CVE-2026-28436
Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL that results in XSS when the avatar is displayed, and it can be triggered for other users via website page comments. This issue has been patched in versions 16.11.0 an...
CVE-2019-18453
An issue was discovered in GitLab Community and Enterprise Edition 11.6 through 12.4 in the add comments via email feature. It has Insecure Permissions...
Moodle PDF Annotator plugin Security Vulnerability
Moodle PDF Annotator plugin is an open source teaching plugin for Moodle. A security vulnerability exists in Moodle PDF Annotator plugin version 1.5 release 9, which stems from the public comments feature not properly filtering input and could lead to a stored cross-site scripting attack...
GHSA-32MF-57H2-64X9 XWiki Rendering is vulnerable to RCE attacks when processing nested macros
Impact The default macro content parser didn't preserve the restricted attribute of the transformation context when executing nested macros. This allows executing macros that are normally forbidden in restricted mode, in particular script macros. The cache and chart macros that are bundled in XWi...
CVE-2021-30227
Cross-site scripting (XSS) vulnerability in the article comments feature in emlog 6.0...
Cross-Site Scripting (XSS)
yeswiki/yeswiki is vulnerable to stored cross-site scripting (XSS). The vulnerability is due to improper input sanitization in the comments feature, allowing obfuscated JavaScript payloads to bypass filters and execute in users' browsers...
GHSA-59X8-CVXH-3MM4 YesWiki Stored XSS Vulnerability in Comments
Summary A stored cross-site scripting (XSS) vulnerability was discovered in the application's comments feature. This issue allows a malicious actor to inject JavaScript payloads that are stored and later executed in the browser of any user viewing the affected comment. The XSS occurs because the...
PT-2025-18180 · Yeswiki · Yeswiki
Name of the Vulnerable Software and Affected Versions: YesWiki versions prior to 4.5.4 Description: A stored cross-site scripting (XSS) issue was found in the comments feature of YesWiki, a wiki system written in PHP. This issue allows a malicious actor to inject JavaScript payloads that are stored...
YesWiki Security Vulnerability
YesWiki is a wiki system written in PHP by the French organization YesWiki. It is used to create and manage websites in a collaborative manner. A security vulnerability exists in versions of YesWiki prior to 4.5.4, which stems from insufficient input cleanup for the comments feature and could lea...
PT-2024-29454 · Unknown · Processwire
Name of the Vulnerable Software and Affected Versions: ProcessWire version 3.0.229 Description: A Cross Site Request Forgery issue allows a remote attacker to execute arbitrary code via a crafted HTML file to the comments functionality. Recommendations: For version 3.0.229, update to a newer...
NocoDB Cross-Site Scripting Vulnerability
NocoDB is an open source Airtable replacement. Convert any MySql, PostgreSql, Sql Server, Sqlite, and MariaDb into a smart spreadsheet. A cross-site scripting vulnerability exists in versions of NocoDB prior to 0.91.7, which stems from a lack of data validation filtering of user-supplied data and...
Attackers Exploit Flaw in Google Docs’ Comments Feature
Attackers are using the “Comments” feature of Google Docs to send malicious links in a phishing campaign targeted primarily at Outlook users, researchers have discovered. Researchers from email collaboration and security firm Avanan, a CheckPoint company, first observed “a new, massive wave of...
XWiki Cross-Site Scripting Vulnerability
Xwiki is a Wiki platform for creating Web collaboration applications from the French company Xwiki. XWiki version 12.10.2 contains a cross-site scripting vulnerability that could be exploited to launch a cross-site scripting attack against a target via the SVG document upload comment feature...
Jspxcms Comments Feature Has XSS Vulnerability
Jspxcms is an open source, Java-based content management system (CMS). An XSS vulnerability exists in the comments feature of Jspxcms version 9.0.0, which stems from the failure to encode user-submitted parameters as HTML entities and to escape special characters, which can be exploited by an...
CVE-2015-5667
Cross-site scripting (XSS) vulnerability in the HTML-Scrubber module before 0.15 for Perl, when the comment feature is enabled, allows remote attackers to inject arbitrary web script or HTML via a crafted comment...
UBUNTU-CVE-2015-5667
Cross-site scripting (XSS) vulnerability in the HTML-Scrubber module before 0.15 for Perl, when the comment feature is enabled, allows remote attackers to inject arbitrary web script or HTML via a crafted comment...
PT-2008-4758 · Pure · Pure Software Lore
Name of the Vulnerable Software and Affected Versions: Pure Software Lore versions prior to 1.7.0 Description: The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related ...