14 matches found

RedhatCVE
added 2026/03/27 10:51 p.m., 2 views

CVE-2026-33738

Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo description field is stored without HTML sanitization and rendered using !! $item-summary !! Blade unescaped output in the RSS, Atom, and JSON feed templates. The /feed endpoint is publicly accessible without...

CVSS 5.4, AI score 6, EPSS 0.00077
Exploits: 1, References: 1
NVD
added 2026/03/26 9:17 p.m., 2 views

CVE-2026-33738

Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo description field is stored without HTML sanitization and rendered using !! $item-summary !! Blade unescaped output in the RSS, Atom, and JSON feed templates. The /feed endpoint is publicly accessible without...

CVSS 5.4, EPSS 0.00077
Exploits: 1, References: 4
OSV
added 2026/03/26 8:25 p.m., 1 view

CVE-2026-33738 Lychee Vulnerable to Stored XSS via Photo Description in RSS/Atom/JSON Feed (No Sanitization on Public Endpoint)

Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo description field is stored without HTML sanitization and rendered using !! $item-summary !! Blade unescaped output in the RSS, Atom, and JSON feed templates. The /feed endpoint is publicly accessible without...

CVSS 4.8, AI score 6, EPSS 0.00077
Exploits: 1, References: 6
ATTACKERKB
added 2026/03/26 8:25 p.m., 3 views

CVE-2026-33738

Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo description field is stored without HTML sanitization and rendered using !! $item-summary !! Blade unescaped output in the RSS, Atom, and JSON feed templates. The /feed endpoint is publicly accessible without...

CVSS 4.8, AI score 5.9, EPSS 0.00077
Exploits: 1, References: 5, Affected Software: 1
Positive Technologies
added 2026/03/26 12:00 a.m., 1 view

PT-2026-28519

Name of the Vulnerable Software and Affected Versions Lychee versions prior to 7.5.3 Description Lychee is a free, open-source photo-management tool. Before version 7.5.3, the photo description field was stored without HTML sanitization and rendered using !! $item-summary !! Blade unescaped outpu...

CVSS 4.8, AI score 6, EPSS 0.00077
Exploits: 1, References: 6
CNVD
added 2026/03/11 12:00 a.m., 2 views

WordPress Plugin wpForo Forum Information Disclosure Vulnerability

WordPress is a blogging platform developed using the PHP language. The platform has the ability to set up a personal blog site on a PHP and MySQL based server. WordPress plugin is an application plugin. An information disclosure vulnerability exists in the WordPress plugin wpForo Forum, which stem...

CVSS 6.9, AI score 5.7, EPSS 0.00069
Exploits: 0, References: 1
OSV
added 2026/03/04 8:58 p.m., 0 views

GHSA-8WHX-V8QQ-PQ64 changedetection.io has Reflected XSS in its RSS Tag Error Response

A reflected cross-site scripting XSS vulnerability was identified in the /rss/tag/ endpoint of changedetection.io. The taguuid path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser...

CVSS 6.1, AI score 5.8, EPSS 0.0002
Exploits: 1, References: 6
OSV
added 2026/02/25 7:07 p.m., 3 views

GHSA-MW8M-398G-H89W changedetection.io Vulnerable to Reflected XSS in RSS Single Watch Error Response

Summary Three security vulnerabilities were identified in changedetection.io through source code review and live validation against a locally deployed Docker instance. All vulnerabilities were confirmed exploitable on the latest version 0.53.6 it was additionally validated at scale against 500...

CVSS 6.1, AI score 5.8, EPSS 0.00715
Exploits: 1, References: 4
CNNVD
added 2026/02/25 12:00 a.m., 3 views

changedetection.io Security Vulnerability

changedetection.io is a website monitoring and notification application developed by dgtlmoon. Versions of changedetection.io prior to 0.54.1 contained a security vulnerability. This vulnerability stemmed from the RSS monitoring endpoint not properly escaping the UUID path parameter in HTML, whic...

CVSS 6.1, AI score 5.7, EPSS 0.00715
Exploits: 1, References: 2
OSV
added 2026/01/30 11:16 p.m., 1 view

CVE-2020-37051

Online-Exam-System 2015 contains a time-based blind SQL injection vulnerability in the feedback form that allows attackers to extract database password hashes. Attackers can exploit the 'feed.php' endpoint by crafting malicious payload requests that use time delays to systematically enumerate use...

CVSS 5.3, AI score 5.8
Exploits: 0, References: 3
NVD
added 2026/01/30 11:16 p.m., 4 views

CVE-2020-37051

Online-Exam-System 2015 contains a time-based blind SQL injection vulnerability in the feedback form that allows attackers to extract database password hashes. Attackers can exploit the 'feed.php' endpoint by crafting malicious payload requests that use time delays to systematically enumerate use...

CVSS 8.8, EPSS 0.00018
Exploits: 1, References: 3
Vulnrichment
added 2026/01/30 10:07 p.m., 2 views

CVE-2020-37051 Online-Exam-System 2015 - 'feedback' SQL Injection

Online-Exam-System 2015 contains a time-based blind SQL injection vulnerability in the feedback form that allows attackers to extract database password hashes. Attackers can exploit the 'feed.php' endpoint by crafting malicious payload requests that use time delays to systematically enumerate use...

CVSS 8.8, AI score 5.6, EPSS 0.00018
Exploits: 1, References: 3
Positive Technologies
added 2026/01/30 12:00 a.m., 3 views

PT-2026-5488

Name of the Vulnerable Software and Affected Versions Online-Exam-System version 2015 Description The software contains a time-based blind SQL injection issue in the feedback form. This allows attackers to extract database password hashes. The issue is exploitable through the 'feed.php' endpoint ...

CVSS 8.8, AI score 5.5, EPSS 0.00018
Exploits: 1, References: 6
RedhatCVE
added 2025/05/23 3:00 a.m., 1 view

CVE-2023-1613

A vulnerability has been found in Rebuild up to 3.2.3 and classified as problematic. This vulnerability affects unknown code of the file /feeds/post/publish. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may ...

CVSS 6.1, AI score 5.8, EPSS 0.00341
Exploits: 0, References: 1