15586 matches found
WordPress Admin Font Editor <=1.8 - Cross-Site Scripting
WordPress Admin Font Editor 1.8 and before contains a reflected cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication...
WordPress Site Editor <=1.1.1 - Local File Inclusion
WordPress Site Editor through 1.1.1 allows remote attackers to retrieve arbitrary files via the ajaxpath parameter to editor/extensions/pagebuilder/includes/ajaxshortcodepattern.php. id: CVE-2018-7422 info: name: WordPress Site Editor =1.1.1 - Local File Inclusion author: LuskaBol,0x240x23elu...
LG Simple Editor <= v3.21.0 - Command Injection
LG Simple Editor readVideoInfo Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG Simple Editor. Authentication is not required to exploit this vulnerability. The specific flaw exists within t...
Moodle LTI module Reflected - Cross-Site Scripting
A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of user-supplied data in the LTI module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's brows...
EUVD-2026-43626
The AI Engine WordPress plugin before 3.5.5 does not sanitize a user-supplied filename before using it to write a downloaded file, allowing authenticated users with editor-level access to write attacker-controlled bytes to an arbitrary location on the server via path traversal...
CVE-2026-12511 AI Engine < 3.5.5 - Editor+ Arbitrary File Write via Path Traversal
The AI Engine WordPress plugin before 3.5.5 does not sanitize a user-supplied filename before using it to write a downloaded file, allowing authenticated users with editor-level access to write attacker-controlled bytes to an arbitrary location on the server via path traversal...
CVE-2026-12511
CVE-2026-12511 affects the AI Engine WordPress plugin prior to 3.5.5. The flaw occurs when a user-supplied filename used for a downloaded file is not sanitized, enabling authenticated users with editor-level access to perform path traversal and write attacker-controlled bytes to an arbitrary loca...
CVE-2026-59856
A flaw was found in Vim, an open-source command-line text editor. The PHP omni-completion script improperly handles specially crafted input. When a victim opens a malicious PHP file and invokes omni-completion, an unescaped class or trait name can be interpreted as Ex commands. This allows a remo...
CVE-2026-61952
Missing Authorization vulnerability in Jose Vega WooCommerce Bulk Edit Products – WP Sheet Editor woo-bulk-edit-products allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Bulk Edit Products – WP Sheet Editor: from n/a through = 1.8.21...
Arbitrary Command Execution
GitHub CLI is vulnerable to Arbitrary Command Execution. The vulnerability is due to insufficient validation of JupyterLab URLs returned by a Codespace, where attacker-controlled non-loopback URLs such as vscode:// are passed to VS Code, allowing malicious Codespaces to execute arbitrary commands...
CVE-2026-61952
Summary: CVE-2026-61952 affects the WordPress WooCommerce plugin “WooCommerce Bulk Edit Products – WP Sheet Editor” (versions up to and including 1.8.21). The issue is a broken access control due to missing authorization, enabling exploitation through insecure access control configurations. Affec...
CVE-2026-11591
The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 13.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level...
EUVD-2026-43155
The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 13.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level...
CVE-2026-12141
The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premiumtooltiptext' parameter in all versions up to, and including, 4.11.84 due to insufficient input sanitization and output escaping. This makes i...
CVE-2026-12141
The CVE-2026-12141 entry describes a Stored Cross-Site Scripting vulnerability in the Premium Addons for Elementor – Powerful Elementor Templates & Widgets WordPress plugin. Affected component: the premium_tooltip_text parameter; impact arises from insufficient input sanitization and output escap...
Joomla! JCE extension < 2.9.99.5 unauthenticated RCE
Joomla JCE editor extension contains an unrestricted file upload vulnerability caused by allowing unauthenticated users to create new editor profiles, letting attackers upload and execute PHP code remotely, exploit requires no authentication. id: CVE-2026-48907 info: name: Joomla! JCE extension...
CVE-2026-55659
Grist has a cross-site scripting (XSS) vulnerability (CVE-2026-55659) in server-rendered pages caused by embedding user-controlled values into the page and inline scripts without proper escaping. The issue affects pages where a document’s name/description is rendered and where the OAuth2 end-of-f...
CVE-2026-8595
A user with Editor permissions can craft a dashboard whose table TableNG panel contains a malicious field name that executes as a script in the browser of any user who views the dashboard stored cross-site scripting...
CVE-2026-8595 Stored XSS in the table panel (TableNG)
A user with Editor permissions can craft a dashboard whose table TableNG panel contains a malicious field name that executes as a script in the browser of any user who views the dashboard stored cross-site scripting...
CVE-2026-8595
CVE-2026-8595 describes a stored XSS in Grafana's TableNG panel. An Editor can craft a dashboard with a malicious field name, causing script execution in the browser for any viewer of that dashboard. Affected component: the TableNG panel in dashboards. Root cause: stored cross-site scripting via ...