CVE-2025-57543

Cross Site scripting vulnerability XSS in NetBox 4.3.5 "comment" field on object forms. An attacker can inject arbitrary HTML, which will be rendered in the web UI when viewed by other users. This could potentially lead to user interface redress attacks or be escalated to XSS in certain contexts...

CVE-2026-32774 Vulnogram - Stored Cross-Site Scripting via Comment Hypertext

Vulnogram 1.0.0 contains a stored cross-site scripting vulnerability in comment hypertext handling that allows attackers to inject malicious scripts. Remote attackers can inject XSS payloads through comments to execute arbitrary JavaScript in victims' browsers...

CVE-2026-32774

CVE-2026-32774 affects Vulnogram 1.0.0 and describes a stored XSS vulnerability in comment hypertext handling. Remote attackers can inject XSS payloads through comments to execute arbitrary JavaScript in victims’ browsers. The root cause is stored cross-site scripting in HTML comments; exploitati...

CVE-2026-32774 Vulnogram - Stored Cross-Site Scripting via Comment Hypertext

Vulnogram 1.0.0 contains a stored cross-site scripting vulnerability in comment hypertext handling that allows attackers to inject malicious scripts. Remote attackers can inject XSS payloads through comments to execute arbitrary JavaScript in victims' browsers...

EUVD-2026-11742

wpDiscuz before 7.6.47 contains a shortcode injection vulnerability that allows attackers to execute arbitrary shortcodes by including them in comment content sent via email notifications. Attackers can inject shortcodes like contact-form-7 or usermeta in comments, which are executed server-side...

EUVD-2026-11740

wpDiscuz before 7.6.47 contains a stored cross-site scripting vulnerability in the inline comment preview functionality that allows authenticated users to inject malicious scripts by submitting comments with unescaped content. Attackers with unfilteredhtml capabilities can inject JavaScript...

EUVD-2026-11749

wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the commentauthoremail cookie. Attackers can craft a malicious cookie value that, when processed through urldecode and passed to wpmail...

CVE-2026-22202

wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability that allows attackers to delete all comments associated with an email address by crafting a malicious GET request with a valid HMAC key. Attackers can embed the deletecomments action URL in image tags or other resources to...

CVE-2026-22204

wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the commentauthoremail cookie. Attackers can craft a malicious cookie value that, when processed through urldecode and passed to wpmail...

CVE-2026-22191

Beghelli Sicuro24 SicuroWeb contains a template injection vulnerability that allows attackers to inject arbitrary AngularJS expressions by exploiting improper rendering of untrusted input in AngularJS template contexts. Attackers can inject malicious expressions that are compiled and executed by...

CVE-2026-22183

wpDiscuz before 7.6.47 contains a stored cross-site scripting vulnerability in the inline comment preview functionality that allows authenticated users to inject malicious scripts by submitting comments with unescaped content. Attackers with unfilteredhtml capabilities can inject JavaScript...

CVE-2026-29079

Lexbor is a web browser engine library. Prior to 2.7.0, a type‑confusion vulnerability exists in Lexbor’s HTML fragment parser. When ns = UNDEF, a comment is created using the “unknown element” constructor. The comment’s data are written into the element’s fields via an unsafe cast, corrupting th...

CVE-2026-22204 wpDiscuz before 7.6.47 - Unsanitized Cookie Email Used as wp_mail() Recipient

wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the commentauthoremail cookie. Attackers can craft a malicious cookie value that, when processed through urldecode and passed to wpmail...

CVE-2026-22204

wpDiscuz prior to 7.6.47 has an email header injection due to unsanitized comment_author_email cookie. An attacker can craft a cookie value that, after urldecode() is processed by wp_mail(), injects headers or alters recipients. The exact impact and exploit status are not elaborated beyond the de...

CVE-2026-22204

wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the commentauthoremail cookie. Attackers can craft a malicious cookie value that, when processed through urldecode and passed to wpmail...

CVE-2026-22202 wpDiscuz before 7.6.47 - Destructive GET Action Deletes All Comments by Email

wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability that allows attackers to delete all comments associated with an email address by crafting a malicious GET request with a valid HMAC key. Attackers can embed the deletecomments action URL in image tags or other resources to...

CVE-2026-22202

wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability that allows attackers to delete all comments associated with an email address by crafting a malicious GET request with a valid HMAC key. Attackers can embed the deletecomments action URL in image tags or other resources to...

CVE-2026-22202

wpDiscuz before 7.6.47 is affected by a cross-site request forgery that lets an attacker delete all comments for a target email by triggering a crafted GET request containing a valid HMAC key. The attacker can embed the deletecomments action URL in image tags or other resources to cause permanent...

CVE-2026-22191 Beghelli Sicuro24 SicuroWeb AngularJS Template Injection

Beghelli Sicuro24 SicuroWeb contains a template injection vulnerability that allows attackers to inject arbitrary AngularJS expressions by exploiting improper rendering of untrusted input in AngularJS template contexts. Attackers can inject malicious expressions that are compiled and executed by...

CVE-2026-22191

Beghelli Sicuro24 SicuroWeb is affected by an AngularJS 1.5.2-based template injection chain that can lead to arbitrary JavaScript execution in operator browser sessions. The root cause is improper handling of untrusted input in AngularJS template contexts, combined with an end-of-life AngularJS ...