611 matches found
Cross-site Scripting (XSS)
Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the fullName field in the revision/draft context menu, which is rendered as raw HTML due to improper handling with Template::raw and string interpolation. An...
PT-2026-26084
MuraCMS through 10.1.10 contains a CSRF vulnerability that allows attackers to permanently destroy all deleted content stored in the trash system through a simple CSRF attack. The vulnerable cTrash.empty function lacks CSRF token validation, enabling malicious websites to forge requests that...
EUVD-2026-12462
Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a reflected cross-site scripting vulnerability in the Network Diagnosis ping function that allows attackers to execute arbitrary JavaScript. Attackers can craft malicious links with injected script payloads in the pingipaddr parameter t...
PT-2026-25783
Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a reflected cross-site scripting vulnerability in the Network Diagnosis ping function that allows attackers to execute arbitrary JavaScript. Attackers can craft malicious links with injected script payloads in the ping ipaddr parameter ...
Exploit for Cross-site Scripting in Invoiceplane
CVE-2026-25594 — Stored XSS via Family Name in InvoicePlane 1...
OpenClaw: Write-scoped callers could reach admin-only session reset logic through `agent`
Summary In affected versions of openclaw, a gateway caller with operator.write could issue agent requests containing /new or /reset and reach the same reset path used by the admin-only sessions.reset RPC. Impact On gateways where a caller is intentionally granted operator.write but not...
PT-2026-24948
A vulnerability exists in Progress Flowmon ADS versions prior to 12.5.5 and 13.0.3, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session...
CVE-2026-2433
The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via postMessage in all versions up to, and including, 5.0.11. This is due to the plugin's admin-shell.js registering a global message event listener...
CVE-2026-2433
The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via postMessage in all versions up to, and including, 5.0.11. This is due to the plugin's admin-shell.js registering a global message event listener...
CVE-2026-2433
The CVE-2026-2433 entry concerns the WordPress plugin RSS Aggregator (RSS Import, News Feeds, Feed to Post, Autoblogging) up to version 5.0.11. The root cause is a DOM-based XSS via postMessage arising from admin-shell.js: a global message listener is registered without origin validation, and use...
WordPress plugin RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging 跨站脚本漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...
EUVD-2025-208337
Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability exists in Chamilo LMS that allows a staff account to execute arbitrary JavaScript in the browser of higher-privileged admin users. The issue arises because feedback input in the exercise history page is...
CVE-2026-27621
TypiCMS is a multilingual content management system based on the Laravel framework. A Stored Cross-Site Scripting XSS vulnerability exists in the file upload module of TypiCMS prior to version 16.1.7. The application allows users with file upload permissions to upload SVG files. While there is a...
CVE-2026-27621
TypiCMS is a multilingual content management system based on the Laravel framework. A Stored Cross-Site Scripting XSS vulnerability exists in the file upload module of TypiCMS prior to version 16.1.7. The application allows users with file upload permissions to upload SVG files. While there is a...
CVE-2026-27504
SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in radiomobilefront.php via the stationid query parameter. When an authenticated administrator views a crafted URL, the application embeds the unsanitized parameter value into a hidden input value field, allowi...
CVE-2026-27504
SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in radiomobilefront.php via the stationid query parameter. When an authenticated administrator views a crafted URL, the application embeds the unsanitized parameter value into a hidden input value field, allowi...
CVE-2026-27504 SVXportal <= 2.5 radiomobile_front.php stationid Reflected XSS
SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in radiomobilefront.php via the stationid query parameter. When an authenticated administrator views a crafted URL, the application embeds the unsanitized parameter value into a hidden input value field, allowi...
CVE-2026-27504
SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in radiomobilefront.php via the stationid query parameter. When an authenticated administrator views a crafted URL, the application embeds the unsanitized parameter value into a hidden input value field, allowi...
PT-2026-21273
SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in radiomobile front.php via the stationid query parameter. When an authenticated administrator views a crafted URL, the application embeds the unsanitized parameter value into a hidden input value field,...
CVE-2019-25399 IPFire 2.21 Core Update 127 Stored XSS via extrahd.cgi
IPFire 2.21 Core Update 127 contains multiple stored cross-site scripting vulnerabilities in the extrahd.cgi script that allow attackers to inject malicious scripts through the FS, PATH, and UUID parameters. Attackers can submit POST requests with script payloads in these parameters to execute...