36 matches found
CVE-2022-0535
The E2Pdf WordPress plugin before 1.16.45 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed...
CVE-2025-64827
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they brow...
CVE-2025-52624
A vulnerability Bypass of the script allowlist configuration in HCL AION. An incorrectly configured Content-Security-Policy header may allow unauthorized scripts to execute, increasing the risk of cross-site scripting and other injection-based attacks.This issue affects AION: 2.0...
EUVD-2016-9207
Malware in sbrugna...
EUVD-2020-19221
Malware in sbrugna...
EUVD-2022-15987
Malicious code in bioql PyPI...
EUVD-2025-18180
Malicious code in bioql PyPI...
EUVD-2024-49927
Malicious code in bioql PyPI...
PT-2025-32422 · Workos · Authkit
Name of the Vulnerable Software and Affected Versions: @workos-inc/authkit-remix versions 0.14.1 and below Description: The AuthKit library for Remix exposed sensitive authentication artifacts – specifically sealedSession and accessToken – by returning them from the authkitLoader, causing them to...
Updated rootcerts, nss & firefox packages fix security vulnerabilities
CVE-2025-6424: A use-after-free in FontFaceSet resulted in a potentially exploitable crash. CVE-2025-6425: An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private...
Mozilla Thunderbird < 128.12
The version of Thunderbird installed on the remote Windows host is prior to 128.12. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2025-55 advisory. - The executable file warning did not warn users before opening files with the terminal extension. This bug only...
CVE-2025-49189 Cookie missing HttpOnly flag
The HttpOnlyflag of the session cookie "@@" is set to false. Since this flag helps preventing access to cookies via client-side scripts, setting the flag to false can lead to a higher possibility of Cross-Side-Scripting attacks which target the stored cookies...
CVE-2023-0021
Due to insufficient encoding of user input, SAP NetWeaver - versions 700, 701, 702, 731, 740, 750, allows an unauthenticated attacker to inject code that may expose sensitive data like user ID and password, which could lead to reflected Cross-Site scripting. These endpoints are normally exposed...
CVE-2023-2757
The Waiting: One-click countdowns plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on 'saveLang' functions in versions up to, and including, 0.6.2. This could lead to Cross-Site Scripting due to insufficient input sanitization and output escaping. This...
CVE-2022-3440
The Rock Convert WordPress plugin before 2.11.0 does not sanitise and escape an URL before outputting it back in an attribute when a specific widget is present on a page, leading to a Reflected Cross-Site Scripting...
CVE-2022-0449
The Flexi WordPress plugin before 4.20 does not sanitise and escape various parameters before outputting them back in some pages such as the user dashboard, leading to a Reflected Cross-Site Scripting...
CVE-2021-24768
The WP RSS Aggregator WordPress plugin before 4.19.2 does not properly sanitise and escape the URL to Blacklist field, allowing malicious HTML to be inserted by high privilege users even when the unfilteredhtml capability is disallowed, which could lead to Cross-Site Scripting issues...
CVE-2020-5223
In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting XSS vulnerability. The vulnerability has been fixed in PrivateBin...
CVE-2024-8617
The Quiz Maker WordPress plugin is vulnerable prior to version 6.5.9.9 due to insufficient sanitization/escaping of certain settings, enabling Stored XSS for high-privilege users (e.g., admins) even when unfiltered_html is disallowed (including multisite). Affected versions include 6.5.9.8 and ea...
CVE-2025-3643
A flaw was found in Moodle. The return URL in the policy tool required additional sanitizing to prevent a reflected Cross-site scripting XSS risk...