21 matches found
CVE-2024-2765
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Skype and Spotify URL parameters in all versions up to, and including, 2.8.4 due to insufficient input...
EUVD-2017-7946
Malware in sbrugna...
EUVD-2020-18162
Malware in sbrugna...
EUVD-2021-18733
Malware in sbrugna...
EUVD-2021-11220
Malware in sbrugna...
EUVD-2023-2742
Malicious code in bioql PyPI...
EUVD-2022-43585
Malicious code in bioql PyPI...
CVE-2025-50849
CS Cart 4.18.3 is vulnerable to Insecure Direct Object Reference (IDOR). The user profile functionality allows enabling or disabling stickers through a parameter, companyid, sent in the request. However, this operation is not properly validated on the server side. An authenticated user can manipulate...
CVE-2025-34086
Bolt CMS versions 3.7.0 and earlier contain a chain of vulnerabilities that together allow an authenticated user to achieve remote code execution. A user with valid credentials can inject arbitrary PHP code into the displayname field of the user profile, which is rendered unsanitized in backend...
CVE-2025-48992
Group-Office is affected by a stored and blind XSS in the Name field of user profiles for versions prior to 6.8.123 and prior to 25.0.27. The vulnerability allows an attacker to set their name to a JavaScript payload, which executes when the compromised user adds that attacker to Synchronization ...
CVE-2022-39226
Discourse is an open source discussion platform. In versions prior to 2.8.9 on the stable branch and prior to 2.9.0.beta10 on the beta and tests-passed branches, a malicious actor can add large payloads of text into the Location and Website fields of a user profile, which causes issues for other...
CVE-2021-22231
A denial of service in the user's profile page, found starting with GitLab CE/EE 8.0, allows an attacker to reject access to their profile page by using a specially crafted username...
CVE-2024-40513
An issue in themesebrand Chatvia v.5.3.2 allows a remote attacker to execute arbitrary code via the User profile Upload image function...
CVE-2025-22142
CVE-2025-22142 concerns NamelessMC. The vulnerability allows cross-site scripting via an admin-enabled extra field where a user may inject JavaScript that executes when a staff member views the user’s profile on the staff panel. Affected version details are not all consistently stated across sour...
PHPGurukul Online Notes Sharing System Cross-Site Request Forgery Vulnerability
PHPGurukul Online Notes Sharing System is an online notes sharing system from PHPGurukul Inc. A cross-site request forgery vulnerability exists in PHPGurukul Online Notes Sharing System version 1.0, which stems from a cross-site request forgery vulnerability in /user/profile.php...
Sql injection
Simple Customer Relationship Management System v1.0 was discovered to contain a SQL injection vulnerability via the contact parameter in the user profile update function...
Windows User Profile Service Elevation of Privilege Vulnerability
...
CVE-2018-9123
In Crea8social 2018.2, there is Stored Cross-Site Scripting via a User Profile...
Pragyan CMS 3.0 SQL Injection Vulnerability
Pragyan CMS version 3.0 suffers from a remote SQL injection vulnerability. Advisory: SQL injection vulnerability in Pragyan CMS v.3.0 Author: Steffen Rösemann Affected Software: Pragyan CMS v.3 Vendor URL: https://github.com/delta/pragyan, http://delta.nitt.edu/ Vendor Status: vendor did not...
CVE-2008-0180
Cross-site scripting (XSS) vulnerability in themes/unstyled/templates/init.vm in Liferay Portal 4.3.6 allows remote authenticated users to inject arbitrary web script or HTML via the Greeting field in a User Profile...