EUVD-2020-31237

WordPress Theme Wibar 1.1.8 contains a stored cross-site scripting vulnerability in the Brand component that allows authenticated users to inject malicious scripts by manipulating the Logo URL parameter. Attackers with editor, administrator, contributor, or author privileges can inject...

CVE-2026-46361

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in search.twig where result.question and result.answerPreview are rendered with the raw filter, disabling autoescape protection. Attackers with FAQ editor privileges can inject HTML-entity-encoded payloads that bypass...

CVE-2026-45616

Vvveb CMS contains a stored XSS in Posts that can lead to privilege escalation via the post editor. Affected before 1.0.8.3; fixed in 1.0.8.3. CVE-2026-45616. Exploitation details are not provided in the documents; CIRCL notes a published PoC on Telegram.

CVE-2026-45616 Vvveb: Stored XSS in Posts allows privilege escalation via post editor

Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, This vulnerability is fixed in 1.0.8.3...

CVE-2026-45616 Vvveb: Stored XSS in Posts allows privilege escalation via post editor

Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, This vulnerability is fixed in 1.0.8.3...

CVE-2026-46361

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in search.twig where result.question and result.answerPreview are rendered with the raw filter, disabling autoescape protection. Attackers with FAQ editor privileges can inject HTML-entity-encoded payloads that bypass...

CVE-2026-46361 phpMyFAQ - Stored Cross-Site Scripting via raw Filter in search.twig

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in search.twig where result.question and result.answerPreview are rendered with the raw filter, disabling autoescape protection. Attackers with FAQ editor privileges can inject HTML-entity-encoded payloads that bypass...

CVE-2026-46361 phpMyFAQ - Stored Cross-Site Scripting via raw Filter in search.twig

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in search.twig where result.question and result.answerPreview are rendered with the raw filter, disabling autoescape protection. Attackers with FAQ editor privileges can inject HTML-entity-encoded payloads that bypass...

CVE-2026-46360

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in SvgSanitizer::decodeAllEntities that limits recursive entity decoding to 5 iterations, allowing attackers to bypass sanitization. Authenticated users with FAQEDIT permission can upload malicious SVG files with deeply...

GHSA-6WXC-8MGQ-W26M Weblate: Stored HTML injection in editor search preview

Impact Weblate's live search preview renders unit source and context as HTML without escaping. Any contributor whose content reaches those fields stores HTML and CSS that runs inside the authenticated editor of every user who runs a matching search. Patches...

Cross-site Scripting (XSS)

Overview weblate is an A web-based continuous localization system with tight version control integration Affected versions of this package are vulnerable to Cross-site Scripting XSS in the search preview process. An attacker can execute arbitrary HTML or CSS in the authenticated editor interface ...

Weblate: Stored HTML injection in editor search preview

Impact Weblate's live search preview renders unit source and context as HTML without escaping. Any contributor whose content reaches those fields stores HTML and CSS that runs inside the authenticated editor of every user who runs a matching search. Patches...

CVE-2026-46483

Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tarVimuntar in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescapetartail without the...

CVE-2026-46483

Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tarVimuntar in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescapetartail without the...

CVE-2026-46483

Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tarVimuntar in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescapetartail without the...

OESA-2026-2297 vim security update

Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems. Securi...

BIT-GRAFANA-2026-33377 Dashboard Import Overwrites ACL — Editor Privilege Escalation to Dashboard Admin

An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege...

BIT-GRAFANA-2026-28380 BAC in Snapshot API allows deletion of unauthorized dashboard snapshots

Any Editor could delete any snapshot, even if they have no access to read or write them...

BIT-GRAFANA-2026-28374 IDOR in Annotations API allows unprivileged users to DELETE annotation

Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations...

CVE-2026-45708

CubeCart is an ecommerce software solution. Prior to 6.7.3, an admin with documents edit permission can save raw into the Invoice Editor. The next time any admin clicks Print on any order, the rendered template is written to files/print..php. files/.htaccess ships an explicit allow from all...