4947 matches found
CVE-2020-37236
CVE-2020-37236 describes an authenticated persistent cross-site scripting vulnerability in NewsLister. Authenticated administrators can inject JavaScript via the title parameter in the news addition interface, with payloads executing when news items are viewed by other users. The CVE has a CVSS v...
CVE-2020-37236 NewsLister Authenticated Persistent Cross-Site Scripting via Admin Panel
NewsLister contains an authenticated persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the title parameter in the news addition interface. Attackers can inject JavaScript payloads via the title field in the admin panel that...
PT-2026-41436
NewsLister contains an authenticated persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the title parameter in the news addition interface. Attackers can inject JavaScript payloads via the title field in the admin panel that...
CVE-2026-42458
Magento Long Term Support LTS is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to 20.18.0, there is a reflected XSS vulnerability under admin panel - System - Import/Export -...
magento-lts 安全漏洞
Magento LTS is an open-source alternative to OpenMage, and it’s a reliable substitute for the official Magento CE version. Versions of Magento LTS prior to 20.18.0 had security vulnerabilities; these vulnerabilities stemmed from reflection-type cross-site scripting vulnerabilities in the data...
CVE-2026-22707
Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, the Upload plugin's Content API endpoints did not enforce the administrator-configured MIME type restrictions plugin.upload.security.allowedTypes and deniedTypes. The same restrictions were correctly...
CVE-2026-22707 Strapi Upload Plugin MIME Validation Bypass via Content API
Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, the Upload plugin's Content API endpoints did not enforce the administrator-configured MIME type restrictions plugin.upload.security.allowedTypes and deniedTypes. The same restrictions were correctly...
ANTI-FLUFF
PENTESTINGMETHS Main view example: Web Application As...
CVE-2026-43937
YetAnotherForum.NET YAF.NET is a C ASP.NET forum. Prior to 4.0.5, Any admin OnPost… handler executes its side effects before the ResultFilterAttribute rewrites the response to a 302 to /Info/4. The most impactful abuse is /Admin/RunSql, whose OnPostRunQuery binds Editor from the POST body and...
CVE-2026-42842
CVE-2026-42842: Stored XSS in Grav Form plugin (select field) where taxonomy values render via Twig |raw in admin pages, enabling an editor-level user to inject JavaScript that runs in admins’ browsers when viewing/editing pages. Affects Grav CMS Form plugin’s select.html.twig handling and global...
CVE-2026-42842 grav-plugin-form: XSS via Taxonomy Field Values in Admin Panel
The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0, a Stored Cross-Site Scripting XSS vulnerability exists in the Grav CMS Form plugin's select field template. Taxonomy tag and category values are rendered with the Twig |raw filter in the admin panel, bypassing the...
CVE-2026-42842
The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0, a Stored Cross-Site Scripting XSS vulnerability exists in the Grav CMS Form plugin's select field template. Taxonomy tag and category values are rendered with the Twig |raw filter in the admin panel, bypassing the...
CVE-2026-42609 Grav: Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a business logic vulnerability in the Grav Admin Panel allows a low-privileged user with only user creation permissions to overwrite existing accounts, including the primary administrator. By creating a new user with a username that alread...
CVE-2026-42609
Grav CVE-2026-42609 describes a business-logic flaw in the Grav Admin Panel where a low-privileged user with admin user-creation permissions can overwrite a higher-privilege account by creating a new user with an existing username. The system incorrectly updates the existing account’s metadata an...
CVE-2025-65134
In manikandan580 School-management-system 1.0, a reflected cross-site scripting XSS vulnerability exists in /studentms/admin/contact-us.php via the email POST parameter...
Grav 安全漏洞
Grav is a scalable content management system CMS developed by the Grav open-source community, suitable for use in personal blogs, small content publishing platforms, and single-page product displays. Versions of Grav prior to 2.0.0-beta.2 contained security vulnerabilities. These vulnerabilities...
GHSA-4VG5-RP28-GVJF Open WebUI has Improper Authorization Control
CONFIDENTIAL Vulnerability Disclosure Analysis Documentation --- Vulnerability Details | | Field | Value | |---|-------|-------| | 1 | Discoverer | Taylor Pennington of KoreLogic, Inc. | | 2 | Date Submitted | June 11, 2024 | | 3 | Title | Open WebUI Improper Authorization Control | | 5 | Affecte...
Cross-site Scripting (XSS)
Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the dataheadertitle parameter in the admin panel. An attacker can execute arbitrary JavaScript code in the contex...
GHSA-FMG2-F5R9-24QC Grav: Stored XSS via page title (data[header][title]) in admin panel
Summary A Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/pages/page endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the dataheadertitle parameter. --- Details Vulnerable Endpoint: GET /admin/pages/page Parameter:...
EUVD-2026-28547
Weak credentials in the CashDro 3 web administration panel, version 24.01.00.26, where the platform allows the use of numeric PINs for user authentication. The system supports the use of PIN-based credentials, maintaining compatibility with POS software integrations deployed since 2012. This coul...