
149 matches found

NVD
added 3 days ago, 9 views

CVE-2026-57676

Authorization Bypass Through User-Controlled Key vulnerability in Matteo Manna Simple User Avatar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple User Avatar: from n/a through 4.9...

CVSS 4.3, EPSS 0.00183
Exploits: 0, References: 1
EUVD
added 3 days ago, 6 views

EUVD-2026-40056

Authorization Bypass Through User-Controlled Key vulnerability in Matteo Manna Simple User Avatar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple User Avatar: from n/a through 4.9...

CVSS 4.3, AI score 5.8, EPSS 0.00183
Exploits: 0, References: 1
CVE
added 3 days ago, 14 views

CVE-2026-57676

Summary: CVE-2026-57676 affects the WordPress plugin “Simple User Avatar” (versions up to and including 4.9). The issue is an Insecure Direct Object References (IDOR) /authorization bypass caused by an authorization check vulnerability tied to a user-controlled key, leading to insecure access due...

CVSS 4.3, AI score 5.8, EPSS 0.00183
Exploits: 0, References: 1
NVD
added 2026/06/18 8:16 a.m., 12 views

CVE-2026-12136

The Customize My Account For Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sysbasicsuseravatar' shortcode in versions up to, and including, 4.3.6. This is due to insufficient input sanitization and output escaping on user supplied attributes minheight,...

CVSS 6.4, EPSS 0.00193
Exploits: 0, References: 5
CVE
added 2026/06/18 6:50 a.m., 27 views

CVE-2026-12136

CVE-2026-12136 affects the WordPress plugin “Customize My Account for WooCommerce” up to version 4.3.6. The root cause is insufficient input sanitization and output escaping on shortcode attributes (min_height, min_width, max_height, max_width) used by sysbasics_user_avatar, which are concatenate...

CVSS 6.4, AI score 5.6, EPSS 0.00193
Exploits: 0, References: 5
EUVD
added 2026/06/18 6:50 a.m., 9 views

EUVD-2026-37859

The Customize My Account For Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sysbasicsuseravatar' shortcode in versions up to, and including, 4.3.6. This is due to insufficient input sanitization and output escaping on user supplied attributes minheight,...

CVSS 6.4, AI score 5.5, EPSS 0.00193
Exploits: 0, References: 5
Cvelist
added 2026/06/18 6:50 a.m., 21 views

CVE-2026-12136 SysBasics Customize My Account for WooCommerce <= 4.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Customize My Account For Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sysbasicsuseravatar' shortcode in versions up to, and including, 4.3.6. This is due to insufficient input sanitization and output escaping on user supplied attributes minheight,...

CVSS 6.4, EPSS 0.00193
Exploits: 0, References: 5
NVD
added 2026/02/23 9:17 a.m., 11 views

CVE-2026-2979

A flaw has been found in FastApiAdmin up to 2.2.0. This issue affects the function useravataruploadcontroller of the file /backend/app/api/v1/modulesystem/user/controller.py of the component Scheduled Task API. Executing a manipulation can lead to unrestricted upload. The attack can be launched...

CVSS 8.8, EPSS 0.00294
Exploits: 1, References: 4
OSV
added 2026/02/23 9:17 a.m., 6 views

CVE-2026-2979

A flaw has been found in FastApiAdmin up to 2.2.0. This issue affects the function useravataruploadcontroller of the file /backend/app/api/v1/modulesystem/user/controller.py of the component Scheduled Task API. Executing a manipulation can lead to unrestricted upload. The attack can be launched...

CVSS 8.8, AI score 5.4, EPSS 0.00294
Exploits: 1, References: 4
CVE
added 2026/02/23 8:02 a.m., 23 views

CVE-2026-2979

CVE-2026-2979 affects FastApiAdmin up to 2.2.0. The vulnerability is in the function user_avatar_upload_controller of /backend/app/api/v1/module_system/user/controller.py (Scheduled Task API). A manipulation can cause unrestricted file upload, enabling a remote attacker to upload arbitrary files....

CVSS 8.8, AI score 6.2, EPSS 0.00294
Exploits: 1, References: 4, Affected Software: 1
ATTACKERKB
added 2026/02/23 8:02 a.m., 3 views

CVE-2026-2979

A flaw has been found in FastApiAdmin up to 2.2.0. This issue affects the function useravataruploadcontroller of the file /backend/app/api/v1/modulesystem/user/controller.py of the component Scheduled Task API. Executing a manipulation can lead to unrestricted upload. The attack can be launched...

