ChurchCRM 安全漏洞

ChurchCRM is an open-source CRM system developed for churches. Versions of ChurchCRM prior to 7.2.0 contained security vulnerabilities. These vulnerabilities were caused by insufficient escaping of donation comment values by the Pledge Editor, which could lead to stored-xss attacks...

CVE-2026-40483 ChurchCRM: Stored XSS in PledgeEditor.php via Donation Comment Field

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the Pledge Editor renders donation comment values directly into HTML input value attributes without escaping via htmlspecialchars. An authenticated user with Finance permissions can inject HTML attribute-breaking...

CVE-2026-40483 ChurchCRM: Stored XSS in PledgeEditor.php via Donation Comment Field

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the Pledge Editor renders donation comment values directly into HTML input value attributes without escaping via htmlspecialchars. An authenticated user with Finance permissions can inject HTML attribute-breaking...

CVE-2026-40483

ChurchCRM prior to v7.2.0 is vulnerable to stored XSS via the Pledge Editor’s donation comment field, where unescaped input is placed into HTML input value attributes. An authenticated user with Finance permissions can inject attribute-breaking characters and event handlers, which are stored in t...

XML Injection

Overview @xmldom/xmldom is a javascript ponyfill to provide the following APIs that are present in modern browsers to other runtimes. Since version 0.7.0 this package is published to npm as @xmldom/xmldom and no longer as xmldom Affected versions of this package are vulnerable to XML Injection du...

XML Injection

Overview Affected versions of this package are vulnerable to XML Injection in fxb.js, which does not properly handle closing delimiters for comment and CDATA values. The -- sequence in comment content and the sequence in CDATA sections can be coopted to close their respective sections early and...

XML Injection

Overview xmldom is an A pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to XML Injection due to unvalidated comment serialization. When an application uses the package to create an XML comment from...

XML Injection

Overview org.webjars.npm:xmldom is an A pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to XML Injection due to unvalidated comment serialization. When an application uses the package to create an XML...

CVE-2026-4032

CodeColorer for WordPress is affected by a stored cross-site scripting vulnerability in the cc shortcode’s class attribute, affecting versions up to and including 0.10.1 due to insufficient input sanitization and output escaping. Exploitation requires comments to be enabled on the target post and...

WordPress plugin CodeColorer 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

Cross-site Request Forgery (CSRF)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF through the commentDelete.json.php endpoint, which lacks proper validation of request origin and does not require a CSRF token. An...

GHSA-8QM8-G55H-XMQR WWBN AVideo is missing CSRF protection in objects/commentDelete.json.php enables mass comment deletion against moderators and content creators

Summary objects/commentDelete.json.php is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call forbidIfIsUntrustedRequest, does not verify a CSRF/global token, and does not check Origin/Referer. Because AVideo intentionally sets...

WWBN AVideo is missing CSRF protection in objects/commentDelete.json.php enables mass comment deletion against moderators and content creators

Summary objects/commentDelete.json.php is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call forbidIfIsUntrustedRequest, does not verify a CSRF/global token, and does not check Origin/Referer. Because AVideo intentionally sets...

WWBN AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Creation, Vote Manipulation, and Category Asset Deletion

Summary Multiple AVideo JSON endpoints under objects/ accept state-changing requests via $REQUEST/$GET and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or referer check. A malicious page visited by a logged-in victim can silently: 1. Cast/flip the...

CVE-2025-50228

Jizhicms v2.5.4 is vulnerable to Server-Side Request Forgery SSRF in User Evaluation, Message, and Comment modules...

CVE-2026-5837

A vulnerability was found in PHPGurukul News Portal Project 4.1. This affects an unknown part of the file /news-details.php. The manipulation of the argument Comment results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used...

Decidim's comments API allows access to all commentable resources

Impact The root level commentable field in the API allows access to all commentable resources within the platform, without any permission checks. All Decidim instances are impacted that have not secured the /api endpoint. The /api endpoint is publicly available with the default configuration...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the user name field. An attacker can execute arbitrary code in the context of any user who passively visits a comment page by injecting malicious scripts. Details Cross-site scripting or XSS is a code...

CVE-2026-40038 Pachno 1.0.6 Stored Cross-Site Scripting via Multiple Parameters

Pachno 1.0.6 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads into POST parameters. Attackers can inject scripts through the value, commentbody, articlecontent, description, and message parameters...

CVE-2026-23891

Decidim is a participatory democracy framework. In versions below 0.30.5 and 0.31.0.rc1 through 0.31.0, a stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a comment page, resulting...