34 matches found

Vulnrichment
added 2026/05/27 6:00 a.m., 9 views

CVE-2026-6268 EventPress < 22.2 – Reflected Cross-Site Scripting

The EventPress WordPress theme before 22.2 does not sanitize or escape the 'id' parameter in the eventpresscustomizernotifydismissaction AJAX handler before outputting it back in the response, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting attacks against logged-in...

AI score 5.8, EPSS 0.00164
Exploits 0, References 1

EUVD
added 2026/05/27 6:00 a.m., 10 views

EUVD-2026-32097

The EventPress WordPress theme before 22.2 does not sanitize or escape the 'id' parameter in the eventpresscustomizernotifydismissaction AJAX handler before outputting it back in the response, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting attacks against logged-in...

CVSS 7.1, AI score 5.8, EPSS 0.00164
Exploits 0, References 1

CVE
added 2026/05/27 6:00 a.m., 21 views

CVE-2026-6268

The advisory concerns the EventPress WordPress theme before 22.2. The issue is that the id parameter in the eventpress_customizer_notify_dismiss_action AJAX handler is not sanitized or escaped before it is echoed in the response. This leads to Reflected Cross-Site Scripting (XSS) that can be exec...

CVSS 7.1, AI score 5.8, EPSS 0.00164
Exploits 0, References 1

NVD
added 2026/05/21 6:16 p.m., 8 views

CVE-2026-48228

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patientw.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id and ticketid GET parameters directly into an HTML form action URL. Attackers ca...

CVSS 5.4, EPSS 0.00169
Exploits 0, References 3

Positive Technologies
added 2026/05/21 12:00 a.m., 7 views

PT-2026-42505

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id and ticket id GET parameters directly into an HTML form action URL. Attackers ca...

CVSS 5.4, AI score 5.8, EPSS 0.00169
Exploits 0, References 4

NVD
added 2026/05/20 8:16 p.m., 10 views

CVE-2026-35007

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in singleunit.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id GET parameter directly into an HTML attribute. Attackers can craft a maliciou...

CVSS 5.1, EPSS 0.00221
Exploits 0, References 3

Positive Technologies
added 2026/05/20 12:00 a.m., 8 views

PT-2026-42249

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in single unit.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id GET parameter directly into an HTML attribute. Attackers can craft a malicio...

CVSS 5.1, AI score 5.8, EPSS 0.00221
Exploits 0, References 4

CVE
added 2026/03/27 10:10 p.m., 13 views

CVE-2026-33991

CVE-2026-33991 affects WeGIA (web manager for charitable institutions). Before version 3.6.7, html/socio/sistema/deletar_tag.php uses extract($_REQUEST) and directly concatenates $id_tag into SQL queries (no prepared statements/sanitization), enabling SQL injection. This results in potential data...

CVSS 8.8, AI score 5.9, EPSS 0.00392
Exploits 1, References 1, Affected Software 1

VulnCheck KEV
added 2026/03/09 12:00 a.m., 11 views

VulnCheck KEV: CVE-2022-0948

The Order Listener for WooCommerce WordPress plugin before 3.2.2 does not sanitise and escape the id parameter before using it in a SQL statement via a REST route available to unauthenticated users, leading to an SQL injection...

CVSS 9.8, AI score 5.9, EPSS 0.09792
In wild, Exploits 2, References 18

OSV
added 2025/12/23 8:15 p.m., 3 views

CVE-2023-53982

PMB 7.4.6 contains a SQL injection vulnerability in the storage parameter of the ajax.php endpoint that allows remote attackers to manipulate database queries. Attackers can exploit the unsanitized 'id' parameter by injecting conditional sleep statements to extract information or perform time-bas...

CVSS 7.5, AI score 5.9, EPSS 0.00558
Exploits 1, References 4

NVD
added 2025/12/23 8:15 p.m., 3 views

CVE-2023-53982

PMB 7.4.6 contains a SQL injection vulnerability in the storage parameter of the ajax.php endpoint that allows remote attackers to manipulate database queries. Attackers can exploit the unsanitized 'id' parameter by injecting conditional sleep statements to extract information or perform time-bas...