CVSS 6.5, AI score 6.2, EPSS 0.00294
Exploits: 1, References: 4
CNNVD
added 2026/02/23 12:00 a.m., 8 views

FastAPI Admin Code Issue Vulnerability

FastAPI Admin is an open-source management dashboard based on FastAPI and TortoiseORM. Versions of FastAPI Admin 2.2.0 and earlier have code vulnerabilities. These vulnerabilities stem from improper handling of the useravatarUploadController function in the file...

CVSS 8.8, AI score 6.7, EPSS 0.00294
Exploits: 1, References: 4
RedhatCVE
added 2026/02/05 1:22 p.m., 6 views

CVE-2025-41085

Stored Cross-Site Scripting XSS vulnerability type in Apidog in the version 2.7.15, where SVG image uploads are not properly sanitized. This allows attackers to embed malicious scripts in SVG files by sending a POST request to '/api/v1/user-avatar', which are then stored on the server and execute...

CVSS 5.1, AI score 5.4, EPSS 0.00243
Exploits: 0, References: 1
NVD
added 2026/02/04 10:16 a.m., 4 views

CVE-2025-41085

Stored Cross-Site Scripting XSS vulnerability type in Apidog in the version 2.7.15, where SVG image uploads are not properly sanitized. This allows attackers to embed malicious scripts in SVG files by sending a POST request to '/api/v1/user-avatar', which are then stored on the server and execute...

CVSS 5.1, EPSS 0.00243
Exploits: 0, References: 1
ATTACKERKB
added 2026/02/04 9:56 a.m., 5 views

CVE-2025-41085

Stored Cross-Site Scripting XSS vulnerability type in Apidog in the version 2.7.15, where SVG image uploads are not properly sanitized. This allows attackers to embed malicious scripts in SVG files by sending a POST request to '/api/v1/user-avatar', which are then stored on the server and execute...

CVSS 5.1, AI score 5.4, EPSS 0.00243
Exploits: 0, References: 2, Affected Software: 1
CVE
added 2026/02/04 9:56 a.m., 12 views

CVE-2025-41085

Summary: CVE-2025-41085 is a stored XSS in Apidog 2.7.15 due to improper sanitization of SVG uploads. An attacker can exploit by posting an SVG image to the endpoints exposed by the API (/api/v1/user-avatar), resulting in scripts being stored on the server and executed when a user accesses the c...

CVSS 5.1, AI score 5.4, EPSS 0.00243
Exploits: 0, References: 1
Cvelist
added 2026/02/04 9:56 a.m., 24 views

CVE-2025-41085 Stored Cross-Site Scripting (XSS) in Apidog web platform

Stored Cross-Site Scripting XSS vulnerability type in Apidog in the version 2.7.15, where SVG image uploads are not properly sanitized. This allows attackers to embed malicious scripts in SVG files by sending a POST request to '/api/v1/user-avatar', which are then stored on the server and execute...

CVSS 5.1, EPSS 0.00243
Exploits: 0, References: 1
Positive Technologies
added 2026/02/04 12:00 a.m., 5 views

PT-2026-5898

Name of the Vulnerable Software and Affected Versions: Apidog version 2.7.15. Description: A stored Cross-Site Scripting XSS issue exists in Apidog version 2.7.15 due to improper sanitization of SVG image uploads. An attacker can embed malicious scripts within SVG files by sending a POST request to...

CVSS 5.1, AI score 5.5, EPSS 0.00243
Exploits: 0, References: 4
CVE
added 2026/01/16 3:05 p.m., 18 views

CVE-2026-21624

CVE-2026-21624 affects the Easy Discuss Joomla extension (versions 1.0.0–5.0.15) and is due to a lack of input filtering in the user avatar text handling, enabling persistent XSS. Multiple feeds (NVD, Red Hat, CVE lists, EUVD, CIRCL, etc.) corroborate the same description without detailing exploi...

CVSS 9.4, AI score 5.8, EPSS 0.00177
Exploits: 0, References: 1, Affected Software: 1
RedhatCVE
added 2026/01/09 12:32 p.m., 4 views

CVE-2023-4798

The User Avatar WordPress plugin before 1.2.2 does not properly sanitize and escape certain of its shortcodes attributes, which could allow relatively low-privileged users like contributors to conduct Stored XSS attacks...

CVSS 5.4, AI score 5.9, EPSS 0.00394
Exploits: 2, References: 1