33 matches found
CVE-2026-48947
An improper access check allows privileged users to overwrite media files without editing permissions...
CVE-2026-48947 Joomla! Core - [20260701] - Incorrect Access Control in com_media webservice endpoints
An improper access check allows privileged users to overwrite media files without editing permissions...
CVE-2026-48947
An improper access check allows privileged users to overwrite media files without editing permissions...
EUVD-2026-42069
An improper access check allows privileged users to overwrite media files without editing permissions...
PT-2026-56220
Name of the Vulnerable Software and Affected Versions Joomla! Core affected versions not specified Description An improper access check in the com media webservice endpoints allows privileged users to overwrite media files even if they lack the necessary editing permissions. Recommendations At th...
CVE-2026-7186 Fix stored XSS in URL dashboard widget via dangerous URI schemes
Stored cross-site scripting in the URL dashboard widget in Checkmk 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions allows a user with dashboard editing permissions to store a URL with a dangerous URI scheme such as javascript: that executes scripts in other users' browsers when they view the...
PT-2026-47284
Stored cross-site scripting in the URL dashboard widget in Checkmk 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions allows a user with dashboard editing permissions to store a URL with a dangerous URI scheme such as javascript: that executes scripts in other users' browsers when they view the...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the Projects component when displaying project tags and popovers in administrative detail views due to improper sanitization of user-supplied project names. An attacker can execute arbitrary scripts in the...
EUVD-2026-22357
October Rain has a Twig Sandbox Bypass via Collection Methods...
GHSA-M5QG-JC75-4JP6 October Rain has a Twig Sandbox Bypass via Collection Methods
A sandbox bypass vulnerability was identified in the optional Twig safe mode feature CMSSAFEMODE. Certain methods on the collect helper were not properly restricted, allowing authenticated users with template editing permissions to bypass sandbox protections. Impact - Bypass of Twig sandbox...
October Rain has a Twig Sandbox Bypass via Collection Methods
A sandbox bypass vulnerability was identified in the optional Twig safe mode feature CMSSAFEMODE. Certain methods on the collect helper were not properly restricted, allowing authenticated users with template editing permissions to bypass sandbox protections. Impact - Bypass of Twig sandbox...
Protection Mechanism Failure
Overview Affected versions of this package are vulnerable to Protection Mechanism Failure in the collect process. An attacker can gain unauthorized access to restricted template functionality by leveraging insufficient sandbox restrictions when authenticated with backend access and template editi...
BIT-DISCOURSE-2026-33426 Discourse users can edit or synonymize hidden tags they can't see
Discourse is an open-source discussion platform. Prior to versions 2026.3.0, 2026.2.1, and 2026.1.2, users with tag-editing permissions could edit and create synonyms for tags hidden in restricted tag groups, even if they lacked visibility into those tags. Versions 2026.3.0, 2026.2.1, and 2026.1....
CVE-2026-29176 Craft Commerce has Stored XSS in Inventory Location Name
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, A stored XSS vulnerability exists in the Commerce Settings - Inventory Locations page. The Name field is rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript. This XSS triggers when an...
CVE-2021-47788
WebsiteBaker 2.13.0 contains an authenticated remote code execution vulnerability that allows users with language editing permissions to execute arbitrary code. Attackers can exploit the language installation endpoint by manipulating language installation parameters to achieve remote code executi...
EUVD-2018-10822
Malware in sbrugna...
EUVD-2024-47762
Malicious code in bioql PyPI...
CVE-2025-55729 XWiki Remote Macros vulnerable to remote code execution using the ConfluenceLayoutSection macro
XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the ac:type in the ConfluenceLayoutSection macro allows remote code execution for any user who can edit any page The...
PT-2025-33271
Name of the Vulnerable Software and Affected Versions: Apache Superset versions prior to 5.0.0 Description: A stored Cross-Site Scripting XSS issue exists in the chart visualization feature. An authenticated user with chart editing permissions can inject a malicious payload into a column's label...
ezsystems/ezplatform-richtext allows access to external entities in XML
Impact This security advisory resolves a vulnerability in the RichText field type. By entering a maliciously crafted input into the RichText XML, an attacker could perform an attack using XML external entity XXE injection, which might be able to read files on the server. To exploit this...