73 matches found
GHSA-268H-HP4C-CRQ3 Nodemailer: CRLF injection in Nodemailer List-* header comments allows arbitrary message header injection
Summary Nodemailer constructs List- headers from the caller-provided list message option using internally prepared header values. The list..comment field is inserted into those prepared values without removing CR \r or LF \n characters. Because prepared headers bypass the normal header-value...
CVE-2026-7556
The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the comment text in all versions up to, and including, 7.5.49.7212 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVE-2023-54351
CVE-2023-54351 : WordPress Sonaar Music Plugin 4.7 has a stored XSS vulnerability in the comment functionality. Unauthenticated attackers can submit JavaScript payloads via the comment parameter to wp-comments-post.php, which are stored and later executed in the browsers of users viewing the affe...
CVE-2026-46367
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craft URLs with unescaped quotes to inject event handlers, stealing admin session cookies and achieving...
EUVD-2026-11751
wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through unescaped attachment URLs in HTML output by exploiting the WpdiscuzHelperUpload class. Attackers can craft malicious attachment records or filter hooks to inject arbitrary...
CVE-2025-70128
A Stored Cross-Site Scripting XSS vulnerability exists in the PluXml article comments feature for PluXml versions 5.8.22 and earlier. The application fails to properly sanitize or validate user-supplied input in the "link" field of a comment. An attacker can inject arbitrary JavaScript code using...
CVE-2025-70128
A Stored Cross-Site Scripting XSS vulnerability exists in the PluXml article comments feature for PluXml versions 5.8.22 and earlier. The application fails to properly sanitize or validate user-supplied input in the "link" field of a comment. An attacker can inject arbitrary JavaScript code using...
EUVD-2026-9851
Gogs: Stored XSS via data URI in issue comments...
CVE-2026-28397 NocoDB: Stored Cross-Site Scripting via Comments
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, comments rendered via v-html without sanitization enable stored XSS. This issue has been patched in version 0.301.3...
CVE-2026-28397 NocoDB: Stored Cross-Site Scripting via Comments
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, comments rendered via v-html without sanitization enable stored XSS. This issue has been patched in version 0.301.3...
Improper Restriction of Rendered UI Layers or Frames
Overview Affected versions of this package are vulnerable to Improper Restriction of Rendered UI Layers or Frames in comments. An attacker can cause users to be redirected to a malicious page by injecting CSS that transforms the entire wiki interface into a clickable link area. Remediation Upgrad...
Improper Restriction of Rendered UI Layers or Frames
Overview Affected versions of this package are vulnerable to Improper Restriction of Rendered UI Layers or Frames in comments. An attacker can cause users to be redirected to a malicious page by injecting CSS that transforms the entire wiki interface into a clickable link area. Remediation Upgrad...
CVE-2026-26000 XWiki Platform affected by click-jacking through CSS injection in comments
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it's possible using comments to inject CSS that would transform the full wiki in a link area leading to a malicious page. This vulnerability is fixed in...
CVE-2026-26000 XWiki Platform affected by click-jacking through CSS injection in comments
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it's possible using comments to inject CSS that would transform the full wiki in a link area leading to a malicious page. This vulnerability is fixed in...
CVE-2026-26000 XWiki Platform affected by click-jacking through CSS injection in comments
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it's possible using comments to inject CSS that would transform the full wiki in a link area leading to a malicious page. This vulnerability is fixed in...
PT-2026-7901
Name of the Vulnerable Software and Affected Versions XWiki Platform versions prior to 17.9.0 XWiki Platform versions prior to 17.4.6 XWiki Platform versions prior to 16.10.13 Description The XWiki Platform is a generic wiki platform. A flaw exists where comments can be used to inject CSS,...
CVE-2019-25312
InoERP 0.7.2 contains a persistent cross-site scripting vulnerability in the comment section that allows unauthenticated attackers to inject malicious scripts. Attackers can submit comments with JavaScript payloads that execute in other users' browsers, potentially stealing cookies and session...
CVE-2019-25312 InoERP 0.7.2 - Persistent Cross-Site Scripting
InoERP 0.7.2 contains a persistent cross-site scripting vulnerability in the comment section that allows unauthenticated attackers to inject malicious scripts. Attackers can submit comments with JavaScript payloads that execute in other users' browsers, potentially stealing cookies and session...
PT-2026-7607
Name of the Vulnerable Software and Affected Versions InoERP version 0.7.2 Description InoERP version 0.7.2 has a persistent cross-site scripting issue in the comment section. Unauthenticated attackers can inject malicious scripts, such as JavaScript payloads, through comments. These scripts...
PT-2026-6740
Millhouse-Project 1.414 contains a persistent cross-site scripting vulnerability in the comment submission functionality that allows attackers to inject malicious scripts. Attackers can post comments with embedded JavaScript through the 'content' parameter in add comment sql.php to execute...