3491 matches found

Source: Positive Technologies | added 2026/03/10 12:00 a.m. | 1 view

PT-2026-24367

Name of the vulnerable software and affected versions: PluXml versions 5.8.22 and earlier. Description: A stored cross-site scripting (XSS) issue exists in the PluXml article comments feature. The application does not properly sanitize or validate user-supplied input in the link field of a comment. An...

CVSS 6.1 | AI score 6 | EPSS 0.00051 | Exploits: 1 | References: 5

Source: ATTACKERKB | added 2026/03/10 12:00 a.m. | 0 views

CVE-2025-70129

If the anti-spam captcha functionality in PluXml versions 5.8.22 and earlier is enabled, the captcha challenge for articles is generated in a format that can be recognized automatically, so that an automated script can solve this anti-spam mechanism trivially and publish spam comments. T...

AI score 5.8 | EPSS 0.00054 | Exploits: 1 | References: 3

Source: Vulnrichment | added 2026/03/10 12:00 a.m. | 1 view

CVE-2025-70128

A stored cross-site scripting (XSS) vulnerability exists in the PluXml article comments feature for PluXml versions 5.8.22 and earlier. The application fails to properly sanitize or validate user-supplied input in the "link" field of a comment. An attacker can inject arbitrary JavaScript code using...

AI score 5.9 | EPSS 0.00051 | Exploits: 1 | References: 2

Source: Positive Technologies | added 2026/03/10 12:00 a.m. | 4 views

PT-2026-24612

In MariaDB Server versions through 11.8.5, when the server_audit plugin is enabled with the server_audit_events variable configured for QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, if an authenticated database user invokes a SQL statement prefixed with a double-hyphen (--) or hash-style (#) comment, the stateme...

CVSS 5.3 | AI score 5.8 | EPSS 0.00017 | Exploits: 1 | References: 3

Source: Cvelist | added 2026/03/10 12:00 a.m. | 24 views

CVE-2025-70128

A stored cross-site scripting (XSS) vulnerability exists in the PluXml article comments feature for PluXml versions 5.8.22 and earlier. The application fails to properly sanitize or validate user-supplied input in the "link" field of a comment. An attacker can inject arbitrary JavaScript code using...

EPSS 0.00051 | Exploits: 1 | References: 2

Source: CNNVD | added 2026/03/10 12:00 a.m. | 5 views

PluXml security vulnerability

PluXml is an open-source, free content management system developed by PluXml. It works without a database. PluXml versions 5.8.22 and earlier contain security vulnerabilities. These vulnerabilities stem from insufficient sanitization or validation of user input related to the artic...

CVSS 6.1 | AI score 5.7 | EPSS 0.00051 | Exploits: 1 | References: 3

Source: Positive Technologies | added 2026/03/10 12:00 a.m. | 1 view

PT-2026-24368

Name of the vulnerable software and affected versions: PluXml versions 5.8.22 and earlier. Description: When the anti-spam captcha functionality is enabled, PluXml generates captcha challenges in a format that can be recognized automatically. This allows automated scripts to bypass the anti-spam...

CVSS 5.3 | AI score 5.8 | EPSS 0.00054 | Exploits: 1 | References: 5

Source: Positive Technologies | added 2026/03/10 12:00 a.m. | 4 views

PT-2026-24610

In MariaDB Server versions through 11.8.5, when the server_audit plugin is enabled with the server_audit_events variable configured for QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, if an authenticated database user invokes a SQL statement prefixed with a double-hyphen (--) or hash-style (#) comment, the stateme...

CVSS 5.3 | AI score 5.8 | EPSS 0.00017 | Exploits: 1 | References: 3

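Both Positive Technologies entries above (PT-2026-24612 and PT-2026-24610) describe the same audit-filter bypass class: a classifier that keys on the first characters of the statement as received never sees the DDL, DML or DCL keyword when a comment precedes it. The Python module below is an added illustration of that class, not MariaDB's server_audit plugin code. It contrasts a comment-unaware classifier with one that skips leading comments the way the MariaDB/MySQL lexer does (`--` is a comment only when followed by whitespace, `#` runs to end of line, `/* */` is a block comment, and `/*!` or `/*M!` executable comments have a body the server runs). The keyword table, function names and sample statements are constructed for the example.

```python
import re

# Constructed for this example: a minimal keyword -> audit class table
# modelled on the QUERY_DDL / QUERY_DML / QUERY_DCL split.
KEYWORD_CLASS = {
    "CREATE": "QUERY_DDL", "ALTER": "QUERY_DDL", "DROP": "QUERY_DDL",
    "TRUNCATE": "QUERY_DDL", "RENAME": "QUERY_DDL",
    "SELECT": "QUERY_DML", "INSERT": "QUERY_DML", "UPDATE": "QUERY_DML",
    "DELETE": "QUERY_DML", "REPLACE": "QUERY_DML", "LOAD": "QUERY_DML",
    "GRANT": "QUERY_DCL", "REVOKE": "QUERY_DCL",
}

FIRST_WORD = re.compile(r"\s*([A-Za-z]+)")


def strip_leading_comments(sql: str) -> str:
    """Return sql with leading whitespace and comments removed, following
    MariaDB/MySQL lexer rules:
      - '#'  comment to end of line
      - '--' comment to end of line only when followed by whitespace or EOL
      - '/* ... */' block comment
      - '/*! ... */' and '/*M! ... */' executable comments: the body is run,
        so only the opening marker (and optional version digits) is skipped.
    """
    i, n = 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch.isspace():
            i += 1
        elif ch == "#" or (sql.startswith("--", i)
                           and (i + 2 == n or sql[i + 2] in " \t\r\n")):
            nl = sql.find("\n", i)
            i = n if nl == -1 else nl + 1
        elif sql.startswith("/*!", i) or sql.startswith("/*M!", i):
            i += 4 if sql.startswith("/*M!", i) else 3
            while i < n and sql[i].isdigit():   # optional version number
                i += 1
        elif sql.startswith("/*", i):
            end = sql.find("*/", i + 2)
            if end == -1:          # unterminated: nothing executable follows
                return ""
            i = end + 2
        else:
            break
    return sql[i:]


def _classify_first_keyword(sql: str):
    m = FIRST_WORD.match(sql)
    return KEYWORD_CLASS.get(m.group(1).upper()) if m else None


def classify_naive(sql: str):
    """Comment-unaware: inspects the statement text exactly as received."""
    return _classify_first_keyword(sql)


def classify_robust(sql: str):
    """Comment-aware: classifies what the server will actually execute."""
    return _classify_first_keyword(strip_leading_comments(sql))


def audit_logged(sql: str, enabled_events: set, classify=classify_robust) -> bool:
    """Would a filter restricted to enabled_events record this statement?"""
    return classify(sql) in enabled_events


# Constructed sample statements: the plain form first, then the same classes
# hidden behind a leading comment, then a '--' that is not a comment at all.
SAMPLES = [
    "DROP TABLE accounts",
    "-- housekeeping\nDROP TABLE accounts",
    "# note\nGRANT ALL PRIVILEGES ON *.* TO 'app'@'%'",
    "/* hidden */ DELETE FROM audit_log",
    "/*!40101 DELETE */ FROM audit_log",
    "--notacomment DROP TABLE accounts",
]

if __name__ == "__main__":
    events = {"QUERY_DDL", "QUERY_DML", "QUERY_DCL"}
    for s in SAMPLES:
        print(repr(s), "naive:", audit_logged(s, events, classify_naive),
              "robust:", audit_logged(s, events, classify_robust))
```

The check a practitioner wants from this is the second column of the printout: every comment-prefixed sample is dropped by the naive classifier and kept by the comment-aware one, while the `--notacomment` case is left alone by both because the server would not treat it as a comment either.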
Source: CNNVD | added 2026/03/10 12:00 a.m. | 2 views

PluXml security vulnerability

PluXml is an open-source, free content management system developed by PluXml. It works without a database. PluXml versions 5.8.22 and earlier have security vulnerabilities. These vulnerabilities stem from the exposure of details of the anti-spam CAPTCHA function. This could...

CVSS 5.3 | AI score 5.8 | EPSS 0.00054 | Exploits: 1 | References: 3

Source: CVE | added 2026/03/10 12:00 a.m. | 4 views

CVE-2025-70129

CVE-2025-70129 affects PluXml versions 5.8.22 and earlier, where the anti-spam captcha mechanism can be bypassed. The captcha format is exposed in articles with comments and the anti-spam captcha enabled, revealing fields such as capcha-letter, capcha-word, and capcha-token. An automated script can c...

CVSS 5.3 | AI score 5.8 | EPSS 0.00054 | Exploits: 1 | References: 2 | Affected software: 1

Source: Vulnrichment | added 2026/03/10 12:00 a.m. | 1 view

CVE-2025-70129

If the anti-spam captcha functionality in PluXml versions 5.8.22 and earlier is enabled, the captcha challenge for articles is generated in a format that can be recognized automatically, so that an automated script can solve this anti-spam mechanism trivially and publish spam comments. T...

AI score 5.8 | EPSS 0.00054 | Exploits: 1 | References: 2

Source: Cvelist | added 2026/03/10 12:00 a.m. | 25 views

CVE-2025-70129

If the anti-spam captcha functionality in PluXml versions 5.8.22 and earlier is enabled, the captcha challenge for articles is generated in a format that can be recognized automatically, so that an automated script can solve this anti-spam mechanism trivially and publish spam comments. T...

EPSS 0.00054 | Exploits: 1 | References: 2

Source: CVE | added 2026/03/10 12:00 a.m. | 4 views

CVE-2025-70128

Summary: CVE-2025-70128 describes a stored XSS in PluXml, affecting versions up to 5.8.22, in the article comments feature. Affected component: PluXml core/admin/comments.php. Root cause: user-supplied input in the comment's link field is not properly sanitized/validated, allowing malicious [remo...

CVSS 6.1 | AI score 5.9 | EPSS 0.00051 | Exploits: 1 | References: 2 | Affected software: 1

Source: Github Security Blog | added 2026/03/09 7:54 p.m. | 7 views

OpenClaw: system.run allow-always persistence included shell-commented payload tails

OpenClaw's system.run allowlist analysis did not honor POSIX shell comment semantics when deriving allow-always persistence entries. A caller in security=allowlist mode who received an allow-always decision could submit a shell command whose tail was commented out at runtime, for example by using...

AI score 5.9 | Exploits: 0 | References: 4 | Affected software: 1

Source: OSV | added 2026/03/09 7:54 p.m. | 3 views

GHSA-9Q2P-VC84-2RWM OpenClaw: system.run allow-always persistence included shell-commented payload tails

OpenClaw's system.run allowlist analysis did not honor POSIX shell comment semantics when deriving allow-always persistence entries. A caller in security=allowlist mode who received an allow-always decision could submit a shell command whose tail was commented out at runtime, for example by using...

CVSS 5 | AI score 5.9 | Exploits: 0 | References: 4

Source: RedhatCVE | added 2026/03/07 1:44 a.m. | 5 views

CVE-2026-28436

Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL that results in XSS when the avatar is displayed, and it can be triggered for other users via website page comments. This issue has been patched in versions 16.11.0 an...

CVSS 7.2 | AI score 5.7 | EPSS 0.00045 | Exploits: 0 | References: 1

Source: NVD | added 2026/03/05 9:16 p.m. | 3 views

CVE-2026-28436

Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL that results in XSS when the avatar is displayed, and it can be triggered for other users via website page comments. This issue has been patched in versions 16.11.0 an...

CVSS 7.2 | EPSS 0.00045 | Exploits: 0 | References: 1

Source: Snyk | added 2026/03/05 9:13 p.m. | 1 view

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to cross-site scripting (XSS) due to improper sanitization of HTML anchor tags in the comment and issue description functionality. An attacker can execute arbitrary JavaScript in the context of another user by injecting malicious links...

CVSS 8.7 | AI score 5.8 | EPSS 0.00017 | Exploits: 1 | References: 2

Source: EUVD | added 2026/03/05 8:21 p.m. | 2 views

EUVD-2026-9878

Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL that results in XSS when the avatar is displayed, and it can be triggered for other users via website page comments. This issue has been patched in versions 16.11.0 an...

CVSS 5.3 | AI score 5.8 | EPSS 0.00045 | Exploits: 0 | References: 1

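Several entries on this page share one root cause: a user-controlled URL (the PluXml comment link field in CVE-2025-70128, the Frappe avatar image URL in CVE-2026-28436) is placed into an HTML attribute without scheme validation or attribute escaping. The Python below is an added illustration of the hardened pattern, not code from PluXml or Frappe. It shows the vulnerable interpolation beside a validator that enforces an http/https scheme allowlist after removing the whitespace and control characters browsers ignore inside a scheme, then escapes the result for attribute context. Function names, the allowed-scheme set, the fallback avatar path and the sample payloads are constructed for the example.

```python
import html
from urllib.parse import urlsplit

# Constructed for this example: schemes acceptable in a user-supplied link
# or avatar URL. 'javascript:' and 'data:' are deliberately absent.
ALLOWED_SCHEMES = {"http", "https"}


def render_link_unsafe(url: str) -> str:
    """Vulnerable pattern: the raw value lands inside an href attribute."""
    return f'<a href="{url}">{url}</a>'


def render_avatar_unsafe(url: str) -> str:
    """Same flaw in an <img> src attribute."""
    return f'<img src="{url}" alt="avatar">'


def sanitize_url(url: str):
    """Return the URL if it is an absolute http(s) URL, else None.

    Whitespace and control characters are removed first because browsers drop
    them when parsing a scheme, so 'java\\tscript:' would still execute.
    Scheme-relative ('//host') and bare-path values are rejected as well.
    """
    cleaned = "".join(c for c in url if c.isprintable() and not c.isspace())
    parts = urlsplit(cleaned)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return cleaned


def render_link_safe(url: str) -> str:
    """Validate the scheme, then escape for attribute and text context."""
    safe = sanitize_url(url)
    if safe is None:
        return html.escape(url)          # shown as inert text, not a link
    attr = html.escape(safe, quote=True)
    return f'<a href="{attr}" rel="nofollow noopener">{html.escape(safe)}</a>'


def render_avatar_safe(url: str, fallback: str = "/static/default-avatar.png") -> str:
    """Fall back to a constructed default image path when the URL is rejected."""
    safe = sanitize_url(url)
    attr = html.escape(safe if safe is not None else fallback, quote=True)
    return f'<img src="{attr}" alt="avatar">'


# Constructed payloads of the kinds the advisories describe, plus a benign URL.
PAYLOADS = [
    "javascript:alert(document.cookie)",
    "JaVa\tScRiPt:alert(1)",
    'https://example.com/"><script>alert(1)</script>',
    '" onerror="alert(1)',
    "https://example.com/profile?id=42",
]

if __name__ == "__main__":
    for p in PAYLOADS:
        print(repr(p))
        print("  unsafe link  :", render_link_unsafe(p))
        print("  safe link    :", render_link_safe(p))
        print("  unsafe avatar:", render_avatar_unsafe(p))
        print("  safe avatar  :", render_avatar_safe(p))
```

Scheme allowlisting and attribute escaping are separate defences and both are needed: the allowlist stops `javascript:` and `data:` URLs that are perfectly well-formed attribute values, while escaping stops a valid https URL from closing the attribute and injecting markup.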