
12 matches found

NVD
added 2026/05/02 6:16 a.m., 0 views

CVE-2026-5112

The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping of Calculation Product field product names when rendered inside Repeater fields. The validat...

CVSS 7.2, EPSS 0.00021
Exploits 0, References 2
NVD
added 2026/04/21 8:17 p.m., 2 views

CVE-2026-40873

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted attachment name s...

CVSS 8.9, EPSS 0.00112
Exploits 0, References 1
Github Security Blog
added 2026/02/25 4:6 p.m., 3 views

Bugsink is vulnerable to Stored XSS via Pygments fallback in stacktrace rendering

Summary: An unauthenticated attacker who can submit events to a Bugsink project can store arbitrary JavaScript in an event. The payload executes only if a user explicitly views the affected Stacktrace in the web UI. Details: When Pygments returns more lines than it was given a known upstream quirk...

CVSS 9.3, AI score 5.8, EPSS 0.00099
Exploits 1, References 5, Affected Software 1
OSV
added 2026/02/25 4:6 p.m., 1 views

GHSA-VP6Q-7M36-PQ3W Bugsink is vulnerable to Stored XSS via Pygments fallback in stacktrace rendering

Summary: An unauthenticated attacker who can submit events to a Bugsink project can store arbitrary JavaScript in an event. The payload executes only if a user explicitly views the affected Stacktrace in the web UI. Details: When Pygments returns more lines than it was given a known upstream quirk...

CVSS 9.3, AI score 5.9, EPSS 0.00099
Exploits 1, References 5
CVE
added 2026/02/25 2:31 a.m., 8 views

CVE-2026-27614

Bugsink (self-hosted error tracking) is affected by a Stored XSS in versions before 2.0.13. The root cause is how Pygments fallback in stacktrace rendering handles line mismatches: _pygmentize_lines() returns raw lines when line counts differ, and then mark_safe() is applied unconditionally to th...

CVSS 9.3, AI score 5.7, EPSS 0.00099
Exploits 1, References 3, Affected Software 1
Github Security Blog
added 2025/09/04 3:30 p.m., 4 views

Memos Vulnerable to Stored Cross-Site Scripting

Memos 0.22 is vulnerable to Stored Cross site scripting (XSS) vulnerabilities by the upload attachment and user avatar features. Memos does not verify the content type of the uploaded data and serve it back as is. An authenticated attacker can use this to elevate their privileges when the stored XS...

CVSS 5.4, AI score 5.6, EPSS 0.00058
Exploits 1, References 5, Affected Software 1
NVD
added 2025/09/03 5:15 p.m., 4 views

CVE-2025-56761

Memos 0.22 is vulnerable to Stored Cross site scripting (XSS) vulnerabilities by the upload attachment and user avatar features. Memos does not verify the content type of the uploaded data and serve it back as is. An authenticated attacker can use this to elevate their privileges when the stored XS...

CVSS 5.4, EPSS 0.00058
Exploits 1, References 3
GithubExploit
added 2025/07/20 8:35 a.m., 71 views

Exploit for Logging of Excessive Data in Livehelperchat Live_Helper_Chat

Exploit Title: LiveHelperChat 5...

CVSS 5.4, AI score 7.1, EPSS 0.0082
Exploits 4
SUSE CVE
added 2023/09/07 2:34 a.m., 1 views

SUSE CVE-2023-39515

Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability allows an authenticated user to poison data stored in the cacti's database. These data will be viewed by administrative cacti accounts an...

CVSS 6.1, AI score 5.6, EPSS 0.00294
Exploits 1, References 5
OSV
added 2023/02/15 4:15 a.m., 1 views

UBUNTU-CVE-2022-45437

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Artica PFMS Pandora FMS v765 on all allows Cross-Site Scripting (XSS). A user with edition privileges can create a Payload in the reporting dashboard module. An admin user can observe the Payload...

CVSS 6.5, AI score 5.8, EPSS 0.00727
Exploits 0, References 3
ATTACKERKB
added 2022/09/19 2:15 p.m., 0 views

CVE-2022-2753

The Ketchup Restaurant Reservations WordPress plugin through 1.0.0 does not sanitise and escape some of the reservation user inputs, allowing unauthenticated attackers to perform Cross-Site Scripting attacks logged in admin viewing the malicious reservation made...

CVSS 6.1, AI score 6.4, EPSS 0.15526
Exploits 2, References 2
Cvelist
added 2022/09/19 2:1 p.m., 10 views

CVE-2022-2753 Ketchup Restaurant Reservations <= 1.0.0 - Unauthenticated Stored XSS

The Ketchup Restaurant Reservations WordPress plugin through 1.0.0 does not sanitise and escape some of the reservation user inputs, allowing unauthenticated attackers to perform Cross-Site Scripting attacks logged in admin viewing the malicious reservation made...

AI score 6.2, EPSS 0.15526
Exploits 2, References 1