PT-2026-26807

The Redirect countdown plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the countdown settings content function. This makes it possible for unauthenticated attackers to update the plugin settings...

CVE-2026-31798 JumpServer Improper Certificate Validation in Custom SMS API Client

JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v4.10.16-lts, JumpServer improperly validates certificates in the Custom SMS API Client. When JumpServer sends MFA/OTP codes via Custom SMS API, an attacker can intercept the request and...

CVE-2018-25116 MyBB Thread Redirect Plugin 0.2.1 - Cross-Site Scripting

MyBB Thread Redirect Plugin 0.2.1 contains a cross-site scripting vulnerability in the custom text input field for thread redirects. Attackers can inject malicious SVG scripts that will execute when other users view the thread, allowing arbitrary script execution...

EUVD-2019-7582

Malware in sbrugna...

EUVD-2025-31098

Malicious code in bioql PyPI...

EUVD-2022-24856

Malicious code in bioql PyPI...

EUVD-2025-10042

Malicious code in bioql PyPI...

CVE-2025-59838

Monkeytype is a minimalistic and customizable typing test. In versions 25.36.0 and prior, improper handling of user input when loading a saved custom text results in XSS. This issue has been fixed in version 25.44.0...

PT-2025-39404

Name of the Vulnerable Software and Affected Versions Monkeytype versions prior to 25.36.0 Description Improper handling of user input when loading a saved custom text can lead to cross-site scripting XSS. Recommendations Update to a version later than 25.36.0...

CVE-2022-1564

The Form Maker by 10Web WordPress plugin before 1.14.12 does not sanitize and escape the Custom Text settings, which could allow high privilege user such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed...

tarteaucitron.js allows prototype pollution via custom text injection

A vulnerability was identified in tarteaucitron.js, where the addOrUpdate function, used for applying custom texts, did not properly validate input. This allowed an attacker with direct access to the site's source code or a CMS plugin to manipulate JavaScript object prototypes, leading to potenti...

GHSA-4HWX-XCC5-2HFC tarteaucitron.js allows prototype pollution via custom text injection

A vulnerability was identified in tarteaucitron.js, where the addOrUpdate function, used for applying custom texts, did not properly validate input. This allowed an attacker with direct access to the site's source code or a CMS plugin to manipulate JavaScript object prototypes, leading to potenti...

CVE-2025-31475

CVE-2025-31475 affects tarteaucitron.js (prior to 1.20.1). The addOrUpdate function did not properly validate inputs, allowing an attacker with access to source or CMS plugins to perform prototype pollution, potentially modifying core JavaScript behavior, causing data corruption, crashes, or unin...

CVE-2025-31475 tarteaucitron.js allows prototype pollution via custom text injection

tarteaucitron.js is a compliant and accessible cookie banner. A vulnerability was identified in tarteaucitron.js prior to 1.20.1, where the addOrUpdate function, used for applying custom texts, did not properly validate input. This allowed an attacker with direct access to the site's source code ...

CVE-2023-6701

The Advanced Custom Fields ACF plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a custom text field in all versions up to, and including, 6.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-lev...

How to add custom text or a disclaimer to a login schema

How to add a custom text / Disclaimer to the XML file of a login schema...

KeePass Exploit Allows Attackers to Recover Master Passwords from Memory

A proof-of-concept PoC has been made available for a security flaw impacting the KeePass password manager that could be exploited to recover a victim's master password in cleartext under specific circumstances. The issue, tracked as CVE-2023-32784, impacts KeePass versions 2.x for Windows, Linux,...

CVE-2022-1326

The Form - Contact Form WordPress plugin through 1.2.0 does not sanitize and escape Custom text fields, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed...

WordPress Form Maker By 10Web跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. WordPress plugin is an application plugin. WordPress Form Maker By 10Web is vulnerable to a cross-site scripting vulnerability that stems from...

CVE-2022-1564

The Form Maker by 10Web WordPress plugin before 1.14.12 does not sanitize and escape the Custom Text settings, which could allow high privilege user such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed...