2670 matches found
CVE-2026-29048 HumHub: XSS in Button component
HumHub is an Open Source Enterprise Social Network. In version 1.18.0, a cross-site scripting vulnerability was identified in the Button component of version 1.18.0. Due to inconsistent output encoding at several points within the software, malicious scripts could be injected and executed in the...
CVE-2026-29048 HumHub: XSS in Button component
HumHub is an Open Source Enterprise Social Network. In version 1.18.0, a cross-site scripting vulnerability was identified in the Button component of version 1.18.0. Due to inconsistent output encoding at several points within the software, malicious scripts could be injected and executed in the...
CVE-2026-29048 HumHub: XSS in Button component
HumHub is an Open Source Enterprise Social Network. In version 1.18.0, a cross-site scripting vulnerability was identified in the Button component of version 1.18.0. Due to inconsistent output encoding at several points within the software, malicious scripts could be injected and executed in the...
CVE-2026-29048
HumHub is an Open Source Enterprise Social Network. In version 1.18.0, a cross-site scripting vulnerability was identified in the Button component of version 1.18.0. Due to inconsistent output encoding at several points within the software, malicious scripts could be injected and executed in the...
HumHub 跨站脚本漏洞
HumHub is an open-source social networking software developed using the Yii PHP framework. Version HumHub 1.18.0 contains a cross-site scripting vulnerability. This vulnerability stems from inconsistent output encoding in the Button component, which may allow malicious scripts to be injected and...
PT-2026-23656
Name of the Vulnerable Software and Affected Versions HumHub version 1.18.0 Description HumHub is an Open Source Enterprise Social Network. A cross-site scripting issue exists in the Button component due to inconsistent output encoding. This allows for the injection and execution of malicious...
CVE-2025-14142
The Electric Enquiries plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button' parameter of the electric-enquiry shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
CVE-2026-28415 Gradio has Open Redirect in OAuth Flow
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, the redirecttotarget function in Gradio's OAuth flow accepts an unvalidated targeturl query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback...
EUVD-2025-208136
The Electric Enquiries plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button' parameter of the electric-enquiry shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
CVE-2025-14142
The Electric Enquiries plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button' parameter of the electric-enquiry shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
CVE-2025-14142
CVE-2025-14142 refers to the WordPress plugin Electric Enquiries, affected up to and including version 1.1. It enables a Stored Cross-Site Scripting (XSS) via the button attribute of the electric-enquiry shortcode, allowing authenticated attackers with Contributor-level access and above to inject...
CVE-2025-14142 Electric Enquiries <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'button' Shortcode Attribute
The Electric Enquiries plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button' parameter of the electric-enquiry shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
CVE-2025-14142 Electric Enquiries <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'button' Shortcode Attribute
The Electric Enquiries plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button' parameter of the electric-enquiry shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
CVE-2025-14040
The Automotive Car Dealership Business WordPress Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Call to Action' custom fields in all versions up to, and including, 13.4. This is due to insufficient input sanitization and output escaping on user-supplied attributes in th...
PT-2026-22328
The Electric Enquiries plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button' parameter of the electric-enquiry shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
WordPress Electric Enquiries plugin <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'button' Shortcode Attribute vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via 'button' Shortcode Attribute vulnerability discovered by zakaria in WordPress Plugin Electric Enquiries versions = 1.1...
GHSA-4QGR-4H56-8895 Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module
Summary Vikunja is an open-source self-hosted task management platform with 3,300+ GitHub stars. A reflected HTML injection vulnerability exists in the Projects module where the filter URL parameter is rendered into the DOM without output encoding when the user clicks "Filter." While and are...
Malicious code in vl-ui-button (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1e34ef0af8a8e8cc96afd0941b0fe2a5259eb4d2cf73564c5dde8b97a2bdf766 The package vl-ui-button was found to contain malicious code. Source: ossf-package-analysis...
MAL-2026-992 Malicious code in vl-ui-button (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1e34ef0af8a8e8cc96afd0941b0fe2a5259eb4d2cf73564c5dde8b97a2bdf766 The package vl-ui-button was found to contain malicious code. Source: ossf-package-analysis...
CVE-2026-27474
SPIP before 4.4.9 allows Cross-Site Scripting XSS in the private area, complementing an incomplete fix from SPIP 4.4.8. The echappeantixss function was not systematically applied to input, form, button, and anchor a HTML tags, allowing an attacker to inject malicious scripts through these element...