14 matches found

CNNVD
added 2026/05/02 12:0 a.m., 5 views

WordPress plugin App Builder – Create Native Android & iOS Apps On The Flight security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be added to th...

CVSS 5.3, AI score 5.8, EPSS 0.00062
Exploits: 0, References: 2
NVD
added 2026/03/05 9:16 p.m., 3 views

CVE-2026-28436

Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL that results in XSS when the avatar is displayed, and it can be triggered for other users via website page comments. This issue has been patched in versions 16.11.0 an...

CVSS 7.2, EPSS 0.00045
Exploits: 0, References: 1
OSV
added 2026/03/05 8:21 p.m., 1 view

CVE-2026-28436 Frappe: Stored XSS in avatar_macro.html

Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL that results in XSS when the avatar is displayed, and it can be triggered for other users via website page comments. This issue has been patched in versions 16.11.0 an...

CVSS 5.3, AI score 5.7, EPSS 0.00045
Exploits: 0, References: 3
Vulnrichment
added 2026/02/21 9:27 a.m., 3 views

CVE-2026-27485 OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, skills/skill-creator/scripts/packageskill.py, a local helper script used when authors package skills, previously followed symlinks while building .skill archives. If an author runs this script on a crafted local skill directory...

CVSS 4.6, AI score 5.6, EPSS 0.00007
Exploits: 0, References: 5
RedhatCVE
added 2026/01/09 8:57 a.m., 10 views

CVE-2023-31223

Dradis before 4.8.0 allows persistent XSS by authenticated author users, related to avatars...

CVSS 8.7, AI score 5.9, EPSS 0.00302
Exploits: 0, References: 1
vulnersOsv
added 2025/11/25 12:16 a.m., 5 views

@oku-ui/primitives (>=0.0.1 <=0.6.1) potentially affected by unknown CVE via @oku-ui/avatar (=0.6.1)

@oku-ui/avatar NPM version =0.6.1 is affected by a known vulnerability. The following packages have a transitive dependency on @oku-ui/avatar and may be impacted: - @oku-ui/primitives >=0.0.1, <=0.6.1. Source CVEs: unknown CVE. Source advisory: OSV:MAL-2025-191251...

AI score 5.8
Exploits: 0
CVE
added 2025/10/01 12:0 a.m., 11 views

CVE-2025-56515

CVE-2025-56515 affects Fiora chat application 1.0.0. The issue is in the user avatar SVG upload: content is not validated, allowing SVGs with foreignObject, iframe elements and JavaScript event handlers (e.g., onmouseover) to be uploaded and stored. When rendered, these SVGs execute arbitrary Jav...

CVSS 8.8, AI score 7, EPSS 0.00033
Exploits: 1, References: 3, Affected Software: 1
Tenable Nessus
added 2025/09/10 12:0 a.m., 3 views

Linux Distros Unpatched Vulnerability : CVE-2019-13376

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature. The CSRF Token Hijacking...

CVSS 6.5, AI score 6.7, EPSS 0.00057
Exploits: 1, References: 2
RedhatCVE
added 2025/09/05 12:35 a.m., 2 views

CVE-2025-56761

Memos 0.22 is vulnerable to stored cross-site scripting (XSS) vulnerabilities via the upload attachment and user avatar features. Memos does not verify the content type of the uploaded data and serves it back as is. An authenticated attacker can use this to elevate their privileges when the stored XS...

CVSS 5.4, AI score 5.6, EPSS 0.00058
Exploits: 1, References: 1
RedhatCVE
added 2025/05/22 10:44 p.m., 7 views

CVE-2022-29020

ForestBlog through 2022-02-16 allows admin/profile/save userAvatar XSS during addition of a user avatar...

CVSS 6.1, AI score 6.1, EPSS 0.00223
Exploits: 1, References: 1
CNVD
added 2020/06/04 12:0 a.m., 1 view

Grafana Code Issues Vulnerabilities

Grafana is a set of open source monitoring tools from Grafana Labs that provide a visual monitoring interface. The tool is primarily used to monitor and analyze Graphite, InfluxDB, and Prometheus, among others. A remote code execution vulnerability exists in the avatar feature in Grafana versions...

CVSS 8.2, AI score 8, EPSS 0.93094
Exploits: 5, References: 1
OSV
added 2018/06/27 8:29 p.m., 1 view

CVE-2018-1354

An improper access control vulnerability in Fortinet FortiManager 6.0.0, 5.6.5 and below versions, and FortiAnalyzer 6.0.0, 5.6.5 and below versions allows a regular user to edit the avatar picture of other users with arbitrary content...

CVSS 6.5, AI score 5.9
Exploits: 0, References: 4
seebug.org
added 2014/07/01 12:0 a.m., 16 views

PHP-Nuke 5.x/6.0 Avatar HTML Injection Vulnerability

No description provided by source. Source: http://www.securityfocus.com/bid/6750/info A problem with PHP-Nuke could allow remote users to execute arbitrary code in the context of the web site. The problem is in the lack of sanitization of some types of input. PHP-Nuke does not sanitize code...

AI score 7.1
Exploits: 0
securityvulns
added 2005/11/26 12:0 a.m., 32 views

XSS in PBLang 4.65 Profile.php/UCP.php

Who's got the magic stick? It sure as hell ain't 50 Cent. Excuse me for posting again within minutes, but I did not properly check the other forms. In UCP.php, when editing your profile, in several fields you can inject code into the page, just as in the SendPm.php. EX: Input table: "URL"...

Exploits: 0