
61 matches found

Vulnrichment
added 2026/06/13 2:29 a.m., 6 views

CVE-2026-12089 LWS Optimize – All-in-One Speed Booster & Cache Tools <= 3.3.19 - Authenticated (Editor+) Arbitrary File Read

The LWS Optimize – All-in-One Speed Booster & Cache Tools plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 3.3.19. This is due to the combinecurrentcss function trusting values harvested from page HTML and converting same-site URLs to absolute filesystem...

CVSS 4.9 | AI score 5.5 | EPSS 0.00346
Exploits: 0 | References: 3
NVD
added 2026/06/12 10:16 p.m., 8 views

CVE-2026-53609

ApostropheCMS is an open-source Node.js content management system. In versions up to and including 4.30.0, apos.util.set traverses dot-notation paths without sanitizing proto, allowing an authenticated editor to write arbitrary values to Object.prototype via the $pullAll patch operator. A confirm...

CVSS 9.1 | EPSS 0.00237
Exploits: 0 | References: 1
RedhatCVE
added 2026/06/05 7:35 p.m., 8 views

CVE-2026-5362

An authenticated attacker with permission to edit document content can store crafted HTML/JavaScript in a Document embed editable and cause script execution when the published page is rendered. This issue affects pimcore: v12.3.3...

CVSS 5.4 | AI score 5.7 | EPSS 0.00194
Exploits: 1 | References: 1
Vulnrichment
added 2026/05/29 12:26 p.m., 10 views

CVE-2026-48527 HaxCMS has a stored Cross-Site Scripting (XSS) bypass in saveNode endpoint

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions up to and including 26.0.0 are affected by a stored cross-site scripting (XSS) vulnerability in the /system/api/saveNode endpoint. An authenticated user with permission to edit pages can bypass the HTML sanitizer by...

CVSS 8.7 | AI score 5.6 | EPSS 0.00228
Exploits: 0 | References: 1
Cvelist
added 2026/05/29 12:26 p.m., 34 views

CVE-2026-48527 HaxCMS has a stored Cross-Site Scripting (XSS) bypass in saveNode endpoint

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions up to and including 26.0.0 are affected by a stored cross-site scripting (XSS) vulnerability in the /system/api/saveNode endpoint. An authenticated user with permission to edit pages can bypass the HTML sanitizer by...

CVSS 8.7 | EPSS 0.00228
Exploits: 0 | References: 1
Github Security Blog
added 2026/05/21 8:35 p.m., 9 views

NocoDB: Missing File Size Enforcement in Upload-by-URL Allows Denial of Service via Disk Exhaustion

Summary: The uploadViaURL path in the v1/v2 attachment API did not enforce NCATTACHMENTFIELDSIZE against the remote content-length or against the response stream. An authenticated user (Editor+) could direct the server to download arbitrarily large files, exhausting disk space and causing denial of...

AI score 5.9 | EPSS 0.00044
Exploits: 0 | References: 2 | Affected Software: 1
OSV
added 2026/05/21 8:35 p.m., 4 views

GHSA-99VC-2JX2-688P NocoDB: Missing File Size Enforcement in Upload-by-URL Allows Denial of Service via Disk Exhaustion

Summary: The uploadViaURL path in the v1/v2 attachment API did not enforce NCATTACHMENTFIELDSIZE against the remote content-length or against the response stream. An authenticated user (Editor+) could direct the server to download arbitrarily large files, exhausting disk space and causing denial of...

CVSS 6.5 | AI score 5.9 | EPSS 0.00044
Exploits: 0 | References: 2
Snyk
added 2026/05/15 5:14 p.m., 7 views

Cross-site Scripting (XSS)

Overview: weblate is a web-based continuous localization system with tight version control integration. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the search preview process. An attacker can execute arbitrary HTML or CSS in the authenticated editor interface ...

CVSS 5.1 | AI score 5.8 | EPSS 0.00208
Exploits: 0 | References: 2
CVE
added 2026/05/11 2:52 p.m., 6 views

CVE-2026-42841

Grav CMS stores image attributes via Markdown media action parameters. Before 2.0.0-beta.2, an authenticated page editor could inject a JavaScript event handler by calling attribute(name, value) through image query parameters (e.g., ?attribute=onload,alert(...)). The attack results in a stored XS...

CVSS 6.9 | AI score 5.9 | EPSS 0.00178
Exploits: 1 | References: 2 | Affected Software: 1
OSV
added 2026/05/05 9:24 p.m., 3 views

GHSA-R7FX-8G49-7HHR Grav CMS vulnerable to stored XSS via Markdown media attribute() action

Summary: An authenticated user with page editing permissions can inject an executable JavaScript event-handler attribute into rendered image HTML through Grav's Markdown media action syntax. The issue is caused by Markdown image query parameters being converted into callable media actions. The...

