43675 matches found
Grav CMS cross-site scripting vulnerability
Grav CMS is an open-source file-based content management system developed by Grav. Grav CMS 1.9.18 contains a cross-site scripting vulnerability; this vulnerability stems from a persistent cross-site scripting in the page title field, which may allow for the execution of malicious scripts...
Alibaba Cloud Linux 3 : 0015: openssl (ALINUX3-SA-2026:0015)
The remote Alibaba Cloud Linux 3 host has packages installed that are affected by a vulnerability as referenced in the ALINUX3-SA-2026:0015 advisory. Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities: CVE-2025-9230: Issue summary: An application trying...
CVE-2020-36932
SeaCMS 11.1 contains a stored cross-site scripting vulnerability in the checkuser parameter of the admin settings page. Attackers can inject malicious JavaScript payloads that will execute in users' browsers when the page is loaded...
CVE-2025-71177
LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without prop...
LavaLite CMS affected by a stored cross-site scripting vulnerability
LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without prop...
CVE-2021-47906
BloofoxCMS 0.5.2.1 contains a stored cross-site scripting vulnerability in the articles text parameter that allows authenticated attackers to inject malicious scripts. Attackers can insert malicious javascript payloads in the text field to execute scripts and potentially steal authenticated users...
CVE-2025-71177
LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without prop...
CVE-2025-71177
LavaLite CMS ≤ 10.1.0 is reported to have a stored XSS vulnerability in package creation and package search. Authenticated users can inject HTML/JavaScript into the Package Name or Description fields, which is stored and later rendered without proper output encoding in search results, enabling po...
CVE-2025-71177 LavaLite CMS <= 10.1.0 Stored XSS via Package Creation and Search
LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without prop...
CVE-2025-71177 LavaLite CMS <= 10.1.0 Stored XSS via Package Creation and Search
LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without prop...
Malicious code in public-site-cms-ui (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3ab3fee105c88cb2417b79efd376d25e9f23afaaef354d5f154635820c702079 The package public-site-cms-ui was found to contain malicious code...
MAL-2026-483 Malicious code in public-site-cms-ui (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3ab3fee105c88cb2417b79efd376d25e9f23afaaef354d5f154635820c702079 The package public-site-cms-ui was found to contain malicious code...
PT-2026-4535
Name of the Vulnerable Software and Affected Versions Typemill versions 2.19.1 and below Description Typemill is a flat-file, Markdown-based CMS for informational documentation websites. A reflected Cross-Site Scripting XSS issue exists in the login error view template login.twig. The username...
Freeform Craft Plugin CP UI (builder/integrations) has Stored Cross-Site Scripting (XSS) issue
Summary An authenticated, low-privilege user able to create/edit forms can inject arbitrary HTML/JS into the Craft Control Panel CP builder and integrations views. User-controlled form labels and integration metadata are rendered with dangerouslySetInnerHTML without sanitization, leading to store...
CVE-2021-47860
GetSimple CMS Custom JS 0.1 plugin contains a cross-site request forgery vulnerability that allows unauthenticated attackers to inject arbitrary client-side code into administrator browsers. Attackers can craft a malicious website that triggers a cross-site scripting payload to execute remote cod...
CVE-2021-47778
GetSimple CMS My SMTP Contact Plugin 1.1.2 contains a PHP code injection vulnerability. An authenticated administrator can inject arbitrary PHP code through plugin configuration parameters, leading to remote code execution on the server...
PT-2026-7943
Name of the Vulnerable Software and Affected Versions Solspace Freeform plugin for Craft CMS versions 5.0 through 5.14.6 Description A low-privilege authenticated user with form creation/editing permissions can inject arbitrary HTML and JavaScript code into the Craft Control Panel builder and...
Exploit for Cross-site Scripting in Exponentcms Exponent_Cms
Synthetic Test Case: CVE-2017-8085 CWE: CWE-79 Origin...
CVE-2021-47870
GetSimple CMS My SMTP Contact Plugin 1.1.2 suffers from a Stored Cross-Site Scripting XSS vulnerability. The plugin attempts to sanitize user input using htmlspecialchars, but this can be bypassed by passing dangerous characters as escaped hex bytes. This allows attackers to inject arbitrary...
CVE-2021-47870
GetSimple CMS My SMTP Contact Plugin 1.1.2 suffers from a Stored Cross-Site Scripting XSS vulnerability. The plugin attempts to sanitize user input using htmlspecialchars, but this can be bypassed by passing dangerous characters as escaped hex bytes. This allows attackers to inject arbitrary...