13 matches found
CVE-2026-33978
Notesnook is a note-taking app focused on user privacy & ease of use. Prior to version 3.3.17, a stored XSS vulnerability exists in the mobile share / web clip flow because attacker-controlled clip metadata is concatenated into HTML without escaping and then rendered with innerHTML inside the...
EUVD-2026-17962
Notesnook is a note-taking app focused on user privacy & ease of use. Prior to version 3.3.17, a stored XSS vulnerability exists in the mobile share / web clip flow because attacker-controlled clip metadata is concatenated into HTML without escaping and then rendered with innerHTML inside the...
CVE-2026-33976
Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS, a stored XSS in the Web Clipper rendering flow can be escalated to remote code execution in the desktop app. The root cause is that the clipper preserves attacker-controlled attributes from the sourc...
EUVD-2026-16874
Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS, a stored XSS in the Web Clipper rendering flow can be escalated to remote code execution in the desktop app. The root cause is that the clipper preserves attacker-controlled attributes from the sourc...
CVE-2026-33976 Notesnook vulnerable to RCE via stored XSS in Web Clipper rendering
Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS, a stored XSS in the Web Clipper rendering flow can be escalated to remote code execution in the desktop app. The root cause is that the clipper preserves attacker-controlled attributes from the sourc...
CVE-2023-2608
The Multiple Page Generator Plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 3.3.17 due to missing nonce verification on the projectslist function and insufficient escaping o...
CVE-2023-2607
The Multiple Page Generator Plugin for WordPress is vulnerable to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 3.3.17 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This...
CVE-2023-2607
The Multiple Page Generator Plugin for WordPress is vulnerable to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 3.3.17 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This...
CVE-2023-2607 Multiple Page Generator Plugin <= 3.3.17 - Authenticated (Administrator+) SQL Injection
The Multiple Page Generator Plugin for WordPress is vulnerable to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 3.3.17 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This...
CVE-2023-2608
The Multiple Page Generator Plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 3.3.17 due to missing nonce verification on the projectslist function and insufficient escaping o...
CVE-2023-2608 Multiple Page Generator Plugin <= 3.3.17 - Cross-Site Request Forgery to SQL Injection
The Multiple Page Generator Plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 3.3.17 due to missing nonce verification on the projectslist function and insufficient escaping o...
WordPress MPG Plugin <= 3.3.17 is vulnerable to SQL Injection
Software MPG Type Plugin Vulnerable versions = 3.3.17 Fixed in 3.3.18 OWASP Top 10 A1: Injection Classification SQL Injection CVE CVE-2023-2607 Patch priority Low CVSS severity Low 7.6 Developer Claim ownership PSID 74726ab41bcc Credits Marco Wotschka Required privilege Administrator Published 16...
WordPress My Calendar plugin <= 3.3.16 - Unauthenticated Open Redirect vulnerability
Unauthenticated Open Redirect vulnerability discovered by Dan Kegel in WordPress My Calendar plugin versions = 3.3.16. Solution Update the WordPress My Calendar plugin to the latest available version at least 3.3.17...