39 matches found

EUVD
added 2026/05/22 3:23 p.m. · 5 views

EUVD-2026-31453

Insufficient logging in the entry export feature in Devolutions Server allows an authenticated user with export permissions to export a sealed entry without triggering the unseal notification to administrators via a crafted export request. This issue affects: Devolutions Server 2026.1.6.0 throug...

CVSS 2.4 · AI score 5.8 · EPSS 0.00032
Exploits: 0 · References: 1
EUVD
added 2026/05/19 9:09 p.m. · 4 views

EUVD-2026-30987

CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability in the ticket reply notification system. Unsanitized reply content ($newmessage) is stored directly in database notification payloads and later rendered...

CVSS 8.7 · AI score 6 · EPSS 0.00037
Exploits: 0 · References: 2
EUVD
added 2026/05/06 6:47 a.m. · 2 views

EUVD-2026-27544

The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 5.5.0. This is due to insufficient input sanitization on the customer cabinet profile update endpoint — where raw POST parameters firstname, lastname, phone, notes bypass sanitizati...

CVSS 6.4 · AI score 6 · EPSS 0.00063
Exploits: 0 · References: 11
ATTACKERKB
added 2026/05/06 6:47 a.m. · 1 view

CVE-2026-7457

The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 5.5.0. This is due to insufficient input sanitization on the customer cabinet profile update endpoint — where raw POST parameters firstname, lastname, phone, notes bypass sanitizati...

CVSS 6.4 · AI score 6 · EPSS 0.00063
Exploits: 0 · References: 12
Positive Technologies
added 2026/05/06 12:00 a.m. · 4 views

PT-2026-37353

The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 5.5.0. This is due to insufficient input sanitization on the customer cabinet profile update endpoint — where raw POST parameters first name, last name, phone, notes bypass...

CVSS 6.4 · AI score 6 · EPSS 0.00063
Exploits: 0 · References: 12
Veracode
added 2025/12/13 6:52 a.m. · 2 views

Cross-site Scripting (XSS)

Magento-lts is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to unescaped translation strings and URLs rendered in the admin notification grid, which allows an attacker with database or feed access to inject malicious scripts into vulnerable fields...

CVSS 4.8 · AI score 5.8 · EPSS 0.00034
Exploits: 1 · References: 4 · Affected software: 1
NVD
added 2025/11/06 9:15 p.m. · 2 views

CVE-2025-64174

Magento-lts is a long-term support alternative to Magento Community Edition (CE). Versions 20.15.0 and below are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin with direct database access or the admin notification feed source to inject malicious scripts...

CVSS 4.8 · EPSS 0.00034
Exploits: 1 · References: 2
Snyk
added 2025/11/03 8:24 p.m. · 2 views

Cross-site Scripting (XSS)

Overview: openmage/magento-lts is an unofficial community-driven project. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via unescaped translation strings and URLs rendered in the admin notification grid...

CVSS 4.8 · AI score 5.5 · EPSS 0.00034
Exploits: 1 · References: 2
EUVD
added 2025/10/03 8:07 p.m. · 1 view

EUVD-2022-5329

Malicious code in bioql (PyPI)...

CVSS 5.3 · AI score 6.3 · EPSS 0.00927
Exploits: 0 · References: 5
RedhatCVE
added 2025/05/22 11:31 p.m. · 1 view

CVE-2022-1605

The Email Users WordPress plugin through 4.8.8 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack and change the notification settings of arbitrary users...

CVSS 6.5 · AI score 6.7 · EPSS 0.00103
Exploits: 2 · References: 1
RedhatCVE
added 2025/05/22 7:22 p.m. · 3 views

CVE-2021-24527

The User Registration & User Profile – Profile Builder WordPress plugin before 3.4.9 has a bug allowing any user to reset the password of the admin of the blog, and gain unauthorised access, due to a bypass in the way the reset key is checked. Furthermore, the admin will not be notified of such...

