CVE-2026-5070

The Vantage theme for WordPress is vulnerable to Stored Cross-Site Scripting via Gallery block text content in versions up to, and including, 1.20.32 due to insufficient output escaping in the gallery template. This makes it possible for authenticated attackers, with contributor-level access and...

CVE-2026-33669

SiYuan is a personal knowledge management system. Prior to version 3.6.2, document IDs were retrieved via the /api/file/readDir interface, and then the /api/block/getChildBlocks interface was used to view the content of all documents. Version 3.6.2 patches the issue...

CVE-2026-33669

SiYuan is a personal knowledge management system. Prior to version 3.6.2, document IDs were retrieved via the /api/file/readDir interface, and then the /api/block/getChildBlocks interface was used to view the content of all documents. Version 3.6.2 patches the issue...

SiYuan has Arbitrary Document Reading within the Publishing Service

Details Document IDs were retrieved via the /api/file/readDir interface, and then the /api/block/getChildBlocks interface was used to view the content of all documents. PoC python !/usr/bin/env python3 """SiYuan /api/block/getChildBlocks 文档内容读取""" import requests import json import sys def...

EUVD-2026-10091

The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 12.8.3. This is due to missing authorization and post status validation in the gspbelreusableload AJAX handler. The handler accepts an...

Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl CVE-2025-47287

Summary IBM Maximo Application Suite - Monitor Component is vulnerable to tornado-6.4.2-cp38-abi3-manylinux25x8664.manylinux1x8664.manylinux217x8664.manylinux2014x8664.whl CVE-2025-47287. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details...

WordPress Genesis Blocks plugin <= 3.1.2 - Authenticated(Contributor+) Stored Cross-Site Scripting via Block Content vulnerability

AuthenticatedContributor+ Stored Cross-Site Scripting via Block Content vulnerability discovered by Ngô Thiên An ancorn in WordPress Plugin Genesis Blocks versions = 3.1.2...

CVE-2023-2964

The Simple Iframe WordPress plugin before 1.2.0 does not properly validate one of its WordPress block attribute's content, which may allow users whose role is at least that of a contributor to conduct Stored Cross-Site Scripting attacks...

CVE-2021-31005

Description: A logic issue was addressed with improved state management. This issue is fixed in iOS 15 and iPadOS 15, macOS Monterey 12.0.1. Turning off "Block all remote content" may not apply to all remote content types...

DRUPAL-CONTRIB-2021-022

This module provides a revision UI for Block Content entities. The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules. This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions...

Block Content Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-022

This module provides a revision UI for Block Content entities. The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules. This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions...

DRUPAL-CONTRIB-2021-017

This module provides a revision UI to Block Content entities. The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules. This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions...

Block Content Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-017

This module provides a revision UI to Block Content entities. The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules. This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions...

Cross site scripting

Cross-site scripting XSS vulnerability in the Simple Subscription module before 6.x-1.1 and 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "administer blocks" permission to inject arbitrary web script or HTML via vectors related to block content...

CVE-2015-4367

Cross-site scripting XSS vulnerability in the Simple Subscription module before 6.x-1.1 and 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "administer blocks" permission to inject arbitrary web script or HTML via vectors related to block content...

Cross site request forgery (csrf)

The Context module 6.x-3.x before 6.x-3.1 and 7.x-3.x before 7.x-3.0-beta6 for Drupal does not properly restrict access to block content, which allows remote attackers to obtain sensitive information via a crafted request...