319 matches found
CVE-2026-12761 miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) <= 7.7.0 - Unauthenticated Authentication Bypass to Administrator Account Takeover via Profile Completion OTP Flow
The miniOrange Social Login and Register Discord, Google, Twitter, LinkedIn plugin for WordPress is vulnerable to authentication bypass leading to account takeover in versions up to and including 7.7.0. This is due to the Profile Completion flow accepting an arbitrary email address via the...
CVE-2026-6820
CVE-2026-6820: The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the email parameter in all versions up to 1.8.8 due to insufficient input sanitization and output escaping. Unauthenticated attackers can inject arbitrary web scripts in ...
CVE-2026-13567
A security flaw has been discovered in code-projects Online Music Site 1.0. This affects an unknown part of the file /Frontend/Feedback.php of the component POST Request Handler. The manipulation of the argument fname/femail/faddress/fmessage results in cross site scripting. The attack may be...
EUVD-2026-40082
A security flaw has been discovered in code-projects Online Music Site 1.0. This affects an unknown part of the file /Frontend/Feedback.php of the component POST Request Handler. The manipulation of the argument fname/femail/faddress/fmessage results in cross site scripting. The attack may be...
EUVD-2026-38634
FlatPress versions prior to commit 10be83c, contains a stored cross-site scripting vulnerability in comment and contact forms where name, URL, and email fields are rendered without proper output encoding in Smarty templates. Attackers can inject arbitrary HTML and JavaScript through these fields ...
CVE-2026-56785 FlatPress - Stored Cross-Site Scripting via Unescaped Comment and Contact Form Fields
FlatPress contains a stored cross-site scripting vulnerability in comment and contact forms where name, URL, and email fields are rendered without proper output encoding in Smarty templates. Attackers can inject arbitrary HTML and JavaScript through these fields to execute malicious scripts in...
ERPNext 安全漏洞
ERPNext is a set of open-source enterprise resource planning solutions developed by the Indian company ERPNext. Version 16.16.0 of ERPNext contains a security vulnerability. This vulnerability allows authenticated users to persist arbitrary HTML/JavaScript in customer records’ email or mobile...
PT-2026-46044
Name of the Vulnerable Software and Affected Versions ERPNext version 16.16.0 Description An authenticated user can persist arbitrary HTML or JavaScript within the email id or mobile no fields of a Customer record. This leads to unescaped rendering in the Point of Sale POS interface for any...
CVE-2018-25372
MedDream PACS Server Premium 6.7.1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the email parameter. Attackers can submit crafted POST requests to the userSignup.php endpoint with SQL payloads ...
CVE-2018-25372 MedDream PACS Server Premium 6.7.1.1 SQL Injection via email
MedDream PACS Server Premium 6.7.1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the email parameter. Attackers can submit crafted POST requests to the userSignup.php endpoint with SQL payloads ...
CVE-2018-25372
CVE-2018-25372 : MedDream PACS Server Premium 6.7.1.1 contains an unauthenticated SQL injection in the email parameter of the userSignup.php endpoint. Crafting POST requests with SQL payloads can extract sensitive information from the backend MySQL database. The description explicitly states the ...
PT-2026-43224
MedDream PACS Server Premium 6.7.1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the email parameter. Attackers can submit crafted POST requests to the userSignup.php endpoint with SQL payloads ...
Flowise: Mass Assignment in PUT /api/v1/user Allows Authenticated Users to Override Password Hash and Bypass Password Change Verification
Summary A Mass Assignment vulnerability in the PUT /api/v1/user endpoint allows authenticated users to directly modify restricted user fields, including the credential password hash, bypassing the intended password change workflow. Because the endpoint forwards the entire request body to the...
CVE-2020-37240
Queue Management System 4.0.0 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through user creation fields. Attackers can insert JavaScript payloads in the First Name, Last Name, and Email fields during user creation, which...
CVE-2020-37240 Queue Management System 4.0.0 Stored XSS via Add User
Queue Management System 4.0.0 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through user creation fields. Attackers can insert JavaScript payloads in the First Name, Last Name, and Email fields during user creation, which...
CVE-2020-37240
CVE-2020-37240 affects Queue Management System 4.0.0 with a stored XSS flaw in the Add User workflow. Authenticated administrators can inject JavaScript via First Name, Last Name, or Email during user creation, with payloads executing on the User List page. CVSS-4.0 vector yields 5.1 (MEDIUM), an...
CVE-2020-37240 Queue Management System 4.0.0 Stored XSS via Add User
Queue Management System 4.0.0 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through user creation fields. Attackers can insert JavaScript payloads in the First Name, Last Name, and Email fields during user creation, which...
CVE-2025-64526
Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from ctx.request.body.email, including on routes whose body schema does not contain an email field...
PT-2026-41440
Queue Management System 4.0.0 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through user creation fields. Attackers can insert JavaScript payloads in the First Name, Last Name, and Email fields during user creation, which...
EUVD-2025-209860
Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from ctx.request.body.email, including on routes whose body schema does not contain an email field...