Lucene search

43 matches found

OSV
added 2026/02/17 6:09 p.m. | 1 view

GO-2026-4456 Mattermost Confluence plugin doesn't properly escape user-controlled display names in HTML template rendering in github.com/mattermost/mattermost-plugin-confluence

Mattermost Confluence plugin doesn't properly escape user-controlled display names in HTML template rendering in github.com/mattermost/mattermost-plugin-confluence...

CVSS 7.7 | AI score 5.4 | EPSS 0.00015
Exploits: 0 | References: 3

RedhatCVE
added 2025/12/11 10:01 p.m. | 1 view

CVE-2025-66472

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 6.2-milestone-1 through 16.10.9 and 17.0.0-rc-1 through 17.4.1 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates are vulnerable to a reflected XSS attack...

CVSS 6.5 | AI score 6.2 | EPSS 0.00129
Exploits: 1 | References: 1

NVD
added 2025/12/10 10:16 p.m. | 1 view

CVE-2025-66472

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 6.2-milestone-1 through 16.10.9 and 17.0.0-rc-1 through 17.4.1 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates are vulnerable to a reflected XSS attack...

CVSS 6.5 | EPSS 0.00129
Exploits: 1 | References: 3

OSV
added 2025/12/10 9:34 p.m. | 2 views

CVE-2025-66472 XWiki vulnerable to a reflected XSS via xredirect parameter in DeleteApplication

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 6.2-milestone-1 through 16.10.9 and 17.0.0-rc-1 through 17.4.1 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates are vulnerable to a reflected XSS attack...

CVSS 6.5 | AI score 6.1 | EPSS 0.00129
Exploits: 1 | References: 5

CVE
added 2025/12/10 9:34 p.m. | 33 views

CVE-2025-66472

XWiki DeleteApplication reflects XSS via a deletion confirmation message. Affected: XWiki Platform Flamingo Skin Resources and Web Templates from 6.2-milestone-1 through 16.10.9 and 17.0.0-rc-1 through 17.4.1. The attack executes attacker-supplied JavaScript when the victim clicks the No button. ...

CVSS 6.5 | AI score 5.8 | EPSS 0.00129
Exploits: 1 | References: 3 | Affected Software: 1

Vulnrichment
added 2025/12/10 9:34 p.m. | 1 view

CVE-2025-66472 XWiki vulnerable to a reflected XSS via xredirect parameter in DeleteApplication

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 6.2-milestone-1 through 16.10.9 and 17.0.0-rc-1 through 17.4.1 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates are vulnerable to a reflected XSS attack...

CVSS 6.5 | AI score 5.8 | EPSS 0.00129
Exploits: 1 | References: 3

EUVD
added 2025/10/03 8:07 p.m. | 1 view

EUVD-2022-42502

Malicious code in bioql PyPI...

CVSS 6.1 | AI score 6.4 | EPSS 0.0019
Exploits: 0 | References: 1

EUVD
added 2025/10/03 8:07 p.m. | 2 views

EUVD-2022-6706

Malicious code in bioql PyPI...

CVSS 7.5 | AI score 7.4 | EPSS 0.00451
Exploits: 0 | References: 4

OSV
added 2025/09/30 11:37 a.m. | 0 views

CVE-2025-8118

PAD CMS implements weak client-side brute-force protection by utilizing two cookies: logincount and logintimeout. Information about attempt count or timeout is not stored on the server, which allows a malicious attacker to bypass this brute-force protection by resetting those cookies. This issue...

CVSS 6.5 | AI score 5.8 | EPSS 0.00868
Exploits: 0 | References: 1

Cvelist
added 2025/09/30 10:05 a.m. | 3 views

CVE-2025-8121 Blind SQL Injection in PAD CMS

Improper neutralization of input provided by an authorized user in article positioning functionality allows for Blind SQL Injection attacks. This issue affects all 3 templates: www, bip and ww+bip. This product is End-Of-Life and the vendor will not publish patches for this vulnerability...

CVSS 8.7 | EPSS 0.00038
Exploits: 0 | References: 1

Positive Technologies
added 2025/09/30 12:00 a.m. | 2 views

PT-2025-39964

Name of the Vulnerable Software and Affected Versions: PAD CMS (affected versions not specified). Description: The software’s photo upload functionality allows a remote attacker to upload files of any type and extension without restriction due to a client-controlled permission check parameter. This ca...

