CVE-2026-3495
Mattermost versions 11.5.x <= 11.5.1 and 10.11.x <= 10.11.13 fail to escape some variables that could contain malicious content during error page composition, which allows an attacker with access to edit some site configuration to execute some malicious code via injecting some JS as part of those...
CVE-2026-26202
Penpot before 2.13.2 is affected by an authenticated arbitrary-file-read via the create-font-variant RPC endpoint: supplying a local path as font data causes the server to store the file contents as a font asset. Any authenticated user with team edit permissions can read files accessible to the P...
CVE-2025-11440 JhumanJ OpnForm edit access control
A vulnerability was determined in JhumanJ OpnForm up to 1.9.3. An unknown function of the file /edit is affected. Manipulation can lead to improper access controls. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. This patch is called...
EUVD-2017-1255
Malware in sbrugna...
EUVD-2017-1256
Malware in sbrugna...
EUVD-2023-2808
Malicious code in bioql PyPI...
EUVD-2023-1195
Malicious code in bioql PyPI...
EUVD-2022-2053
Malicious code in bioql PyPI...
CVE-2023-29510
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki, every user can add translations that are only applied to the current user. This also allows overriding existing translations. Such translations are often included in privileged...
CVE-2023-37910
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting with the introduction of attachment move support in version 14.0-rc-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, an attacker with edit access on any document can be the use...
CVE-2022-29547
The CreateRedirect extension before 2022-04-14 for MediaWiki does not properly check whether the user has permissions to edit the target page. This could lead to an unauthorised or blocked user being able to edit a page...
DRUPAL-CONTRIB-2025-051
This module enables you to add a filter to the Full HTML and Filtered HTML text formats which removes every iframe whose "src" is not on the allowlist. The module doesn't sufficiently filter these iframes in certain situations. This vulnerability is mitigated by the fact that an attacker must b...
Cross-site Scripting (XSS)
Overview: drupal/core is an open source content management platform powering millions of websites and applications. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via a Link field. An attacker with edit access via core web services, or a contrib or custom module...
DRUPAL-CORE-2025-004
Drupal core Link field attributes are not sufficiently sanitized, which can lead to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker would need to have the ability to add specific attributes to a Link field, which typically requires edit acce...
DRUPAL-CONTRIB-2025-025
This module can be used to render Open API documentation using the RapiDoc library. The module provides a custom formatter for link fields. Drupal core does not sufficiently sanitize link element attributes, which can lead to a Cross Site Scripting (XSS) vulnerability. A separate fix for Drupal cor...
Link field display mode formatter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-024
This module adds a formatter for link fields that displays the current entity with another view mode inside the link. Drupal core does not sufficiently sanitize link element attributes, which can lead to a Cross Site Scripting (XSS) vulnerability. A separate fix for Drupal core has been released bu...
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2025-004
Drupal core Link field attributes are not sufficiently sanitized, which can lead to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker would need to have the ability to add specific attributes to a Link field, which typically requires edit acce...
Formatter Suite - Moderately critical - Cross site scripting - SA-CONTRIB-2025-026
Formatter Suite provides a suite of field formatters to help present numbers, dates, times, text, links, entity references, files, and images. The module provides a custom formatter for link fields. Drupal core does not sufficiently sanitize link element attributes, which can lead to a Cross Site...
PT-2024-37429 · WordPress · Unlimited Elements For Elementor
Name of the Vulnerable Software and Affected Versions: The Unlimited Elements For Elementor plugin, versions up to and including 1.5.112.
Description: The issue is Stored Cross-Site Scripting via the username parameter, due to insufficient input sanitization and output escaping. This...