1566 matches found

CVE
added 2025/01/29 6:00 a.m., 55 views

CVE-2024-12749

CVE-2024-12749 affects the WordPress plugin Competition Form (versions

CVSS 7.1 | AI score 5.8 | EPSS 0.01761
Exploits: 1 | References: 1 | Affected Software: 1
Japan Vulnerability Notes
added 2025/01/28 4:44 a.m., 1 view

WordPress Plugin "Simple Image Sizes" vulnerable to cross-site scripting

Overview WordPress Plugin "Simple Image Sizes" provided by Rahe contains a stored cross-site scripting vulnerability CWE-79. Ibuki Sato of Nippon Engineering College of Hachioji reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...

CVSS 4.8 | AI score 6 | EPSS 0.00094
Exploits: 0 | References: 4
NVD
added 2025/01/27 6:15 a.m., 9 views

CVE-2024-13055

The Dyn Business Panel WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVSS 7.1 | EPSS 0.02205
Exploits: 1 | References: 1
NVD
added 2025/01/27 6:15 a.m., 9 views

CVE-2024-13056

The Dyn Business Panel WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVSS 7.1 | EPSS 0.00114
Exploits: 1 | References: 1
Vulnrichment
added 2025/01/27 6:00 a.m., 6 views

CVE-2024-13116 Crelly Slider < 1.4.7 - Admin+ Stored XSS

The Crelly Slider WordPress plugin before 1.4.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

AI score 3.8 | EPSS 0.00085
Exploits: 1 | References: 1
Veracode
added 2025/01/16 2:29 a.m., 5 views

Information Disclosure

org.keycloak, keycloak-quarkus-server is vulnerable to Information Disclosure. The vulnerability is due to the ability of admin users to inject placeholders like $env.VARNAME or $PROPNAME into configurable URLs, allowing access to sensitive server environment variables and system properties...

CVSS 4.9 | AI score 6.5 | EPSS 0.00027
Exploits: 0 | References: 8 | Affected Software: 1
NVD
added 2025/01/14 9:15 a.m., 14 views

CVE-2024-11736

A vulnerability was found in Keycloak. Admin users may have to access sensitive server environment variables and system properties through user-configurable URLs. When configuring backchannel logout URLs or admin URLs, admin users can include placeholders like $env.VARNAME or $PROPNAME. The serve...

CVSS 4.9 | EPSS 0.00027
Exploits: 0 | References: 4
NVD
added 2025/01/13 10:15 p.m., 11 views

CVE-2023-42231

Pat Infinite Solutions HelpdeskAdvanced = 11.0.33 is vulnerable to Incorrect Access Control. Low privileged users can delete admin users by sending a request to the "WSCView/Delete" function...

CVSS 8.1 | EPSS 0.00147
Exploits: 0 | References: 1
Vulnrichment
added 2025/01/13 12:00 a.m., 7 views

CVE-2023-42231

Pat Infinite Solutions HelpdeskAdvanced = 11.0.33 is vulnerable to Incorrect Access Control. Low privileged users can delete admin users by sending a request to the "WSCView/Delete" function...

AI score 8 | EPSS 0.00147
Exploits: 0 | References: 1
OSV
added 2025/01/11 6:15 a.m., 0 views

CVE-2024-12587

The Contact Form Master WordPress plugin through 1.0.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVSS 6.1 | AI score 5.8 | EPSS 0.00319
Exploits: 1 | References: 1
OSV
added 2025/01/09 6:15 a.m., 1 view

CVE-2024-12731

The Aklamator INfeed WordPress plugin through 2.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVSS 6.1 | AI score 5.8 | EPSS 0.00292
Exploits: 1 | References: 1
NVD
added 2025/01/09 6:15 a.m., 4 views

CVE-2024-12736

The BU Section Editing WordPress plugin through 0.9.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVSS 6.1 | EPSS 0.00292
Exploits: 1 | References: 1
OSV
added 2025/01/09 6:15 a.m., 1 view

CVE-2024-12715

The Asgard Security Scanner WordPress plugin through 0.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVSS 6.1 | AI score 7.3 | EPSS 0.00292
Exploits: 1 | References: 1
NVD
added 2025/01/09 6:15 a.m., 8 views

CVE-2024-12715

The Asgard Security Scanner WordPress plugin through 0.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVSS 6.1 | EPSS 0.00292
Exploits: 1 | References: 1
NVD
added 2025/01/08 4:15 p.m., 11 views

CVE-2025-22130

Soft Serve is a self-hostable Git server for the command line. Prior to 0.8.2 , a path traversal attack allows existing non-admin users to access and take over other user's repositories. A malicious user then can modify, delete, and arbitrarily repositories as if they were an admin user without...

CVSS 8.8 | EPSS 0.00567
Exploits: 0 | References: 3
Vulnrichment
added 2025/01/08 3:43 p.m., 11 views

CVE-2025-22130 Soft Serve allows path traversal attacks

Soft Serve is a self-hostable Git server for the command line. Prior to 0.8.2 , a path traversal attack allows existing non-admin users to access and take over other user's repositories. A malicious user then can modify, delete, and arbitrarily repositories as if they were an admin user without...

CVSS 5.3 | AI score 6.5 | EPSS 0.00567
Exploits: 0 | References: 3
CVE
added 2025/01/08 3:43 p.m., 64 views

CVE-2025-22130

CVE-2025-22130 affects the Soft Serve Git server. Prior to version 0.8.2, a path traversal vulnerability lets existing non-admin users access and take over other users’ repositories, enabling modification, deletion, and arbitrary admin-like actions on repositories without explicit permissions. Th...

CVSS 8.8 | AI score 6.5 | EPSS 0.00567
Exploits: 0 | References: 3 | Affected Software: 1
OSV
added 2025/01/01 6:15 a.m., 2 views

CVE-2024-11846

The does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVSS 6.1 | AI score 7.3 | EPSS 0.00292
Exploits: 1 | References: 1
CVE
added 2024/12/30 10:08 p.m., 89 views

CVE-2024-13058

CVE-2024-13058 affects SoftIron HyperCloud and related software (e.g., VM Squared) versions 2.3.0 up to but before 2.5.0. The issue allows authenticated, non-admin users to create data pools, potentially impacting the performance and availability of the backend software-defined storage subsystem....

CVSS 4.8 | AI score 6.5 | EPSS 0.00169
Exploits: 0 | References: 1
Vulnrichment
added 2024/12/30 10:08 p.m., 14 views

CVE-2024-13058 Authenticated, non-admin users can create storage pools via the sifi API

An issue exists in SoftIron HyperCloud where authenticated, but non-admin users can create data pools, which could potentially impact the performance and availability of the backend software-defined storage subsystem. This issue only impacts SoftIron HyperCloud and related software products such ...

CVSS 4.8 | AI score 6.5 | EPSS 0.00169
Exploits: 0 | References: 1