GO-2026-4456 Mattermost Confluence plugin doesn't properly escape user-controlled display names in HTML template rendering in github.com/mattermost/mattermost-plugin-confluence
Mattermost Confluence plugin doesn't properly escape user-controlled display names in HTML template rendering in github.com/mattermost/mattermost-plugin-confluence...
CVE-2025-12361 myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program <= 2.9.7.1 - Missing Authorization to Sensitive Information Exposure
The myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.9.7.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This...
EUVD-2022-41818
Malicious code in bioql PyPI...
CVE-2024-6792
The WP ULike WordPress plugin before 4.7.2.1 does not properly sanitize user display names when rendering on a public page...
CVE-2024-6792
Vulnerability context: CVE-2024-6792 affects the WP ULike WordPress plugin prior to 4.7.2.1. The issue stems from improper sanitization of user display names when rendering on public pages, which is described in Red Hat and Patchstack entries as a subscriber-level stored XSS exposure. Affected so...
CVE-2024-4439
WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject...
Fedora 36 : nextcloud (2022-902df3b060)
The remote Fedora 36 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2022-902df3b060 advisory. Security fix for CVE-2022-39346 Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus h...
Design/Logic Flaw
Nextcloud server is an open source personal cloud server. Affected versions of nextcloud server did not properly limit user display names which could allow a malicious users to overload the backing database and cause a denial of service. It is recommended that the Nextcloud Server is upgraded to...
FlexCMS 3.2.1 - Persistent Cross-Site Scripting
Persistent XSS in FLEXCMS 3.2.1 Software vendor: http://www.flexcms.com/flex/index.html The Persistent XSS appears when any user goes to edit profile Display name and then injects the XSS code instead of his display name. After injecting this code, in the main page of the website there is "Users...
aflog-xss.txt
//Author Dentrasi //Application Aflog //Version 1.01 //Site http://www.aflog.org //Bug Users' display names are not sanitized, allowing XSS attacks to be performed. //PoC When signing up, use the display name: alert'xss' This affects your name when viewing any page that you have posted a comment...