Rukovoditel <= 2.7.2 - Cross-Site Scripting

A stored cross site scripting XSS vulnerability in the 'Entities List' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter. id: CVE-2020-35987 info: name: Rukovoditel = 2.7.2 - Cross-Site...

Rukovoditel <= 2.7.2 - Cross Site Scripting

A stored cross site scripting XSS vulnerability in the 'Users Alerts' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Title' parameter. id: CVE-2020-35984 info: name: Rukovoditel = 2.7.2 - Cross Site...

WordPress Candidate Application Form <= 1.3 - Local File Inclusion

WordPress Candidate Application Form = 1.3 is susceptible to arbitrary file downloads because the code in downloadpdffile.php does not do any sanity checks. id: CVE-2015-1000005 info: name: WordPress Candidate Application Form = 1.3 - Local File Inclusion author: dhiyaneshDK severity: high...

Odoo <= 15.0 - Cross-Site Scripting

A cross-site scripting XSS vulnerability in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote attackers to inject arbitrary web scripts into the browser of a victim via a crafted link. This issue could lead to the execution of malicious scripts in the context of t...

DomainMOD 4.13.0 - Cross-Site Scripting

DomainMOD 4.13.0 is vulnerable to cross-site scripting via reporting/domains/cost-by-owner.php in the "or Expiring Between" parameter. id: CVE-2020-20988 info: name: DomainMOD 4.13.0 - Cross-Site Scripting author: arafatansari severity: medium description: | DomainMOD 4.13.0 is vulnerable to...

Yonyou YonBIP - Path Traversal

Yonyou YonBIP v3 and before contains a path traversal caused by improper validation in the LoginWithV8 interface of the series data application service system, letting unauthorized attackers access sensitive information. id: CVE-2025-66744 info: name: Yonyou YonBIP - Path Traversal author:...

Heimdall Application Dashboard < 2.7.3 - Reflected XSS

LinuxServer.io Heimdall 2.7.3 contains a stored XSS caused by improper sanitization of the "q" parameter, letting remote attackers execute scripts, exploit requires crafted input. id: CVE-2025-54597 info: name: Heimdall Application Dashboard 2.7.3 - Reflected XSS author: 0xAkoko severity: medium...

Vanna - SQL injection

Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Attackers can inject malicious SQL training data and generate corresponding queries to write arbitrary files on the victim's file system, such as backdoor.php with contents . This can lead to...

Lightdash v0.1024.6 - Server-Side Request Forgery

Server-Side Request Forgery “SSRF” in the export dashboard functionality of Lightdash version 0.1024.6 allows remote authenticated threat actors to obtain the session cookie of any user who exports a crafted dashboard. When they are exported, dashboards containing HTML elements can trigger HTTP...

ATutor < 2.2.1 - Cross Site Scripting

ATutor 2.2.1 was discovered with a vulnerability, a reflected cross-site scripting XSS, in ATtutor 2.2.1 via token body parameter. id: CVE-2023-27008 info: name: ATutor 2.2.1 - Cross Site Scripting author: r3Y3r53 severity: medium description: | ATutor 2.2.1 was discovered with a vulnerability, a...

Rukovoditel <= 3.2.1 - Cross-Site Scripting

Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting XSS vulnerability in the Entities Group feature at/index.php?module=entities/entitiesgroups. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field...

PowerJob <=4.3.2 - Unauthenticated Access

PowerJob V4.3.1 is vulnerable to Insecure Permissions. via the list job interface. id: CVE-2023-29923 info: name: PowerJob =4.3.2 - Unauthenticated Access author: For3stCo1d severity: medium description: | PowerJob V4.3.1 is vulnerable to Insecure Permissions. via the list job interface. impact: ...

OpenCATS 0.9.6 - Cross-Site Scripting

OpenCATS 0.9.6 contains a cross-site scripting vulnerability via the joborderID parameter. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch...

ChanCMS <= 3.3.0 - SQL Injection

yanyutao0402 ChanCMS = 3.3.0 contains a SQL injection caused by manipulation of the "key" argument in app/modules/api/service/Api.js Search function, letting remote attackers execute arbitrary SQL commands, exploit requires crafted request. id: CVE-2025-10210 info: name: ChanCMS = 3.3.0 - SQL...

MOVEit Transfer - SQL Injection

In Progress MOVEit Transfer before 2020.1.11 12.1.11, 2021.0.9 13.0.9, 2021.1.7 13.1.7, 2022.0.7 14.0.7, 2022.1.8 14.1.8, and 2023.0.4 15.0.4, a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized...

NS-ASG Application Security Gateway 6.3 - Sql Injection

A vulnerability was found in Netentsec NS-ASG Application Security Gateway 6.3. It has been classified as critical. This affects an unknown part of the file /protocol/index.php. The manipulation of the argument IPAddr leads to sql injection. It is possible to initiate the attack remotely. The...

ZoneMinder v1.37.* <= 1.37.64 - SQL Injection

ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder v1.37. = 1.37.64 is vulnerable to boolean-based SQL Injection in function of web/ajax/event.php. This is fixed in 1.37.65. id: CVE-2024-51482 info: name: ZoneMinder v1.37. = 1.37.64 - SQL Injection author...

GeoServer and GeoTools - Remote Code Execution

GeoTools is an open source Java library that provides tools for geospatial data. Prior to versions 31.2, 30.4, and 29.6, Remote Code Execution RCE is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input. Versions 31.2, 30.4, and 29.6...

TurboMeeting - Boolean-based SQL Injection

A Boolean-based SQL injection vulnerability in the "RHUB TurboMeeting" web application. This vulnerability could allow an attacker to execute arbitrary SQL commands on the database server, potentially allowing them to access sensitive data or compromise the server. id: CVE-2024-38289 info: name:...

Popup Builder Plugin - SQL Injection and Cross-Site Scripting

The Popup Builder WordPress plugin before 4.1.1 is vulnerable to SQL Injection and Reflected XSS via the sgpb-subscription-popup-id parameter. id: CVE-2022-0479 info: name: Popup Builder Plugin - SQL Injection and Cross-Site Scripting author: ritikchaddha severity: critical description: | The Pop...