CVSS 6.9 | AI score 5.8 | EPSS 0.00178
Exploits: 1 | References: 4
Positive Technologies
added 2026/04/27 12:00 a.m., 0 views

PT-2026-35523

🚨 New zero-day in pimcore | Detected by our AI SAST scanner and disclosed by Oscar Naveda. As a CNA, we assigned the ID CVE-2026-5362. Details: 🔗 https://t.co/iZiXYRAAcM. We have announced 232 CVEs to this date: 🔗 https://t.co/fgMrQcycLm https://t.co/gFxbxDglVo...

CVSS 4.8 | AI score 5.3 | EPSS 0.00194
Exploits: 1 | References: 5
Vulnrichment
added 2026/04/21 12:00 a.m., 3 views

CVE-2026-31018

In Dolibarr ERP & CRM = 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page...

AI score 5.8 | EPSS 0.00289
Exploits: 0 | References: 2
Snyk
added 2026/04/14 8:02 p.m., 3 views

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the mail preview feature of the Event Log, where HTML content is rendered in an iframe without proper sandboxing. An attacker can execute arbitrary JavaScript in the context of a privileged user's browser by...

CVSS 5.4 | AI score 5.7 | EPSS 0.00198
Exploits: 0 | References: 2
Github Security Blog
added 2026/03/27 10:21 p.m., 9 views

Withdrawn Advisory: Kirby CMS has Persistent DoS via Malformed Image Upload

Duplicate Advisory: This advisory has been withdrawn because it has been determined not to be a vulnerability. This link is maintained to preserve external references. Original Description / Summary: Kirby CMS through version 5.1.4 allows an authenticated user with Editor permissions to cause a...

CVSS 6.5 | AI score 5.2 | EPSS 0.00445
Exploits: 1 | References: 7 | Affected Software: 1
Positive Technologies
added 2026/03/26 12:00 a.m., 3 views

PT-2026-28389

Name of the Vulnerable Software and Affected Versions: Kirby CMS versions through 5.1.4. Description: Kirby CMS through version 5.1.4 allows an authenticated user with 'Editor' permissions to cause a persistent Denial of Service (DoS) via a malformed image upload. The application does not properly...

CVSS 6.5 | AI score 5.9 | EPSS 0.00445
Exploits: 1 | References: 10
Cvelist
added 2026/03/26 12:00 a.m., 21 views

CVE-2026-29905

Kirby CMS through 5.1.4 allows an authenticated user with 'Editor' permissions to cause a persistent Denial of Service (DoS) via a malformed image upload. The application fails to properly validate the return value of the PHP getimagesize function. When the system attempts to process this file for...

EPSS 0.00445
Exploits: 1 | References: 3
CVE
added 2026/03/26 12:00 a.m., 16 views

CVE-2026-29905

Kirby CMS (version 5.1.4 and earlier) is affected. An authenticated user with Editor permissions can trigger a persistent DoS by uploading a malformed image; PHP getimagesize() may return false, leading to a fatal TypeError during metadata/thumbnail processing and HTTP 500s. Public details in con...

CVSS 6.5 | AI score 5.8 | EPSS 0.00445
Exploits: 1 | References: 3 | Affected Software: 1
EUVD
added 2026/03/16 3:30 p.m., 3 views

EUVD-2025-208699

Raytha CMS is vulnerable to Stored XSS via the FieldValues1.Value parameter in the post editing functionality. An authenticated attacker with permissions to edit posts can inject arbitrary HTML and JS into the website, which will be rendered/executed when visiting the edited page. This issue was fixed in version...

CVSS 5.4 | AI score 5.8 | EPSS 0.00217
Exploits: 0 | References: 3
Github Security Blog
added 2026/03/02 7:51 p.m., 5 views

NocoDB Vulnerable to Stored Cross-site Scripting via Rich Text Field

Summary: An authenticated user with Editor role can inject arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API. Details: The TipTap editor sanitizes HTML client-side, but the backend stores raw HTML without server-side sanitization. The stored content...

CVSS 5.4 | AI score 6 | EPSS 0.00147
Exploits: 0 | References: 4 | Affected Software: 1
RedhatCVE
added 2026/02/26 4:15 a.m., 3 views

CVE-2026-27745

The SPIP interfacetraductionobjets plugin versions prior to 2.2.2 contain an authenticated remote code execution vulnerability in the translation interface workflow. The plugin incorporates untrusted request data into a hidden form field that is rendered without SPIP output filtering. Because...

CVSS 8.8 | AI score 6.4 | EPSS 0.00761
Exploits: 0 | References: 1