3571 matches found
EUVD-2026-45011
An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. There is heap exposure in nested MIME comment parsing. An authenticated IMAP user could craft an email message containing an RFC 822 comment ending with a backslash. When parsing the message, the server would read past the...
CVE-2026-59860
Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.3, Kiota is affected by a code-generation injection vulnerability in the C XML documentation-comment sink the description, externalDocs label, and externalDocs link fields emitted as /// … comments. When text from an OpenAPI...
CVE-2026-59862 Kiota: Code Generation Literal Injection in the Python Generator
Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.0, Kiota's Python generator let attacker-controlled enum value descriptions from x-ms-enum.values.description flow through KiotaBuilder.SetEnumOptions into Documentation.DescriptionTemplate and...
WordPress Core <6.5.2 - Cross-Site Scripting
WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. id: CVE-2024-4439 info: name: WordPress Core 6.5.2 - Cross-Site Scripting author: nqdung2002 severity: hi...
Show all comments < 7.0.1 - Cross-Site Scripting
The Show All Comments WordPress plugin before 7.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against a logged in high privilege users such as admin. id: CVE-2022-4295 info: name: Show all commen...
CVE-2026-47088
Cyrus IMAPD
EUVD-2026-43288
The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments...
CVE-2026-12273
The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments...
CVE-2026-12273 Tutor LMS < 3.9.13 - Subscriber+ Arbitrary Auto-Approved Comment Creation
The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments...
CVE-2026-12273
The CVE-2026-12273 entry concerns Tutor LMS for WordPress (MITRE CVE-2026-12273). Affected component: Tutor LMS WordPress plugin prior to version 3.9.13. Description details a lack of authorization checks and post-target validation in a comment-creation handler, resulting in pre-approved comments...
EUVD-2026-43130
The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Comment Content and User Biographical Info in all versions up to, and including, 1.4.112 due to insufficient input sanitization and output escaping. This makes it possibl...
[SECURITY] Fedora 43 Update: perl-CSS-Minifier-XS-0.15-1.fc43
'CSS::Minifier::XS' is a CSS "minifier". It's designed to remove unnecessary white-space and comments from CSS files, while also not breaking the CSS. 'CSS::Minifier::XS' is similar in function to 'CSS::Minifier', but is substantially faster as it's written in XS and not just pure Perl...
PT-2026-57027
Name of the Vulnerable Software and Affected Versions YesWiki versions prior to 4.6.6 Description An issue exists in the erasespamedcomments wiki action, located in actions/EraseSpamedCommentsAction.php, which allows unauthenticated users to permanently delete arbitrary wiki pages. The action...
CVE-2026-11798
The CVE concerns the WordPress plugin Social Share, Social Login and Social Comments Plugin – Super Socializer . It is vulnerable to Reflected Cross-Site Scripting via the parameter heateor_mastodon_share in all versions up to and including 7.14.5 , caused by insufficient input sanitization and o...
[SECURITY] Fedora 43 Update: perl-JavaScript-Minifier-XS-0.16-1.fc43
JavaScript::Minifier::XS is a JavaScript "minifier"; it's designed to remove unnecessary white space and comments from JavaScript files without breaking the JavaScript...
[SECURITY] Fedora 44 Update: perl-JavaScript-Minifier-XS-0.16-1.fc44
JavaScript::Minifier::XS is a JavaScript "minifier"; it's designed to remove unnecessary white space and comments from JavaScript files without breaking the JavaScript...
CVE-2026-14740 DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment
DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment. The preparse method normalises SQL and removes comments. When the SQL starts with a comment line, the deletion of that line during normalisation led to an out-of-bounds read by one byt...
PT-2026-56062
Name of the Vulnerable Software and Affected Versions Langroid versions prior to 0.65.1 Description Langroid is a framework for building large-language-model-powered applications. The SQLChatAgent component implements a SQL-injection mitigation that uses a raw-text regex blocklist DANGEROUS SQL...
CVE-2026-9148 Comments <= 7.6.56 - Unauthenticated Stored Cross-Site Scripting via 'Website' Field
The Comments – wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the guest commenter 'Website' field in versions up to, and including, 7.6.56 This is due to insufficient output escaping in the getCommentAuthor function, which interpolates the stored commentauthorurl...
CVE-2026-9148
The Comments – wpDiscuz plugin for WordPress (affected: versions up to 7.6.56) is vulnerable to Stored XSS via the guest commenter field Website. The root cause is insufficient output escaping in getCommentAuthor(), which interpolates the stored comment_author_url directly into single-quoted HTML...