115 matches found
CVE-2026-11591
The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 13.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level...
CVE-2026-11591
The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 13.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level...
EUVD-2026-43155
The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 13.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level...
CVE-2026-8595
A user with Editor permissions can craft a dashboard whose table TableNG panel contains a malicious field name that executes as a script in the browser of any user who views the dashboard stored cross-site scripting...
CVE-2026-8595 Stored XSS in the table panel (TableNG)
A user with Editor permissions can craft a dashboard whose table TableNG panel contains a malicious field name that executes as a script in the browser of any user who views the dashboard stored cross-site scripting...
CVE-2026-8595
CVE-2026-8595 describes a stored XSS in Grafana's TableNG panel. An Editor can craft a dashboard with a malicious field name, causing script execution in the browser for any viewer of that dashboard. Affected component: the TableNG panel in dashboards. Root cause: stored cross-site scripting via ...
EUVD-2026-42922
A user with Editor permissions can craft a dashboard whose table TableNG panel contains a malicious field name that executes as a script in the browser of any user who views the dashboard stored cross-site scripting...
CVE-2026-8595 Stored XSS in the table panel (TableNG)
A user with Editor permissions can craft a dashboard whose table TableNG panel contains a malicious field name that executes as a script in the browser of any user who views the dashboard stored cross-site scripting...
CVE-2026-8595 Stored XSS in the table panel (TableNG)
A user with Editor permissions can craft a dashboard whose table TableNG panel contains a malicious field name that executes as a script in the browser of any user who views the dashboard stored cross-site scripting...
PT-2026-57211
Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description A user with Editor permissions can create a dashboard where the TableNG panel includes a malicious field name. This leads to stored cross-site scripting XSS, a...
CVE-2026-12399 Gutenverse <= 3.8.0 - Authenticated (Editor+) Stored Cross-Site Scripting via 'fonts[].font.font.value' Parameter
The Gutenverse – WordPress Blocks, Page Builder & Site Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
PT-2026-53053
Name of the Vulnerable Software and Affected Versions Gutenverse versions prior to 3.8.1 Description The Gutenverse – WordPress Blocks, Page Builder & Site Editor plugin for WordPress contains a Stored Cross-Site Scripting issue in the admin settings. This occurs due to insufficient input...
UBUNTU-CVE-2026-7186
Stored cross-site scripting in the URL dashboard widget in Checkmk 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions allows a user with dashboard editing permissions to store a URL with a dangerous URI scheme such as javascript: that executes scripts in other users' browsers when they view the...
CVE-2026-41518
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In versions 4.9.0 through 5.0.0, an authenticated user with project-editor permissions can store arbitrary HTML/JavaScript in the ChartDatasetConfig.legend field. The...
GHSA-2C5X-4JGF-88MJ NocoDB: SSRF Protection Bypass in Notification Webhook Plugins (Slack, Discord, Mattermost, Teams)
Summary The request-filtering-agent SSRF protection was non-functional in the four notification webhook plugins Slack, Discord, Mattermost, Teams because httpAgent / httpsAgent were passed as part of the request body rather than the axios config. An authenticated user with hook-creation permissio...
EUVD-2026-30137
Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations...
CVE-2026-28374
Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations...
UBUNTU-CVE-2026-28374
Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations...
CVE-2026-41195 mosparo: Rule package source URL stored SSRF enables internal HTTP probing
mosparo is the modern solution to protect your online forms from spam. Prior to 1.4.13, the automatic rule package source URL feature allows a project member with the editor role to store an attacker-controlled URL that the server later fetches. Because the server follows http/https redirects and...
mosparo 代码问题漏洞
Mosparo is a modern spam protection software developed under open source. Versions of Mosparo prior to 1.4.13 had code vulnerabilities. These vulnerabilities stemmed from the automatic rule package source URL feature, which allowed project members with editor roles to store URLs controlled by...