CVE-2025-57205
iNiLabs School Express SMS Express 6.2 is affected by a Stored Cross-Site Scripting XSS vulnerability in the content-management features available to authenticated admin users. The vulnerability resides in POSTed editor parameters submitted to the /posts/edit/id endpoint and similarly in Notice a...
Arbitrary File Upload
Overview hillelcoren/invoice-ninja is an Invoices, expenses & time-tracking built with Laravel Affected versions of this package are vulnerable to Arbitrary File Upload via the Restore process. An attacker can execute arbitrary code on the server by uploading specially crafted .php files when...
CVE-2025-50977
A template injection vulnerability leading to reflected cross-site scripting XSS has been identified in version 1.7.1, requiring authenticated admin access for exploitation. The vulnerability exists in the 'r' parameter and allows attackers to inject malicious Angular expressions that execute...
PT-2025-34902 · Wicket · Wicket
Name of the Vulnerable Software and Affected Versions: versions prior to 1.7.1 Description: A template injection vulnerability leading to reflected cross-site scripting XSS has been identified, requiring authenticated admin access for exploitation. The vulnerability exists in the r parameter and...
CVE-2025-8490 All-in-One WP Migration and Backup <= 7.97 - Authenticated (Administrator+) Stored Cross-Site Scripting via Import
The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Import in all versions up to, and including, 7.97 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-lev...
CVE-2025-54336
In Plesk Obsidian 18.0.70, isAdminPasswordValid uses an == comparison. Thus, if the correct password is "0e" followed by any digit string, then an attacker can login with any other string that evaluates to 0.0 such as the 0e0 string. This occurs in admin/plib/LoginManager.php...
PT-2025-34071
Name of the Vulnerable Software and Affected Versions: XWiki versions through 17.3.0 Description: XWiki through version 17.3.0 is affected by multiple stored Cross-Site Scripting XSS vulnerabilities in the Administration interface, specifically under the Presentation section of the Global...
Anchor CMS 0.12.7 Cross Site Scripting
Anchor CMS version 0.12.7 suffers from a persistent cross site scripting vulnerability. Anchor CMS v0.12.7 - Stored XSS CVE-2025-46041 Anchor CMS v0.12.7 is vulnerable to a Stored Cross-Site Scripting XSS vulnerability in the description field of the /admin/pages/add interface. CVE ID...
Grav CMS 1.7.48 - Remote Code Execution (RCE)
Exploit Title: Grav CMS 1.7.48 - Remote Code Execution RCE Date: 2025-08-07 Exploit Author: binneko https://github.com/binneko Vendor Homepage: https://getgrav.org/ Software Link: https://github.com/getgrav/grav/releases/tag/1.7.48 Version: Grav CMS v1.7.48 / Admin Plugin v1.10.48 Tested on: Debi...
CVE-2024-48730
The default configuration in ETSI Open-Source MANO OSM v.14.x, v.15.x, v.16.x, v.17.x does not impose any restrictions on the authentication attempts performed by the default admin user, allowing a remote attacker to escalate privileges...
CVE-2025-26395
SolarWinds Observability Self-Hosted was susceptible to a cross-site scripting XSS vulnerability due to an unsanitized field in the URL. The attack requires authentication using an administrator-level account and user interaction is required...
CVE-2024-9769
The Video Gallery – Best WordPress YouTube Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2023-25046
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Podlove Podlove Podcast Publisher plugin <= 3.8.2 versions...
CVE-2023-28174
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in eLightUp eRocket plugin <= 1.2.4 versions...
CVE-2023-26010
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WPMobile.App plugin <= 11.18 versions...
CVE-2023-25458
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in GMO Internet Group, Inc. TypeSquare Webfonts for ConoHa plugin <= 2.0.3 versions...
CVE-2023-25063
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Anadnet Quick Page/Post Redirect Plugin plugin <= 5.2.3 versions...
CVE-2023-25451
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WPChill CPO Content Types plugin <= 1.1.0 versions...