149 matches found
CVE-2026-57676
Authorization Bypass Through User-Controlled Key vulnerability in Matteo Manna Simple User Avatar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple User Avatar: from n/a through 4.9...
EUVD-2026-40056
Authorization Bypass Through User-Controlled Key vulnerability in Matteo Manna Simple User Avatar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple User Avatar: from n/a through 4.9...
CVE-2026-57676
Summary: CVE-2026-57676 affects the WordPress plugin “Simple User Avatar” (versions up to and including 4.9). The issue is an Insecure Direct Object References (IDOR) /authorization bypass caused by an authorization check vulnerability tied to a user-controlled key, leading to insecure access due...
CVE-2026-12136
The Customize My Account For Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sysbasicsuseravatar' shortcode in versions up to, and including, 4.3.6. This is due to insufficient input sanitization and output escaping on user supplied attributes minheight,...
CVE-2026-12136
CVE-2026-12136 affects the WordPress plugin “Customize My Account for WooCommerce” up to version 4.3.6. The root cause is insufficient input sanitization and output escaping on shortcode attributes (min_height, min_width, max_height, max_width) used by sysbasics_user_avatar, which are concatenate...
EUVD-2026-37859
The Customize My Account For Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sysbasicsuseravatar' shortcode in versions up to, and including, 4.3.6. This is due to insufficient input sanitization and output escaping on user supplied attributes minheight,...
CVE-2026-12136 SysBasics Customize My Account for WooCommerce <= 4.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Customize My Account For Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sysbasicsuseravatar' shortcode in versions up to, and including, 4.3.6. This is due to insufficient input sanitization and output escaping on user supplied attributes minheight,...
CVE-2026-2979
A flaw has been found in FastApiAdmin up to 2.2.0. This issue affects the function useravataruploadcontroller of the file /backend/app/api/v1/modulesystem/user/controller.py of the component Scheduled Task API. Executing a manipulation can lead to unrestricted upload. The attack can be launched...
CVE-2026-2979
A flaw has been found in FastApiAdmin up to 2.2.0. This issue affects the function useravataruploadcontroller of the file /backend/app/api/v1/modulesystem/user/controller.py of the component Scheduled Task API. Executing a manipulation can lead to unrestricted upload. The attack can be launched...
CVE-2026-2979
CVE-2026-2979 affects FastApiAdmin up to 2.2.0. The vulnerability is in the function user_avatar_upload_controller of /backend/app/api/v1/module_system/user/controller.py (Scheduled Task API). A manipulation can cause unrestricted file upload, enabling a remote attacker to upload arbitrary files....
CVE-2026-2979
A flaw has been found in FastApiAdmin up to 2.2.0. This issue affects the function useravataruploadcontroller of the file /backend/app/api/v1/modulesystem/user/controller.py of the component Scheduled Task API. Executing a manipulation can lead to unrestricted upload. The attack can be launched...
FastAPI Admin 代码问题漏洞
FastAPI Admin is an open-source management dashboard based on FastAPI and TortoiseORM. Versions of FastAPI Admin 2.2.0 and earlier have code vulnerabilities. These vulnerabilities stem from improper handling of the useravatarUploadController function in the file...
CVE-2025-41085
Stored Cross-Site Scripting XSS vulnerability type in Apidog in the version 2.7.15, where SVG image uploads are not properly sanitized. This allows attackers to embed malicious scripts in SVG files by sending a POST request to '/api/v1/user-avatar', which are then stored on the server and execute...
CVE-2025-41085
Stored Cross-Site Scripting XSS vulnerability type in Apidog in the version 2.7.15, where SVG image uploads are not properly sanitized. This allows attackers to embed malicious scripts in SVG files by sending a POST request to '/api/v1/user-avatar', which are then stored on the server and execute...
CVE-2025-41085
Stored Cross-Site Scripting XSS vulnerability type in Apidog in the version 2.7.15, where SVG image uploads are not properly sanitized. This allows attackers to embed malicious scripts in SVG files by sending a POST request to '/api/v1/user-avatar', which are then stored on the server and execute...
CVE-2025-41085
Summary : CVE-2025-41085 is a stored XSS in Apidog 2.7.15 due to improper sanitization of SVG uploads. An attacker can exploit by posting an SVG image to the endpoints exposed by the API (/api/v1/user-avatar), resulting in scripts being stored on the server and executed when a user accesses the c...
CVE-2025-41085 Stored Cross-Site Scripting (XSS) in Apidog web platform
Stored Cross-Site Scripting XSS vulnerability type in Apidog in the version 2.7.15, where SVG image uploads are not properly sanitized. This allows attackers to embed malicious scripts in SVG files by sending a POST request to '/api/v1/user-avatar', which are then stored on the server and execute...
PT-2026-5898
Name of the Vulnerable Software and Affected Versions Apidog version 2.7.15 Description A stored Cross-Site Scripting XSS issue exists in Apidog version 2.7.15 due to improper sanitization of SVG image uploads. An attacker can embed malicious scripts within SVG files by sending a POST request to...
CVE-2026-21624
CVE-2026-21624 affects the Easy Discuss Joomla extension (versions 1.0.0–5.0.15) and is due to a lack of input filtering in the user avatar text handling, enabling persistent XSS. Multiple feeds (NVD, Red Hat, CVE lists, EUVD, CIRCL, etc.) corroborate the same description without detailing exploi...
CVE-2023-4798
The User Avatar WordPress plugin before 1.2.2 does not properly sanitize and escape certain of its shortcodes attributes, which could allow relatively low-privileged users like contributors to conduct Stored XSS attacks...