18857 matches found
EUVD-2026-43297
Certain devices in the WAGO System I/O Field series activate an internal diagnostic capability during the initial startup sequence. This functionality is not formally documented and becomes accessible without authentication for a brief period in the early boot phase. During this window, an...
CVE-2026-4769
The affected product family is WAGO System I/O Field series devices. The CVE describes an undocumented internal diagnostic capability that activates during the initial startup sequence and remains accessible without authentication for a brief window in the early boot phase. During this window, an...
CVE-2026-12081
The CVE-2026-12081 entry concerns the WordPress plugin family “Database for Contact Form 7, WPforms, Elementor forms,” affected in versions before 1.5.2. The issue arises from not restricting PHP classes during unserialization of attacker-supplied form-field values, which enables unauthenticated ...
WebTareas 2.4p5 - Cross-Site Scripting
webtareas 2.4p5 was discovered to contain a cross-site scripting XSS vulnerability in the component /clients/listclients.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. id: CVE-2022-44957 info: name: WebTareas...
Rukovoditel <= 3.2.1 - Cross Site Scripting
Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting XSS vulnerability in /index.php?module=configuration/application. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Copyright Text field after clicking...
Django RasterField - SQL Injection
Django 6.0.2, 5.2.11, and 4.2.28 contains a SQL injection caused by improper sanitization of the band index parameter in RasterField on PostGIS, letting remote attackers inject SQL, exploit requires crafted input. id: CVE-2026-1207 info: name: Django RasterField - SQL Injection author: omarkurt...
XWiki - HQL Injection
XWiki is vulnerable to Hibernate Query Language HQL injection in the wiki and space search REST API starting in version 4.3-milestone-1 and prior to versions 16.10.9, 17.4.2, and 17.5.0. The vulnerability allows attackers to inject malicious HQL queries through the orderField parameter, potential...
Custom Field Manager WordPress - Cross-Site Scripting
Custom Field Manager WordPress plugin through 1.0 contains a reflected XSS caused by unsanitized and unescaped parameter output, letting attackers execute scripts against high privilege users such as admin, exploit requires crafted request. id: CVE-2024-12873 info: name: Custom Field Manager...
Advanced Custom Fields < 6.1.6 - Cross-Site Scripting
Advanced Custom Fields beofre 6.1.6 is susceptible to cross-site scripting via the poststatus parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow th...
EUVD-2026-43147
The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Contact Form 7 Form Field in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers ...
CVE-2026-15096
The CVE concerns the Themify Builder WordPress plugin. A Stored Cross-Site Scripting (XSS) flaw exists in the Map Module’s b_width_map field across all versions up to 7.7.6, caused by insufficient input sanitization and output escaping. Authenticated attackers with contributor-level access or hig...
EUVD-2026-43132
The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'heightslider' Slider Module Field in all versions up to, and including, 7.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
EUVD-2026-43053
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Flag attendance field allows Object Injection. This issue affects Flag attendance field versions: from 0.0.0 to 1.2...
EUVD-2026-43066
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Drupal Geolocation Field allows SQL Injection. This issue affects Geolocation Field versions: from 0.0.0 to 3.15.0...
EUVD-2026-43051
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Formatter Field allows Object Injection. This issue affects Formatter Field versions: from 0.0.0 to 2.0.0...
PT-2026-57391
Name of the Vulnerable Software and Affected Versions Themify Builder versions prior to 7.7.7 Description Insufficient input sanitization and output escaping in the Map Module allow authenticated attackers with contributor-level access and above to perform Stored Cross-Site Scripting. This is...
PT-2026-57392
Name of the Vulnerable Software and Affected Versions Themify Builder versions prior to 7.7.7 Description Stored Cross-Site Scripting occurs due to insufficient input sanitization and output escaping. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts...
CVE-2026-13242
Summary: CVE-2026-13242 is an SQL Injection vulnerability in the Drupal Geolocation Field module. The flaw arises from improper neutralization of user-supplied values in a view filter, enabling injection when exposed to input. Affected versions are 0.0.0 through 3.15.0 of Geolocation Field. Conne...
CVE-2026-55809
The CVE-2026-55809 entry concerns Drupal’s Flag attendance field module. The root cause is an object injection vulnerability caused by handling PHP-serialized data stored in the flag_attendance_field, which can lead to PHP object injection when data are unserialized. Affected versions are Flag at...
CVE-2026-12535
The CVE-2026-12535 entry concerns Drupal’s Formatter Field module, affected versions 0.0.0–2.0.0. The vulnerability arises from PHP-serialized data stored in the formatter_field field, which can be written maliciously and later unserialized, enabling Object Injection. Exploitation requires the at...