Caldera Forms < 1.9.7 - Reflected Cross-Site Scripting

Caldera Forms WordPress plugin 1.9.7 contains a reflected cross-site scripting caused by lack of validation and escaping of the cf-api parameter in responses, letting attackers execute arbitrary scripts in victim's browser, exploit requires attacker to craft a malicious request. id: CVE-2022-0879...

EUVD-2025-209736

An issue was discovered in Control Web Panel CWP before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php when the "api" parameter is set is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated attackers to inject an...

CVE-2025-67888

An issue was discovered in Control Web Panel CWP before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php when the "api" parameter is set is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated attackers to inject an...

CVE-2026-35587

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, a Server-Side Request Forgery SSRF vulnerability exists in the Glances IP plugin due to improper validation of the publicapi configuration parameter. The value of publicapi is used directly in outbound HTTP...

CVE-2025-59706

In N2W before 4.3.2 and 4.4.0 before 4.4.1, improper validation of API request parameters enables remote code execution...

EUVD-2025-208987

In N2W before 4.3.2 and 4.4.0 before 4.4.1, improper validation of API request parameters enables remote code execution...

CVE-2025-59706

In N2W before 4.3.2 and 4.4.0 before 4.4.1, improper validation of API request parameters enables remote code execution...

Cisco IOS XE Software 安全漏洞

Cisco IOS XE Software is a network operating system developed by the American company Cisco. There is a security vulnerability in Cisco IOS XE Software, which stems from insufficient validation of API endpoint parameters. This vulnerability could allow authenticated remote attackers to gain...

PT-2026-26851

The Canto plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.1.1 via the /wp-content/plugins/canto/includes/lib/copy-media.php file. This is due to the file being directly accessible without any authentication, authorization, or nonce checks, and t...

CVE-2024-26477

An issue in Statping-ng v.0.91.0 allows an attacker to obtain sensitive information via a crafted request to the api parameter of the oauth, amazonsns, export endpoints...

CVE-2024-26477

An issue in Statping-ng v.0.91.0 allows an attacker to obtain sensitive information via a crafted request to the api parameter of the oauth, amazonsns, export endpoints...

PT-2026-7651

Name of the Vulnerable Software and Affected Versions Statping-ng version 0.91.0 Description An issue allows an attacker to obtain sensitive information via a crafted request to the api parameter of the oauth, amazon sns, and export API endpoints. Recommendations Apply updates to address the issu...

VulnCheck KEV: CVE-2021-27670

Appspace 6.2.4 allows SSRF via the api/v1/core/proxy/jsonprequest url parameter...

CVE-2022-0879

The Caldera Forms WordPress plugin before 1.9.7 does not validate and escape the cf-api parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting...

📄 Control Web Panel 0.9.8.1208 Command Injection

Control Web Panel versions 0.9.8.1208 and below suffer from an issue where user input passed via the key GET parameter to /admin/index.php when the api parameter is set is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated attackers to inject...

CVE-2025-11129

The Include Fussball.de Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'api' and 'type' parameters in all versions up to, and including, 4.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

EUVD-2025-60926

The Include Fussball.de Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'api' and 'type' parameters in all versions up to, and including, 4.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2025-11129

The Include Fussball.de Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'api' and 'type' parameters in all versions up to, and including, 4.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2025-11129 Include fussball.de Widgets <= 4.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'api' and 'type'

The Include Fussball.de Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'api' and 'type' parameters in all versions up to, and including, 4.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2025-11129

The WordPress plugin Include Fussball.de Widgets is vulnerable to Stored Cross‑Site Scripting via the api and type parameters in all versions up to 4.0.0. Exploitation requires Contributor‑level access or higher, and the XSS payload would execute when a user visits an injected page. CVE-2025-1112...