8423 matches found
CVE-2026-32745
In JetBrains Datalore before 2026.1 session hijacking was possible due to missing secure attribute for cookie settings...
CVE-2026-1851
The iVysilani Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' shortcode attribute in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2026-1275
The Multi Post Carousel by Category plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slides' shortcode attribute in all versions up to, and including, 1.4. This is due to insufficient input sanitization and output escaping on the user-supplied 'slides' parameter in the...
CVE-2026-1886
The Go Night Pro | WordPress Dark Mode Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'go-night-pro-shortcode' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on the user-supplied 'margin'...
CVE-2026-1575
The Schema Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's itemscope shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2026-1889
The Outgrow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the 'outgrow' shortcode in all versions up to, and including, 2.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2026-33499
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the view/forbiddenPage.php and view/warningPage.php templates reflect the $REQUEST'unlockPassword' parameter directly into an HTML tag's attributes without any output encoding or sanitization. An attacker can craf...
CVE-2026-2358
The WP ULike plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wpulikelikersbox shortcode template attribute in all versions up to, and including, 5.0.1. This is due to the use of htmlentitydecode on shortcode attributes without subsequent output sanitization, which...
CVE-2026-4067
The Ad Short plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ad' shortcode's 'client' attribute in all versions up to and including 2.0.1. This is due to insufficient input sanitization and output escaping on the 'client' shortcode attribute. The adfunc shortcode handle...
CVE-2026-4022
The Show Posts list – Easy designs, filters and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'posttype' shortcode attribute in the 'swiftpost-list' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on...
Security update for python-tornado6
This update for python-tornado6 fixes the following issues: CVE-2026-31958: parsing large multipart bodies with many parts can cause a denial of service bsc1259553. incomplete validation of cookie attributes allows for injection of user-controlled values in other cookie attributes bsc1259630. Pat...
SUSE-SU-2026:1064-1 Security update for python-tornado6
This update for python-tornado6 fixes the following issues: - CVE-2026-31958: parsing large multipart bodies with many parts can cause a denial of service bsc1259553. - incomplete validation of cookie attributes allows for injection of user-controlled values in other cookie attributes bsc1259630...
EUVD-2026-16098
The Simple Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sdcmenu' shortcode in all versions up to, and including, 2.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes, specifically the 'text' an...
CVE-2026-4389
The CVE-2026-4389 entry concerns the DSGVO snippet for the Leaflet Map and its Extensions WordPress plugin. Affected: Leaflet Map and Extensions, all versions up to 3.1. Issue: Stored Cross-Site Scripting via the leafext-cookie-time and leafext-delete-cookie shortcodes due to insufficient input s...
CVE-2026-4278 Simple Download Counter <= 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'text' Shortcode Attribute
The Simple Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sdcmenu' shortcode in all versions up to, and including, 2.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes, specifically the 'text' an...
CVE-2026-4278
The CVE-2026-4278 entry concerns the WordPress plugin Simple Download Counter, vulnerable to Stored Cross-Site Scripting via the sdc_menu shortcode in versions up to 2.3. The root cause is insufficient input sanitization and output escaping on user-supplied shortcode attributes, specifically text...
CVE-2026-4075
CVE-2026-4075 : The BWL Advanced FAQ Manager Lite WordPress plugin is vulnerable to a Stored Cross-Site Scripting (XSS) via the baf_sbox shortcode in all versions up to 1.1.1. The issue arises from insufficient input sanitization and output escaping of user-supplied shortcode attributes (e.g., sb...
User Impersonation
Overview n8n is a n8n Workflow Automation Tool Affected versions of this package are vulnerable to User Impersonation in the account linking when LDAP authentication is enabled. An attacker can gain unauthorized access to another user's account, including administrative accounts, by setting their...
GHSA-C545-X2RH-82FC n8n: LDAP Email-Based Account Linking Allows Privilege Escalation and Account Takeover
Impact When LDAP authentication is enabled, n8n automatically linked an LDAP identity to an existing local account if the LDAP email attribute matched the local account's email. An authenticated LDAP user who could control their own LDAP email attribute could set it to match another user's email ...
User Impersonation
Overview Affected versions of this package are vulnerable to User Impersonation in the account linking when LDAP authentication is enabled. An attacker can gain unauthorized access to another user's account, including administrative accounts, by setting their LDAP email attribute to match the...