CVE-2026-11369

The Comment API GET /api/Comment and POST /api/Comment in the affected application fails to perform authorization checks to verify that the requesting user has access to the object identified by the relatedObjectId. This Insecure Direct Object Reference IDOR vulnerability allows any authenticated...

Show all comments < 7.0.1 - Cross-Site Scripting

The Show All Comments WordPress plugin before 7.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against a logged in high privilege users such as admin. id: CVE-2022-4295 info: name: Show all commen...

WordPress Core <6.5.2 - Cross-Site Scripting

WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. id: CVE-2024-4439 info: name: WordPress Core 6.5.2 - Cross-Site Scripting author: nqdung2002 severity: hi...

TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments

Impact Stored XSS vulnerability via forged mce:protected comments. Allows attackers to bypass sanitization and inject scripts that execute when content is restored. Impacts users who utilize the protect option. Patches Patched by validating decoded mce:protected content against configured protect...

GHSA-V98H-VMPC-FPQV TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments

Impact Stored XSS vulnerability via forged mce:protected comments. Allows attackers to bypass sanitization and inject scripts that execute when content is restored. Impacts users who utilize the protect option. Patches Patched by validating decoded mce:protected content against configured protect...

EUVD-2026-32923

TinyMCE Cross-Site Scripting XSS vulnerability through mce:protected comments...

CVE-2026-7385

The Decent Comments WordPress plugin before 3.0.2 does not restrict access to comment author email addresses and post author email addresses via its REST API endpoint, allowing unauthenticated attackers to enumerate registered user email addresses...

CVE-2026-38569

HireFlow v1.2 is vulnerable to Cross Site Scripting XSS in candidatedetail.html via the Resume or Feedback Comment fields via POST /candidates/add or POST /feedback/add...

CVE-2026-6041

The Buzz Comments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Custom Buzz Avatar' buzzcommentsavatarimage setting in all versions up to, and including, 0.9.4. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticate...

CVE-2026-4409

The Subscribe To Comments Reloaded plugin for WordPress is vulnerable to unauthorized modification of data due to a leaked secret key and usage of a weak hash generation algorithm in all versions up to, and including, 240119. This makes it possible for unauthenticated attackers to extract the...

CVE-2026-4032

The CodeColorer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' parameter in 'cc' comment shortcode in versions up to, and including, 0.10.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

CVE-2026-40928

WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under objects/ accept state-changing requests via $REQUEST/$GET and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or referer check. A malicious...

CVE-2026-40927

Docmost is open-source collaborative wiki and documentation software. Prior to 0.80.0, when leaving a comment on a page, it is possible to include a JavaScript URI as the link. When a user clicks on the link the JavaScript executes. This vulnerability is fixed in 0.80.0...

CVE-2026-5940

Calling a function that triggers a UI refresh after removing comments via a script may access an invalidated object, leading to program crashes...

CVE-2026-42749

Authentication Bypass Using an Alternate Path or Channel vulnerability in Themeisle Disable Comments for Any Post Types Remove comments comments-plus allows Password Recovery Exploitation.This issue affects Disable Comments for Any Post Types Remove comments: from n/a through = 1.3.0...

GHSA-JF3G-4GWG-4H66 NocoDB: Stored Cross-Site Scripting via Row Comments

Summary An authenticated commenter could store HTML in row comments that executed as script when other users hovered over the comment in the expanded form view. Details The comment write paths persisted the raw comment body with no server-side sanitisation; the expanded-form sidebar then rendered...

NocoDB: Stored Cross-Site Scripting via Row Comments

Summary An authenticated commenter could store HTML in row comments that executed as script when other users hovered over the comment in the expanded form view. Details The comment write paths persisted the raw comment body with no server-side sanitisation; the expanded-form sidebar then rendered...

EUVD-2026-34827

The Comment API GET /api/Comment and POST /api/Comment in the affected application fails to perform authorization checks to verify that the requesting user has access to the object identified by the relatedObjectId. This Insecure Direct Object Reference IDOR vulnerability allows any authenticated...

CVE-2026-11369 IDOR in Comment API Allows Cross-Process Comment Read and Write

The Comment API GET /api/Comment and POST /api/Comment in the affected application fails to perform authorization checks to verify that the requesting user has access to the object identified by the relatedObjectId. This Insecure Direct Object Reference IDOR vulnerability allows any authenticated...

PT-2026-47081

Summary An authenticated commenter could store HTML in row comments that executed as script when other users hovered over the comment in the expanded form view. Details The comment write paths persisted the raw comment body with no server-side sanitisation; the expanded-form sidebar then rendered...