CVSS 10 · AI score 7.1 · EPSS 0.75594
Exploits: 2 · References: 1
RedhatCVE
added 2025/05/22 10:05 a.m. · 6 views

CVE-2019-13363

admin.php?page=notificationbymail in Piwigo 2.9.5 has XSS via the nbmsendhtmlmail, nbmsendmailas, nbmsenddetailedcontent, nbmcomplementarymailcontent, nbmsendrecentpostdates, or paramsubmit parameter. This is exploitable via CSRF...

CVSS 9.6 · AI score 5.8 · EPSS 0.00377
Exploits: 4 · References: 1
OSV
added 2025/03/17 7:15 p.m. · 3 views

CVE-2025-26042

Uptime Kuma == 1.23.0 has a ReDoS vulnerability, specifically when an administrator creates a notification through the web service. If a string is provided it triggers catastrophic backtracking in the regular expression, leading to a ReDoS attack...

CVSS 6 · AI score 5.9
Exploits: 0 · References: 3
OSV
added 2024/03/06 11:23 a.m. · 20 views

BIT-GITLAB-2020-12276

GitLab 9.5.9 through 12.9 is vulnerable to stored XSS in an admin notification feature...

CVSS 4.8 · AI score 4.6 · EPSS 0.00113
Exploits: 0 · References: 2
Positive Technologies
added 2024/02/05 12:00 a.m. · 1 view

PT-2024-19270 · Phpmyfaq · Phpmyfaq

Name of the Vulnerable Software and Affected Versions: phpMyFAQ versions prior to 3.2.5. Description: The issue allows an attacker to spoof another user's details, making a compelling phishing case for removing another user's account. Although the front-end of the user removal page does not allow...

CVSS 6.5 · AI score 6.2 · EPSS 0.00285
Exploits: 1 · References: 12
WPVulnDB
added 2023/12/16 12:00 a.m. · 16 views

Getwid < 2.0.3 - Unauthenticated Arbitrary Email Sending to Admin

Description: Any unauthenticated user may send e-mail from the site with any title or content to the admin. PoC: fetch("http://127.0.0.1:8001/wp-admin/admin-ajax.php?action=getwidsendmail", {"headers": {"content-type": "application/x-www-form-urlencoded"}, "body": "datasubject=Urgent WordPress update...

CVSS 7.5 · AI score 6.6 · EPSS 0.00384
Exploits: 2 · Affected software: 1
OSV
added 2023/10/09 7:15 p.m. · 0 views

CVE-2023-41672

Cross-Site Request Forgery (CSRF) vulnerability in Rémi Leclercq Hide admin notices – Admin Notification Center plugin <= 2.3.2 versions...

CVSS 8.8 · AI score 5.8 · EPSS 0.00092
Exploits: 0 · References: 1
Prion
added 2023/10/09 7:15 p.m. · 13 views

Cross site request forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Rémi Leclercq Hide admin notices – Admin Notification Center plugin <= 2.3.2 versions...

CVSS 6.8 · AI score 8.8 · EPSS 0.00092
Exploits: 0 · References: 1 · Affected software: 1
CVE
added 2023/10/09 6:38 p.m. · 65 views

CVE-2023-41672

CVE-2023-41672 relates to a CSRF vulnerability in the WordPress plugin Hide admin notices – Admin Notification Center (

CVSS 8.8 · AI score 6.4 · EPSS 0.00092
Exploits: 0 · References: 1 · Affected software: 1
Cvelist
added 2023/10/09 6:38 p.m. · 14 views

CVE-2023-41672 WordPress Hide admin notices – Admin Notification Center Plugin <= 2.3.2 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Rémi Leclercq Hide admin notices – Admin Notification Center plugin <= 2.3.2 versions...

CVSS 4.3 · AI score 9 · EPSS 0.00092
Exploits: 0 · References: 1