AI score 5.8, EPSS 0.00034
Exploits: 1, References: 3

Snyk
added 2026/03/09 7:51 p.m.

SQL Injection

Overview: Glances is a cross-platform, curses-based monitoring tool. Affected versions of this package are vulnerable to SQL Injection via the normalize function in the TimescaleDB export module, which constructs SQL queries using unsanitized system monitoring data such as process names, filesyst...

CVSS 9.8, AI score 6.7, EPSS 0.00034
Exploits: 1, References: 2

OSV
added 2026/02/19 3:25 p.m.

GHSA-67PG-WM7F-Q7FJ jsPDF Affected by Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions

Impact: User control of the first argument of the addImage method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful GIF file that results in out of memory errors and denial of service. Harmful GIF file...

CVSS 8.7, AI score 5.5, EPSS 0.00084
Exploits: 1, References: 6

Snyk
added 2026/02/18 10:44 p.m.

Cross-site Scripting (XSS)

Overview: org.webjars.npm:fabric is an object model for HTML5 canvas and an SVG-to-canvas parser, backed by jsdom and node-canvas. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the loadFromJSON function, which is used in the FabricObjectSVGExportMixin class to...

CVSS 7.6, AI score 5.3, EPSS 0.00056
Exploits: 1, References: 2

CNNVD
added 2026/02/16 12:00 a.m.

Smoothwall Express cross-site scripting vulnerability

Smoothwall Express is an open-source, GNU/Linux-based firewall operating system from Smoothwall. Smoothwall Express has a cross-site scripting vulnerability. The vulnerability stems from multiple POST parameters of the apcupsd.cgi script lacking effective filtering and escaping of user-supplied data ...

CVSS 6.1, AI score 5.9, EPSS 0.00042
Exploits: 1, References: 3

CVE
added 2026/02/05 4:13 p.m.

CVE-2020-37137

CVE-2020-37137 affects PHP-Fusion 9.03.50. The vulnerability is a remote code execution in the add_panel_form() path where eval() executes unsanitized POST data (panel_content) sent to the panels.php admin endpoint. This can enable arbitrary code execution by an attacker who crafts panel_content ...

CVSS 9.8, AI score 6.7, EPSS 0.00035
Exploits: 1, References: 3, Affected Software: 1

Positive Technologies
added 2026/02/05 12:00 a.m.

PT-2026-6580

Name of the Vulnerable Software and Affected Versions: PHP-Fusion version 9.03.50. Description: The software contains a remote code execution issue in the add panel form function. This allows attackers to execute arbitrary code through the use of an eval function with unsanitized data received via...

CVSS 8.6, AI score 6.7, EPSS 0.00035
Exploits: 1, References: 5

RedhatCVE
added 2026/01/17 8:27 p.m.

CVE-2026-23724

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/atendido/cadastroocorrencia.php endpoint of the WeGIA application. The application does not sanitize user-controlled data before rendering it inside the...

CVSS 5.4, AI score 5.4, EPSS 0.0005
Exploits: 1, References: 1

OSV
added 2026/01/16 7:37 p.m.

CVE-2026-23724 WeGIA Stored Cross-Site Scripting (XSS) – atendido_idatendido Parameter on Occurrence Registration Page

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/atendido/cadastroocorrencia.php endpoint of the WeGIA application. The application does not sanitize user-controlled data before rendering it inside the...

CVSS 4.3, AI score 5.3, EPSS 0.0005
Exploits: 1, References: 5

Github Security Blog
added 2026/01/15 10:40 p.m.

solspace/craft-freeform Vulnerable to XSS in `PhpSpreadsheet` HTML Writer Due to Unsanitized Styling Data

Summary: Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server. \PhpOffice\PhpSpreadsheet\Writer\Html doesn't sanitize spreadsheet styling...

AI score 7.8
Exploits: 0, References: 4, Affected Software: 1

RedhatCVE
added 2026/01/08 5:22 p.m.

CVE-2026-22028

A flaw was found in Preact, a lightweight web development framework. A security regression allows an attacker to bypass JSON serialization protection, leading to HTML injection. This vulnerability arises when applications process unsanitized data from external sources, allowing malicious JSON to ...

CVSS 9.2, AI score 6.5, EPSS 0.00081
Exploits: 1, References: 4

RedhatCVE
added 2026/01/07 9:15 a.m.

CVE-2019-16771

Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized data is used to populate the headers of an HTTP response. This vulnerability has been patched in...

CVSS 6.5, AI score 6.6, EPSS 0.00416
Exploits: 0, References: 1

NVD
added 2025/12/17 5:16 a.m.

CVE-2025-13861

The HTML Forms – Simple WordPress Forms Plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to and including 1.6.0 due to insufficient sanitization of fabricated file upload field metadata before displaying it in the WordPress admin dashboard. This...

CVSS 6.1, EPSS 0.00109
Exploits: 0, References: 4

Veracode
added 2025/12/13 4:43 a.m.

Stored Cross-Site Scripting

Liferay Portal and Liferay DXP are vulnerable to Stored Cross-Site Scripting (XSS). The vulnerability is due to insufficient sanitization of user-controlled input, where the name of a fieldset in Kaleo Forms Admin is stored without proper escaping, allowing an authenticated attacker to persistently...

CVSS 6.1, AI score 5.7, EPSS 0.00044
Exploits: 0, References: 3, Affected Software: 1

OSV
added 2025/12/09 10:43 p.m.

CVE-2025-67496 WeGia is Vulnerable to XSS through id_pessoa Parameter on Password Configuration Page

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Versions 3.5.4 and below contain a Stored Cross-Site Scripting (XSS) vulnerability in the /WeGIA/html/geral/configurarsenhas.php endpoint. The application does not sanitize user-controlled data before...

CVSS 4.3, AI score 5.1, EPSS 0.00026
Exploits: 1, References: 5

Cvelist
added 2025/12/06 3:27 a.m.

CVE-2025-12510 Widgets for Google Reviews <= 13.2.4 - Unauthenticated Stored Cross-Site Scripting via Google Reviews

The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 13.2.4 due to insufficient input sanitization and output escaping on Google Reviews data imported by the plugin. This makes it possible for unauthenticated...

CVSS 7.2, EPSS 0.00184
Exploits: 0, References: 4

Cvelist
added 2025/11/25 11:20 p.m.

CVE-2025-65956 Formwork CMS Has a Stored Cross-Site Scripting (XSS) Vulnerability in Blog Tags

Formwork is a flat file-based Content Management System (CMS). Prior to version 2.2.0, inserting unsanitized data into the blog tag field results in stored cross-site scripting (XSS). Any user with credentials to the Formwork CMS who accesses or edits an affected blog post will have attacker-controll...

CVSS 6.5, EPSS 0.00025
Exploits: 1, References: 3