CVSS 9.3, EPSS 0.00558
Exploits 1, References 4

Cvelist
added 2025/12/23 7:34 p.m., 26 views

CVE-2023-53982 PMB 7.4.6 SQL Injection Vulnerability via Unsanitized Storage Parameter

PMB 7.4.6 contains a SQL injection vulnerability in the storage parameter of the ajax.php endpoint that allows remote attackers to manipulate database queries. Attackers can exploit the unsanitized 'id' parameter by injecting conditional sleep statements to extract information or perform time-bas...

CVSS 9.3, EPSS 0.00558
Exploits 1, References 4

Positive Technologies
added 2025/12/23 12:00 a.m., 3 views

PT-2025-52840

Name of the Vulnerable Software and Affected Versions: PMB version 7.4.6. Description: The software contains a SQL injection issue in the storage parameter of the 'ajax.php' endpoint. This allows remote attackers to manipulate database queries. The unsanitized id parameter is exploitable by...

CVSS 9.3, AI score 7.6, EPSS 0.00558
Exploits 1, References 9

Tenable Nessus
added 2025/08/18 12:00 a.m., 4 views

Linux Distros Unpatched Vulnerability : CVE-2020-5225

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Log injection in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script, which receives error reports and sends them via email to the system...

CVSS 5.5, AI score 5.8, EPSS 0.00586
Exploits 0, References 2

RedhatCVE
added 2025/05/22 10:02 p.m., 4 views

CVE-2022-0189

The WP RSS Aggregator WordPress plugin before 4.20 does not sanitise and escape the id parameter in the wprssfetchitemsrowaction AJAX action before outputting it back in the response, leading to a Reflected Cross-Site Scripting...

CVSS 6.1, AI score 6.5, EPSS 0.02228
Exploits 2, References 1

CNNVD
added 2023/05/14 12:00 a.m., 4 views

Billing Management System SQL Injection Vulnerability

Billing Management System is a simple web application for managing customer billing for electricity supplier companies. A SQL injection vulnerability exists in Billing Management System v1.0, which stems from a lack of validation of externally entered SQL statements in the parameter id of...

CVSS 8.8, AI score 8.2, EPSS 0.00824
Exploits 1, References 4

CNNVD
added 2023/04/14 12:00 a.m., 2 views

Campcodes Online Traffic Offense Management System Cross-Site Scripting Vulnerability

Campcodes Online Traffic Offense Management System is a web-based traffic offense management system. A cross-site scripting vulnerability exists in Campcodes Online Traffic Offense Management System v1.0, which stems from the lack of effective filtering and escaping of user-supplied data in the...

CVSS 6.1, AI score 6.2, EPSS 0.00572
Exploits 1, References 4

ATTACKERKB
added 2022/06/08 10:15 a.m., 5 views

CVE-2022-1686

The Five Minute Webshop WordPress plugin through 1.3.2 does not sanitise and escape the id parameter before using it in a SQL statement when editing a product via the admin dashboard, leading to an SQL Injection...

CVSS 4, AI score 5.9, EPSS 0.00746
Exploits 2, References 3

CNNVD
added 2022/06/02 12:00 a.m., 2 views

ZZCMS SQL Injection Vulnerability

ZZCMS is a content management system CMS from the ZZCMS team in China. zzCMS version 2019 is vulnerable to SQL injection, which stems from the lack of security filtering of the id parameter in /dl/dldownload.php. No detailed vulnerability details are provided at this time...

CVSS 9.8, AI score 5.8, EPSS 0.01385
Exploits 1, References 2

CNNVD
added 2022/06/02 12:00 a.m., 5 views

ZZCMS SQL Injection Vulnerability

ZZCMS is a content management system CMS from the ZZCMS team in China. zzCMS version 2019 is vulnerable to SQL injection, which stems from the lack of security filtering of the id parameter in /dl/dlprint.php. No detailed vulnerability details are provided at this time...

CVSS 9.8, AI score 5.8, EPSS 0.01385
Exploits 1, References 2