ChurchCRM 安全漏洞

ChurchCRM is an open-source CRM system developed for churches. Versions of ChurchCRM prior to 7.3.2 contained security vulnerabilities. These vulnerabilities stemmed from the lack of validation of the CSRF token in the UserEditor.php file, which could allow unauthenticated attackers to gain...

mosparo 代码问题漏洞

Mosparo is a modern spam protection software developed under open source. Versions of Mosparo prior to 1.4.13 had code vulnerabilities. These vulnerabilities stemmed from the automatic rule package source URL feature, which allowed project members with editor roles to store URLs controlled by...

PT-2026-40013

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in RealMag777 BEAR woo-bulk-editor allows Blind SQL Injection.This issue affects BEAR: from n/a through = 1.1.7.1...

@afidos/nestjs-event-notifications (>=2.2.1 <=2.2.2), @getnuvo/importer-react (>=3.3.0 <=3.6.2) +20 more potentially affected by CVE-2026-43898 via @nyariv/sandboxjs (>=0.5.3 <=0.8.36)

@nyariv/sandboxjs NPM version =0.5.3, =2.2.1, =3.3.0, =4.0.1, =0.0.12, =2.1.6, =2.1.6, =1.0.5, =1.0.6, =2.1.6, =2.1.6, =2.15.0, =0.2.0, =0.2.2 and more Source cves: CVE-2026-43898 Source advisory: SNYK:JS-NYARIVSANDBOXJS-16642341...

CVE-2026-44738

Technical details are not publicly available in the provided documents. Monitor for updates from authoritative sources for affected software, version, and remediation.

CVE-2026-44738 Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray()

Grav is a file-based Web platform. Prior to 2.0.0-rc.2, the Twig sandbox allow-list permits any user with the admin.pages role to call config.toArray from within a page body, dumping the entire merged site configuration — including all plugin secrets SMTP passwords, AWS keys, OAuth client secrets...

CVE-2026-44738 Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray()

Grav is a file-based Web platform. Prior to 2.0.0-rc.2, the Twig sandbox allow-list permits any user with the admin.pages role to call config.toArray from within a page body, dumping the entire merged site configuration — including all plugin secrets SMTP passwords, AWS keys, OAuth client secrets...

CVE-2026-42841 Grav: Stored XSS via Markdown media attribute() action in Grav CMS

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with page editing permissions can inject an executable JavaScript event-handler attribute into rendered image HTML through Grav's Markdown media action syntax. The issue is caused by Markdown image query parameters...

CVE-2026-42841

Grav CMS stores image attributes via Markdown media action parameters. Before 2.0.0-beta.2, an authenticated page editor could inject a JavaScript event handler by calling attribute(name, value) through image query parameters (e.g., ?attribute=onload,alert(...)). The attack results in a stored XS...

SUSE CVE-2026-42307

Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL e.g., using the sftp:// or file:// protocol handlers, an attacker can execute arbitrary...

EUVD-2022-55972

WordPress Plugin Testimonial Slider and Showcase 2.2.6 contains a stored cross-site scripting vulnerability that allows authenticated editors to inject malicious scripts by failing to sanitize the posttitle parameter. Attackers with editor privileges can inject JavaScript payloads through the...

EUVD-2021-34793

Exponent CMS 2.6 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the Title and Text Block parameters in the text editing endpoint. Attackers can inject iframe payloads with embedded SVG onload events to execute arbitrary...

CVE-2022-50946

WordPress Plugin Netroics Blog Posts Grid 1.0 contains a stored cross-site scripting vulnerability that allows authenticated editors to inject malicious scripts by failing to sanitize the posttitle parameter. Attackers with editor privileges can inject script payloads through the testimonial titl...

CVE-2021-47931

Exponent CMS 2.6 is affected by a stored cross-site scripting (XSS) vulnerability in the text editing endpoint, exploitable via Title and Text Block parameters. Attackers with authentication can inject scripts (e.g., iframe payloads with embedded SVG onload events) to run arbitrary JavaScript. Th...

CVE-2022-50947

The CVE-2022-50947 entry concerns WordPress Plugin Testimonial Slider and Showcase version 2.2.6. A stored XSS vulnerability exists in the post_title field due to insufficient sanitization, exploitable by authenticated editors with low privileges. Attackers with editor rights can inject JavaScrip...

CVE-2022-50946 WordPress Plugin Netroics Blog Posts Grid 1.0 Stored XSS

WordPress Plugin Netroics Blog Posts Grid 1.0 contains a stored cross-site scripting vulnerability that allows authenticated editors to inject malicious scripts by failing to sanitize the posttitle parameter. Attackers with editor privileges can inject script payloads through the testimonial titl...

CVE-2022-50946

WordPress Plugin Netroics Blog Posts Grid 1.0 contains a stored cross-site scripting vulnerability that allows authenticated editors to inject malicious scripts by failing to sanitize the posttitle parameter. Attackers with editor privileges can inject script payloads through the testimonial titl...

PT-2026-39476

WordPress Plugin Testimonial Slider and Showcase 2.2.6 contains a stored cross-site scripting vulnerability that allows authenticated editors to inject malicious scripts by failing to sanitize the post title parameter. Attackers with editor privileges can inject JavaScript payloads through the...

PT-2026-39475

WordPress Plugin Netroics Blog Posts Grid 1.0 contains a stored cross-site scripting vulnerability that allows authenticated editors to inject malicious scripts by failing to sanitize the post title parameter. Attackers with editor privileges can inject script payloads through the testimonial tit...

OESA-2026-2204 vim security update

Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems. Securi...