CVE-2026-40544

SOPlanning is affected by a Stored XSS in the backup feature. An authenticated attacker with backup access can upload a crafted ZIP containing a malicious user.csv; the injected script executes in victims’ browsers when they click Edit on the malicious backup. Affected: SOPlanning v1.55 and earli...

WordPress plugin Contact Form Maker SQL注入漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

CVE-2026-6229

The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.7.1057. This is due to insufficient validation of user-supplied URLs in the rendercsvdata function, which can be bypassed by including 'docs.google.com/spreadsheets' in...

CVE-2026-6229

The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.7.1057. This is due to insufficient validation of user-supplied URLs in the rendercsvdata function, which can be bypassed by including 'docs.google.com/spreadsheets' in...

EUVD-2026-26757

The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.7.1057. This is due to insufficient validation of user-supplied URLs in the rendercsvdata function, which can be bypassed by including 'docs.google.com/spreadsheets' in...

CVE-2026-6229

The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.7.1057. This is due to insufficient validation of user-supplied URLs in the rendercsvdata function, which can be bypassed by including 'docs.google.com/spreadsheets' in...

WordPress plugin Royal Elementor Addons 代码问题漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

PT-2026-36590

Name of the Vulnerable Software and Affected Versions Royal Elementor Addons versions prior to 1.7.1058 Description The Royal Elementor Addons plugin for WordPress contains a Server-Side Request Forgery SSRF issue. This occurs because the render csv data function does not sufficiently validate...

CVE-2026-24447

Movable Type 7.x and 8.4.x are affected by CVE-2026-24447. A flaw in CSV handling allows specially crafted input data to produce a malicious CSV file that, when opened by a user, can execute code in the user’s environment. The PT-2026-6193 entry explicitly identifies Movable Type 7.x and 8.4.x (n...

CVE-2025-14610

CVE-2025-14610 : The WordPress plugin TableMaster for Elementor (versions up to and including 1.3.6) is vulnerable to authenticated SSRF via the csv_url parameter in the Data Table widget. An attacker with Author-level access or higher can trigger web requests to arbitrary locations (including lo...

WordPress plugin WP Import – Ultimate CSV XML Importer 代码问题漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. WordPress plugin WP...

PT-2025-39315

Name of the Vulnerable Software and Affected Versions csvtojson versions prior to 2.0.10 Description The csvtojson package has a flaw due to inadequate sanitization of nested header names during parsing. Processing CSV input with crafted header fields referencing prototype chains like using proto...

CVE-2024-51977

An unauthenticated attacker who can access either the HTTP service TCP port 80, the HTTPS service TCP port 443, or the IPP service TCP port 631, can leak several pieces of sensitive information from a vulnerable device. The URI path /etc/mntinfo.csv can be accessed via a GET request and no...

CVE-2020-8518

Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, leading to remote code execution...

CVE-2019-15127

REDCap before 9.3.0 allows XSS attacks against non-administrator accounts on the Data Import Tool page via a CSV data import file...

CVE-2024-51094

An issue in Snipe-IT v.7.0.13 build 15514 allows a low-privileged attacker to modify their profile name and inject a malicious payload into the "Name" field. When an administrator later accesses the People Management page, exports the data as a CSV file, and opens it, the injected payload will be...

SSRF in CSV Datasource Plugin

Grafana is an open-source platform for monitoring and observability. The CSV datasource plugin is a Grafana Labs maintained plugin that allows for retrieving and processing CSV data from a remote endpoint configured by an administrator. If this plugin was configured to send requests to a bare hos...

CVE-2022-3604

The Contact Form Entries WordPress plugin before 1.3.0 does not validate data when its output in a CSV file, which could lead to CSV injection...

WordPress Import and export users and customers plugin跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The WordPress plugin is an application plugin. A cross-site scripting vulnerability exists in the WordPress Import and export users and customers plugin...

CVE-2022-1255

The Import and export users and customers WordPress plugin before 1.19.2.1 does not sanitise and escaped imported CSV data, which could allow high privilege users to import malicious javascript code and lead to Stored Cross-Site Scripting issues...