24 matches found
EUVD-2026-11750
wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability in the customCss field that allows administrators to inject malicious scripts by breaking out of style tags. Attackers with admin access can inject payloads like alert1 in the custom CSS setting to execute arbitrary JavaScript i...
EUVD-2026-11743
wpDiscuz before 7.6.47 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by importing a crafted options file with unescaped customCss field values. Attackers can supply a malicious JSON import file containing script payloads in...
CVE-2026-22209
wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability in the customCss field that allows administrators to inject malicious scripts by breaking out of style tags. Attackers with admin access can inject payloads like alert1 in the custom CSS setting to execute arbitrary JavaScript i...
CVE-2026-22192
Voltronic Power SNMP Web Pro version 1.1 contains an authentication bypass vulnerability that allows unauthenticated attackers to access privileged management functions by manipulating browser localStorage values. Attackers can modify client-side authentication state to bypass server-side access...
CVE-2026-22192 Voltronic Power SNMP Web Pro 1.1 Authentication Bypass via localStorage
Voltronic Power SNMP Web Pro version 1.1 contains an authentication bypass vulnerability that allows unauthenticated attackers to access privileged management functions by manipulating browser localStorage values. Attackers can modify client-side authentication state to bypass server-side access...
CVE-2026-22192
Technical details are not publicly available in the provided documents. Monitor for updates.
PT-2026-25145
Name of the Vulnerable Software and Affected Versions: thingino-firmware versions prior to commit e3f6a41; wpDiscuz versions prior to 7.6.47. Description: thingino-firmware contains an unauthenticated operating system command injection issue in the WiFi captive portal CGI script. This allows remote...
Invision Community 5.0.6 customCss Expression Injection
Invision Community version 5.0.6 customCss expression injection proof of concept exploit written in PHP. | Title : Invision Community 5.0.6 customCss...
Exploit for Improper Neutralization of Special Elements Used in a Template Engine in Invisioncommunity
CVE-2025-47916 - Invision Community Remote Code Execution RCE...
EUVD-2021-11503
Malware in sbrugna...
EUVD-2022-15832
Malicious code in bioql PyPI...
CVE-2021-24591
The Highlight WordPress plugin before 0.9.3 does not sanitise its CustomCSS setting, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed...
Invision Community 5.0.6 CustomCss Remote Code Execution
Invision Community versions 5.0.6 and below contain a remote code execution vulnerability in the theme editor's customCss endpoint. By crafting a specially formatted content parameter with an expression="…" construct, arbitrary PHP can be evaluated. This Metasploit module leverages that flaw to...
Invision Community 5.0.6 customCss RCE
Invision Community up to and including version 5.0.6 contains a remote code execution vulnerability in the theme editor's customCss endpoint. By crafting a specially formatted content parameter with an expression="..." construct, arbitrary PHP can be evaluated. This module leverages that flaw to...
Invision Community 5.0.6 Remote Code Execution
Invision Community versions 5.0.0 through 5.0.6 suffer from a customCss related remote code execution vulnerability. Invision Community <= 5.0.6 customCss Remote Code Execution Vulnerability...
CVE-2022-0780
The SearchIQ WordPress plugin before 3.9 contains a flag to disable the verification of CSRF nonces, granting unauthenticated attackers access to the siqajax AJAX action and allowing them to perform Cross-Site Scripting attacks due to the lack of sanitisation and escaping in the customCss paramet...
WordPress plugin cross-site scripting vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform supports personal blogging sites on PHP and MySQL servers. WordPress plugin is an application plugin. WordPress SearchIQ plugin has...