CVSS 10 | AI score 6.9 | EPSS 0.00868
Exploits: 0 | References: 4

Positive Technologies
added 2025/05/25 12:00 a.m. | 3 views

PT-2025-50546

Name of the Vulnerable Software and Affected Versions: XWiki Platform Flamingo Skin Resources versions 6.2-milestone-1 through 16.10.9 and 17.0.0-rc-1 through 17.4.1; XWiki Platform Web Templates versions 6.2-milestone-1 through 16.10.9 and 17.0.0-rc-1 through 17.4.1. Description: The XWiki Platform ...

CVSS 7.5 | AI score 5.7 | EPSS 0.00129
Exploits: 1 | References: 8

RedhatCVE
added 2025/05/22 5:23 p.m. | 2 views

CVE-2020-11976

By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside an HTML template that is usually removed during rendering. Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5...

CVSS 7.5 | AI score 7.3 | EPSS 0.02033
Exploits: 0 | References: 1

OSV
added 2023/10/25 9:13 p.m. | 24 views

GHSA-QCJ9-GCPG-4W2W XWiki Platform web templates vulnerable to reflected XSS in the create document form if name validation is enabled

Impact: When document names are validated according to a name strategy disabled by default, XWiki is vulnerable to a reflected XSS attack in the page creation form. To reproduce, make sure that "Validate names before saving" is enabled in the administration under "Editing" - "Name strategies" and...

CVSS 9.6 | AI score 9.4 | EPSS 0.70688
Exploits: 1 | References: 5

Huntr
added 2023/09/17 9:37 a.m. | 22 views

Multiple Self-XSS Vulnerabilities

Description: Multiple Self-XSS Vulnerabilities are triggered at multiple endpoints. http://localhost:8083/edit/server/ There is a bug in web/templates/pages/editserver.php file. Attacker can control $vtimezone. php ', theme: '', language: '', hasSmtpRelay: , remoteBackupEnabled: , backupType: '',...

CVSS 5.8 | AI score 7 | EPSS 0.00086
Exploits: 1

OSV
added 2023/04/20 9:39 p.m. | 19 views

GHSA-FP36-MJW5-FMGX xwiki-platform-web-templates allows users to be created even when registration is disabled without validation via template macro

Impact: If a guest has view rights on any document, it's possible to create a new user using the distribution/firstadminuser.wiki in the wrong context. To reproduce: On a wiki with view rights for guests but user registration disabled, open as guest...

CVSS 5 | AI score 4.7 | EPSS 0.01625
Exploits: 1 | References: 5

0day.today
added 2023/03/30 12:00 a.m. | 265 views

LISTSERV 17 - Reflected Cross Site Scripting Vulnerability

Exploit Title: LISTSERV 17 - Reflected Cross Site Scripting XSS Google Dork: inurl:/scripts/wa.exe Exploit Author: Shaunt Der-Grigorian Vendor Homepage: https://www.lsoft.com/ Software Link: https://www.lsoft.com/download/listserv.asp Version: 17 Tested on: Windows Server 2019 CVE : CVE-2022-3919...

CVSS 6.1 | AI score 6.4 | EPSS 0.09973
Exploits: 4

Exploit DB
added 2023/03/30 12:00 a.m. | 197 views

LISTSERV 17 - Reflected Cross Site Scripting (XSS)

Exploit Title: LISTSERV 17 - Reflected Cross Site Scripting XSS Google Dork: inurl:/scripts/wa.exe Date: 12/01/2022 Exploit Author: Shaunt Der-Grigorian Vendor Homepage: https://www.lsoft.com/ Software Link: https://www.lsoft.com/download/listserv.asp Version: 17 Tested on: Windows Server 2019 CV...

CVSS 6.1 | AI score 6.3 | EPSS 0.09973
Exploits: 4

Packet Storm
added 2023/01/17 12:00 a.m. | 219 views

LISTSERV 17 Cross Site Scripting

Exploit Title: LISTSERV 17 - Reflected Cross Site Scripting XSS Exploit Author: Shaunt D Vendor Homepage: https://www.lsoft.com/ Version: 17 Tested on: Windows Server 2019 CVE : CVE-2022-39195 A reflected cross-site scripting XSS vulnerability in the LISTSERV 17 web interface allows remote...

EPSS 0.09973
Exploits: 4

Vulnrichment
added 2022/12/14 8:17 a.m. | 7 views

CVE-2022-3073 Quanos Schema ST4 example templates prone to XSS

Quanos "SCHEMA ST4" example web templates in version Bootstrap 2019 v2/2021 v1/2022 v1/2022 SP1 v1 or below are prone to JavaScript injection allowing a remote attacker to hijack existing sessions to e.g. other web services in the same environment or execute scripts in the user's browser...

CVSS 6.1 | AI score 6.5 | EPSS 0.0019
Exploits: 0 | References: 1