Masa CMS Input Validation Error Vulnerability
Masa CMS is a digital experience platform operated by the Masa CMS organization. Masa CMS has a vulnerability related to input validation errors. This vulnerability stems from improper handling of relative URLs, which may allow attackers to redirect victims to sites controlled by external attackers...
EUVD-2026-24567
Craft CMS is a content management system (CMS). In versions 5.6.0 through 5.9.14, the actionSavePermissions endpoint allows a user with only viewUsers permission to remove arbitrary users from all user groups. While saveUserGroups enforces per-group authorization for additions, it performs no...
CVE-2026-33886
Statamic is a Laravel and Git powered content management system (CMS). Starting in version 5.7.12 and prior to versions 5.73.16 and 6.7.2, a control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their...
CVE-2026-33884
CVE-2026-33884 affects Statamic CMS (Laravel/Git-based). An authenticated Control Panel user with access to live preview could misuse a live preview token to access restricted content not intended for that token. Root cause: token-based live preview access bypasses content protection for unrelate...
CVE-2026-29113
Craft is a content management system (CMS). Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an...
CVE-2026-32262 Craft CMS has a Path Traversal Vulnerability in AssetsController
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, the AssetsController replaceFile method has a targetFilename body parameter that is used unsanitized in a deleteFile call before...
Craft CMS Vulnerable to Stored XSS via User Group Name in User Permissions Page
Summary: A stored XSS vulnerability exists in the User Permissions page. The User Group name is rendered without proper HTML escaping in the permissions section, allowing an attacker to execute arbitrary JavaScript when another user views or edits a user's permissions. NOTE: This is a separate...
CVE-2021-41573
Hitachi Content Platform Anywhere (HCP-AW) 4.4.5 and later allows information disclosure. If an authenticated user creates a link to a file or folder while the system was running version 4.3.x or earlier, then shares the link, and then later deletes the file or folder without deleting the link and...
CVE-2021-28052
A tenant administrator in Hitachi Content Platform (HCP) may modify the configuration of another tenant without authorization, potentially allowing unauthorized access to data in the other tenant. Also, a non-administrator tenant user may view the configuration of another tenant without authorization. Thi...
CVE-2023-53936
Cameleon CMS 2.7.4 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts into post titles. Attackers can create posts with embedded SVG scripts that execute when other users mouse over the post title, potentially stealing...
EUVD-2021-14759
Malware in sbrugna...
EUVD-2008-5967
Malware in sbrugna...
EUVD-2021-28588
Malicious code in bioql PyPI...
CVE-2025-41061
A vulnerability has been discovered in appRain CMF version 4.0.5, consisting of a stored authenticated XSS due to a lack of proper validation of user input, through the 'dataAddonlayouts' and 'dataAddonlayoutsexcept' parameters in /apprain/developer/addons/update/uploadify...
CVE-2023-31903
GuppY CMS 6.00.10 is vulnerable to Unrestricted File Upload which allows remote attackers to execute arbitrary code by uploading a php file...
SAP ERP BW Business Content Code Injection Vulnerability
SAP ERP BW Business Content is a cloud-based e-commerce platform that helps companies create a personalized and seamless buying experience for their customers. SAP ERP BW Business Content suffers from a code injection vulnerability that can be exploited by an attacker to execute arbitrary code...
MAL-2024-1354 Malicious code in @content-platform/fadam-module (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 38b39e3ee36cc6bc7c45845d588a859e0f041b0ecbc3caaebd1ff022e1fe7132 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in @content-platform/shared (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 8483b2f250f1824837729cc5bf8f6fa9fe76e44cc5c0e9352b1112c8c83cd0db Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7-card Fakabao SQL Injection Vulnerability
7-card Fakabao is a content publishing platform. A SQL injection vulnerability, classified as critical, exists in 7-card Fakabao 1.0build20230805 and prior versions; it stems from an issue in an unknown function in shop/alipaynotify.php...