60 matches found

Snyk
added last week, 7 views

Cross-site Scripting (XSS)

Overview: tinymce is a web-based JavaScript HTML WYSIWYG editor control. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the media plugin when handling crafted data-mce- attributes. An attacker can execute arbitrary scripts in the context of the user's browser by...

CVSS 8.7, AI score 5.9, EPSS 0.00032
Exploits 0, References 2

Snyk
added last week, 6 views

Cross-site Scripting (XSS)

Overview: tinymce/tinymce is a web-based JavaScript HTML WYSIWYG editor control. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the media plugin when handling crafted data-mce- attributes. An attacker can execute arbitrary scripts in the context of the user's...

CVSS 8.7, AI score 5.9, EPSS 0.00032
Exploits 0, References 2

EUVD
added 2026/05/27 7:15 p.m., 5 views

EUVD-2026-32635

Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to 2026-05-07, Pi.Alert's web-based configuration editor allows arbitrary Python code to be injected into pialert.conf. Since the background scan daemon loads this file via Python's exec, injected code executes as the...

CVSS 9.8, AI score 6, EPSS 0.00255
Exploits 0, References 1

CVE
added 2026/05/27 7:15 p.m., 11 views

CVE-2026-44887

CVE-2026-44887 affects Pi.Alert, a WIFI/LAN intruder detector with a web service. The vulnerability arises from the web-based configuration editor allowing arbitrary Python code to be injected into pialert.conf; the background scan daemon loads this file with Python’s exec(), causing the injected...

CVSS 9.8, AI score 6, EPSS 0.00255
Exploits 0, References 1

Positive Technologies
added 2026/05/27 12:0 a.m., 3 views

PT-2026-44075

Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to 2026-05-07, Pi.Alert's web-based configuration editor allows arbitrary Python code to be injected into pialert.conf. Since the background scan daemon loads this file via Python's exec, injected code executes as the...

CVSS 9.8, AI score 6, EPSS 0.00255
Exploits 0, References 2

CNNVD
added 2026/05/27 12:0 a.m., 3 views

Pi.Alert code injection vulnerability

Pi.Alert is a WIFI/LAN intrusion detector developed by Jokob-sk. Versions of Pi.Alert prior to 2026-05-07 had a code injection vulnerability. This vulnerability stemmed from the Web configuration editor, which allowed arbitrary Python code to be injected into the pialert.conf file. Additionally,...

CVSS 9.8, AI score 6.5, EPSS 0.00255
Exploits 0, References 1

OSV
added 2026/02/23 9:19 p.m., 1 views

CVE-2026-3027

A vulnerability was found in erzhongxmu JEEWMS up to 3.7. This affects an unknown part of the file src/main/webapp/plug-in/ueditor/jsp/getContent.jsp of the component UEditor. The manipulation of the argument myEditor results in cross site scripting. The attack can be launched remotely. The explo...

CVSS 6.1, AI score 4, EPSS 0.00064
Exploits 1, References 4

Snyk
added 2026/02/06 6:34 p.m., 2 views

Cross-site Scripting (XSS)

Overview: org.webjars.npm:sceditor is a lightweight WYSIWYG BBCode and XHTML editor. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the sceditor.create process. An attacker can execute arbitrary scripts in the context of the user's browser by injecting malicious...

CVSS 5.4, AI score 5.6, EPSS 0.00014
Exploits 1, References 2

EUVD
added 2026/02/01 12:15 p.m., 3 views

EUVD-2021-34758

PHP Melody 3.0 contains a persistent cross-site scripting vulnerability in the video editor that allows privileged users to inject malicious scripts. Attackers can exploit the WYSIWYG editor to execute persistent scripts, potentially leading to session hijacking and application manipulation...

CVSS 6.4, AI score 5.9, EPSS 0.00057
Exploits 1, References 4

EUVD
added 2025/12/18 12:34 a.m., 1 views

EUVD-2023-60220

WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by inserting script tags into page content through the WYSIWYG editor. Attackers can submit POST requests to /wbce/modules/wysiwyg/save.php with malicious script...

CVSS 5.4, AI score 5.6, EPSS 0.00024
Exploits 1, References 4

Veracode
added 2025/12/13 7:42 a.m., 3 views

Improper Authorization

trytond is vulnerable to Improper Authorization. The vulnerability is due to missing access control enforcement on the HTML editor route, which allows an attacker to access or modify content without proper permissions...

CVSS 7.1, AI score 5.8, EPSS 0.00043
Exploits 1, References 4, Affected Software 1

Veracode
added 2025/12/13 5:38 a.m., 3 views

Cross-site Scripting (XSS)

aimeos/ai-cms-grapesjs is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to lack of proper sanitization when Content Security Policy is disabled, which allows an attacker to inject malicious JavaScript through editor content...

CVSS 7.6, AI score 5.9, EPSS 0.00025
Exploits 0, References 4, Affected Software 1

OSV
added 2025/11/30 3:15 a.m., 3 views

DEBIAN-CVE-2025-66423

Tryton trytond 6.0 before 7.6.11 does not enforce access rights for the route of the HTML editor. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70...

CVSS 7.1, AI score 5.2, EPSS 0.00043
Exploits 1, References 1

CVE
added 2025/11/19 4:20 p.m., 9 views

CVE-2025-34336

Affected software: eGovFramework/egovframe-common-components

CVSS 6.9, AI score 6.7, EPSS 0.00731
Exploits 2, References 5

Vulnrichment
added 2025/11/19 4:20 p.m., 1 views

CVE-2025-34337 eGovFramework <= 4.3.1 Unauthenticated Encryption Oracle via Web Editor Image Upload Endpoints

eGovFramework/egovframe-common-components versions up to and including 4.3.1 include Web Editor image upload and related file delivery functionality that uses symmetric encryption to protect URL parameters, but exposes an encryption oracle that allows attackers to generate valid ciphertext for...

CVSS 8.7, AI score 6.7, EPSS 0.00073
Exploits 1, References 5

Positive Technologies
added 2025/11/19 12:0 a.m., 2 views

PT-2025-47486

Name of the Vulnerable Software and Affected Versions: eGovFramework/egovframe-common-components versions up to and including 4.3.1. Description: The Web Editor image upload functionality within the software uses symmetric encryption for URL parameters but reveals an encryption oracle. This allows...

CVSS 8.7, AI score 6.5, EPSS 0.00073
Exploits 1, References 8

EUVD
added 2025/10/07 12:30 a.m., 1 views

EUVD-2018-8288

Malware in sbrugna...

CVSS 8.8, AI score 8.8, EPSS 0.00138
Exploits 1, References 2

EUVD
added 2025/10/07 12:30 a.m., 1 views

EUVD-2005-2112

Malware in sbrugna...

CVSS 7.5, AI score 6.4, EPSS 0.02883
Exploits 1, References 5

EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2022-29622

Malicious code in bioql PyPI...

CVSS 5.3, AI score 5.7, EPSS 0.00314
Exploits 0, References 3

OSSF Malicious Packages
added 2025/08/14 6:52 p.m., 3 views

Malicious code in markup-web-editor (npm)

The package markup-web-editor was found to contain malicious code...

AI score 7
Exploits 0