432 matches found
Improper Encoding or Escaping of Output
Overview lxml-html-clean is a HTML cleaner from lxml project Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the hassneakyjavascript function. An attacker can cause external CSS to be loaded or execute scripts in certain browsers by injecting special...
EUVD-2026-9107
wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows authenticated subscribers to upload SVG files as profile avatars through the avatar upload functionality. Attackers upload a crafted SVG containing CSS injection or JavaScript event handlers that execute in the...
CVE-2026-28558 wpForo Forum 2.4.14 Stored XSS via SVG Avatar File Upload
wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows authenticated subscribers to upload SVG files as profile avatars through the avatar upload functionality. Attackers upload a crafted SVG containing CSS injection or JavaScript event handlers that execute in the...
Fedora 42 : roundcubemail (2026-d684b372f1)
The remote Fedora 42 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-d684b372f1 advisory. Release 1.6.13 - Managesieve: Fix handling of string-list format values for date tests in Out of Office 10075 - Fix remote image blocking bypass via SVG...
CVE-2026-1640 Taskbuilder <= 5.0.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Project/Task Comment Creation
The Taskbuilder – WordPress Project Management & Task Management plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.0.2. This is due to missing authorization checks on the project and task comment submission functions AJAX actions:...
WordPress plugin Taskbuilder – WordPress Project Management & Task Management 安全漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be added t...
[SECURITY] [DSA 6137-1] roundcube security update
------------------------------------------------------------------------- Debian Security Advisory DSA-6137-1 [email protected] https://www.debian.org/security/ Sebastien Delafond February 17, 2026 https://www.debian.org/security/faq -...
Debian dsa-6137 : roundcube - security update
The remote Debian 12 / 13 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6137 advisory. - ------------------------------------------------------------------------- Debian Security Advisory DSA-6137-1 [email protected]...
Improper Restriction of Rendered UI Layers or Frames
Overview Affected versions of this package are vulnerable to Improper Restriction of Rendered UI Layers or Frames in comments. An attacker can cause users to be redirected to a malicious page by injecting CSS that transforms the entire wiki interface into a clickable link area. Remediation Upgrad...
CVE-2026-26000
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it's possible using comments to inject CSS that would transform the full wiki in a link area leading to a malicious page. This vulnerability is fixed in...
CVE-2026-26000
CVE-2026-26000 : XWiki Platform is vulnerable to CSS-injection in comments that can transform the entire wiki UI into a clickable link area leading to a malicious page. Affected versions are prior to 17.9.0, 17.4.6, and 16.10.13. The root cause is a comment-based CSS injection that enables a clic...
CVE-2026-26000 XWiki Platform affected by click-jacking through CSS injection in comments
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it's possible using comments to inject CSS that would transform the full wiki in a link area leading to a malicious page. This vulnerability is fixed in...
CVE-2026-26000
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it's possible using comments to inject CSS that would transform the full wiki in a link area leading to a malicious page. This vulnerability is fixed in...
CVE-2026-26000 XWiki Platform affected by click-jacking through CSS injection in comments
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it's possible using comments to inject CSS that would transform the full wiki in a link area leading to a malicious page. This vulnerability is fixed in...
GHSA-74RH-C5RH-88VG XWiki vulnerable to click-jacking through CSS injection in comments
Impact It's possible using comments to inject CSS that would transform the full wiki in a link area leading to a malicious page. All versions of XWiki are impacted by this kind of attack. Patches The problem has been patched not by preventing injecting CSS in comments, which is currently a featur...
SUSE CVE-2026-26079
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets CSS injection, e.g., because comments are mishandled...
PT-2026-7901
Name of the Vulnerable Software and Affected Versions XWiki Platform versions prior to 17.9.0 XWiki Platform versions prior to 17.4.6 XWiki Platform versions prior to 16.10.13 Description The XWiki Platform is a generic wiki platform. A flaw exists where comments can be used to inject CSS,...
XWiki Platform 安全漏洞
The XWiki Platform is an open-source wiki platform designed for creating web collaboration applications. Versions of the XWiki Platform prior to 17.9.0, 17.4.6, and 16.10.13 contained security vulnerabilities. These vulnerabilities stemmed from the possibility of using CSS injection via comments,...
CVE-2026-26079
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets CSS injection, e.g., because comments are mishandled...
CVE-2026-26079
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets CSS injection, e.g., because comments are mishandled...