82 matches found
CVE-2026-44214
CVE-2026-44214 concerns eventsource-encoder where unsanitized event and id fields can inject SSE line terminators, enabling forged SSE fields/messages. Affects versions prior to 1.0.2; patch released in 1.0.2 that validates/escapes those fields. Public advisories (GHSA, OSV, CVS) describe the imp...
CVE-2026-44214 eventsource-encoder: SSE event injection via unsanitized event and id fields
eventsource-encoder encodes events as well-formed EventSource/Server Sent Event SSE messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Event...
Mattermost doesn't sanitize sensitive configuration fields in the Mattermost Calls plugin
Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13, 11.4.x = 11.4.3 fail to sanitize sensitive configuration fields in the Mattermost Calls plugin which allows an attacker with access to a support packet to obtain TURN server credentials via the plaintext values present in the exported plugi...
GHSA-82J6-4FQ7-FX62 Mattermost doesn't sanitize sensitive configuration fields in the Mattermost Calls plugin
Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13, 11.4.x = 11.4.3 fail to sanitize sensitive configuration fields in the Mattermost Calls plugin which allows an attacker with access to a support packet to obtain TURN server credentials via the plaintext values present in the exported plugi...
CVE-2026-6347
Summary: CVE-2026-6347 affects Mattermost releases 11.5.x up to 11.5.1, 11.4.x up to 11.4.3, and 10.11.x up to 10.11.13. The vulnerability arises in the Mattermost Calls plugin where sensitive configuration fields are not sanitized. This allows an attacker with access to a support packet to obtai...
CVE-2026-6347
Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13, 11.4.x = 11.4.3 fail to sanitize sensitive configuration fields in the Mattermost Calls plugin which allows an attacker with access to a support packet to obtain TURN server credentials via the plaintext values present in the exported plugi...
CVE-2026-44217 sse-channel: SSE Injection via unsanitized event fields
sse-channel is an SSE-implementation which can be used to any node.js http request/response stream. Prior to 4.0.1, implementations that allow user-provided values to be passed to event, retry or id fields are susceptible to event spoofing, where an attacker could inject arbitrary messages into t...
CVE-2026-44217 sse-channel: SSE Injection via unsanitized event fields
sse-channel is an SSE-implementation which can be used to any node.js http request/response stream. Prior to 4.0.1, implementations that allow user-provided values to be passed to event, retry or id fields are susceptible to event spoofing, where an attacker could inject arbitrary messages into t...
CVE-2022-50945 WordPress 3dady Real-Time Web Stats 1.0 Stored XSS
WordPress 3dady Real-Time Web Stats plugin 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by exploiting unsanitized input fields. Attackers can insert JavaScript payloads in the dadyinputtext or dady2inputtext fields via...
eventsource-encoder vulnerable to SSE event injection via unsanitized `event` and `id` fields
Summary eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events line terminators \n, \r, or \r\n and thereby forge additional SSE fields or entire messages on the...
NPM: eventsource-encoder vulnerable to SSE event injection via unsanitized `event` and `id` fields
NPM: eventsource-encoder vulnerable to SSE event injection via unsanitized event and id fields vulnerability discovered by ? in WordPress Npm eventsource-encoder versions = 1.0.1...
GHSA-M9G3-3G99-MHPX eventsource-encoder vulnerable to SSE event injection via unsanitized `event` and `id` fields
Summary eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events line terminators \n, \r, or \r\n and thereby forge additional SSE fields or entire messages on the...
CVE-2026-7457
The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 5.5.0. This is due to insufficient input sanitization on the customer cabinet profile update endpoint — where raw POST parameters firstname, lastname, phone, notes bypass sanitizati...
EUVD-2026-27544
The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 5.5.0. This is due to insufficient input sanitization on the customer cabinet profile update endpoint — where raw POST parameters firstname, lastname, phone, notes bypass sanitizati...
GHSA-84HM-WFH8-C5PG sse-channel: SSE Injection via unsanitized event fields
Impact Implementations that allows user-provided values to be passed to event, retry or id fields would be susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream. - Event Spoofing: Attacker can inject arbitrary SSE events into the stream - Client-side...
NPM: sse-channel: SSE Injection via unsanitized event fields
NPM: sse-channel: SSE Injection via unsanitized event fields vulnerability discovered by ? in WordPress Npm sse-channel versions = 4.0.0...
sse-channel: SSE Injection via unsanitized event fields
Impact Implementations that allows user-provided values to be passed to event, retry or id fields would be susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream. - Event Spoofing: Attacker can inject arbitrary SSE events into the stream - Client-side...
CRLF Injection
Overview sse-channel is a Server-Sent Events "channel" where all messages are broadcasted to all connected clients, history is maintained automatically and server attempts to keep clients alive by sending "keep-alive" packets automatically. Affected versions of this package are vulnerable to CRLF...
GHSA-MPH4-Q2VM-W2PW Amazon EFS CSI Driver has mount option injection via unsanitized volumeHandle and mounttargetip fields
Summary The Amazon EFS CSI Driver is a Container Storage Interface driver that allows Kubernetes clusters to use Amazon Elastic File System. An issue exists where, under certain circumstances, unsanitized values in the volumeHandle and mounttargetip fields are passed directly to the mount command...
Amazon EFS CSI Driver has mount option injection via unsanitized volumeHandle and mounttargetip fields
Summary The Amazon EFS CSI Driver is a Container Storage Interface driver that allows Kubernetes clusters to use Amazon Elastic File System. An issue exists where, under certain circumstances, unsanitized values in the volumeHandle and mounttargetip fields are passed directly to the mount command...