CVE-2026-36460

ADPhonebook versions before 4.0.1.1 are affected by a stored Cross-Site Scripting (XSS) vulnerability via the /Admin/Save API. An authenticated administrator can place malicious JavaScript payloads into multiple configuration sections due to insufficient input validation or lack of proper output ...

EUVD-2026-31342

Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via OAuth integration name. The OAuth authorize template renders the integration name admin-controlled through Concrete's t translation helper as a sprintf-style format. The ... wrap is built by PHP string interpolation before t runs, so th...

CVE-2026-37505

SQL Injection via ORDER BY clause in V2Board thru 1.7.4. In app/Http/Controllers/Admin/UserController.php, the sort parameter from user input is passed directly to User::orderBy$sort, $sortType without validation. An authenticated admin can sort users by any database column including password,...

IBM Guardium Data Protection 跨站脚本漏洞

IBM Guardium Data Protection is a data security and activity monitoring platform for database auditing, vulnerability assessment and compliance management. A cross-site scripting vulnerability exists in IBM Guardium Data Protection. The vulnerability stems from the failure of the Web UI to proper...

WordPress plugin Real Estate Pro 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

GHSA-FJPJ-6QCQ-6PW2 CI4MS has stored XSS in Pages Content Due to Missing html_purify Sanitization

Summary The Pages module does not apply the htmlpurify validation rule to content fields during create and update operations, while the Blog module does. Page content is stored unsanitized in the database and rendered as raw HTML on the public frontend via echo $pageInfo-content. An authenticated...

Linux Distros Unpatched Vulnerability : CVE-2026-26046

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A vulnerability was found in a Moodle TeX filter administrative setting where insufficient sanitization of configuration input could allow command injection. On...

CVE-2026-26046

A vulnerability was found in a Moodle TeX filter administrative setting where insufficient sanitization of configuration input could allow command injection. On sites where the TeX filter is enabled and ImageMagick is installed, a maliciously crafted setting value entered by an administrator coul...

PT-2026-7224

SAP BusinessObjects Enterprise does not sufficiently encode user-controlled inputs, leading to Stored Cross-Site Scripting XSS vulnerability. This enables an admin user to inject malicious JavaScript into a website and the injected script gets executed when the user visits the compromised page.Th...

CVE-2021-47918

Simple CMS 2.1 contains a remote SQL injection vulnerability that allows privileged attackers to inject unfiltered SQL commands in the users module. Attackers can exploit unvalidated input parameters in the admin.php file to compromise the database management system and web application...

PT-2026-2969

This module integrates the AT Internet Piano Analytics service. The module does not filter administrator-entered text leading to a persistent Cross-site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer...

GHSA-MGR9-6C2J-JXRQ Pterodactyl has a Reflected XSS vulnerability in “Create New Database Host”

!NOTE Message from the Pterodactyl team: The Pterodactyl team has evaluated this as a minor security issue but does not consider it something that should be assigned a CVE, nor does it require active patching by vulnerable systems. This issue is entirely self-inflicted and requires an...

CVE-2023-53978 myBB Forums 1.8.26 Stored Cross-Site Scripting via Forum Announcements

myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the forum announcement system that allows authenticated administrators to inject malicious scripts when creating announcements. Attackers can exploit this vulnerability by inserting script payloads in the announcement titl...

CVE-2022-50681

A reflected cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via administration input fields in the Rich text editor component. Attackers can exploit this vulnerability to execute arbitrary scripts in users' browsers...

PT-2025-52303

Name of the Vulnerable Software and Affected Versions Kentico Xperience affected versions not specified Description A reflected cross-site scripting issue exists in Kentico Xperience. This allows attackers to inject malicious scripts through administration input fields within the Rich text editor...

EUVD-2020-21384

Malware in sbrugna...

EUVD-2025-26710

Malicious code in bioql PyPI...

CVE-2025-41036

A vulnerability has been discovered in appRain CMF version 4.0.5, consisting of a stored authenticated XSS due to a lack of proper validation of user input, through the 'dataAdmindescription', 'dataAdminfname' and 'dataAdminlname' parameters in /apprain/admin/account/edit...

CVE-2025-41036

A vulnerability has been discovered in appRain CMF version 4.0.5, consisting of a stored authenticated XSS due to a lack of proper validation of user input, through the 'dataAdmindescription', 'dataAdminfname' and 'dataAdminlname' parameters in /apprain/admin/account/edit...

CVE-2025-41036

CVE-2025-41036 describes a stored authenticated XSS in appRain CMF v4.0.5 caused by insufficient validation of input in the admin account edit path. Specifically, the vulnerable parameters are data[Admin][description], data[Admin][f_name], and data[Admin][l_name] submitted to /apprain/admin/accou...