19 matches found

Positive Technologies
added 2026/05/10 12:00 a.m., 7 views

PT-2026-39492

uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the tickets/manage module. The date created, date from, date to, and created at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET...

CVSS 6.1, AI score 5.7, EPSS 0.00042
Exploits: 0, References: 5
ATTACKERKB
added 2026/03/11 8:24 a.m., 6 views

CVE-2026-1454

The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.1 via form field submissions. This is due to insufficient input sanitization in the lfbleadsanitize function which omits certain...

CVSS 7.2, AI score 5.9, EPSS 0.0013
Exploits: 0, References: 5
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2016-1700

Malware in sbrugna...

CVSS 6.1, AI score 6.3, EPSS 0.0047
Exploits: 1, References: 3
EUVD
added 2025/10/07 12:30 a.m., 1 view

EUVD-2021-11352

Malware in sbrugna...

CVSS 4.8, AI score 5, EPSS 0.00186
Exploits: 2, References: 2
EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2022-39039

Malicious code in bioql PyPI...

CVSS 9.1, AI score 8.5, EPSS 0.0056
Exploits: 0, References: 1
RedhatCVE
added 2025/06/19 1:10 a.m., 4 views

CVE-2025-48993

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a malicious JavaScript payload can be executed via the Look and Feel formatting fields. Any user can update their Look and Feel Formatting input fields, but the web applicatio...

CVSS 5.3, AI score 5.5, EPSS 0.00128
Exploits: 0, References: 1
RedhatCVE
added 2025/05/22 7:22 p.m., 3 views

CVE-2021-24519

The VikRentCar Car Rental Management System WordPress plugin before 1.1.10 does not sanitise the 'Text Next to Icon' field when adding or editing a Characteristic, allowing high privilege users such as admin to place an XSS payload in it, leading to an authenticated Stored Cross-Site Scripting issue...

CVSS 4.8, AI score 5.1, EPSS 0.00379
Exploits: 2, References: 1
RedhatCVE
added 2025/05/22 7:20 p.m., 3 views

CVE-2021-24168

The Easy Contact Form Pro WordPress plugin before 1.1.1.9 did not properly sanitise text fields such as Email Subject, Email Recipient, etc. when creating or editing a form, leading to an authenticated author+ stored cross-site scripting issue. This could allow medium privilege accounts such a...

CVSS 5.4, AI score 5.2, EPSS 0.00332
Exploits: 1, References: 1
RedhatCVE
added 2025/05/22 6:24 p.m., 6 views

CVE-2021-24664

The School Management System – WPSchoolPress WordPress plugin before 2.1.17 sanitises some fields using sanitize_text_field but does not escape them before outputting them in attributes, resulting in Stored Cross-Site Scripting issues...

CVSS 4.8, AI score 6, EPSS 0.01366
Exploits: 4, References: 1
Drupal
added 2025/03/19 12:00 a.m., 8 views

Formatter Suite - Moderately critical - Cross site scripting - SA-CONTRIB-2025-026

Formatter Suite provides a suite of field formatters to help present numbers, dates, times, text, links, entity references, files, and images. The module provides a custom formatter for link fields. Drupal core does not sufficiently sanitize link element attributes, which can lead to a Cross Site...

CVSS 6.1, AI score 6.7, EPSS 0.00387
Exploits: 0, References: 2
OSV
added 2023/12/13 10:15 a.m., 0 views

CVE-2023-6720

A stored XSS vulnerability in Repox has been identified, which allows a local attacker to store a specially crafted JavaScript payload on the server, due to the lack of proper sanitisation of field elements, allowing the attacker to trigger the malicious payload when the application loads...

CVSS 5.4, AI score 5.7, EPSS 0.00061
Exploits: 0, References: 1
OSV
added 2023/11/06 9:15 p.m., 1 view

CVE-2023-5530

The Ninja Forms Contact Form WordPress plugin before 3.6.34 does not sanitize and escape its label fields, which could allow high privilege users such as admin to perform Stored XSS attacks. Only users with the unfiltered_html capability can perform this, and such users are already allowed to use ...

CVSS 4.8, AI score 5.8
Exploits: 0, References: 2
ATTACKERKB
added 2022/08/10 12:15 p.m., 3 views

CVE-2022-36323

Affected devices do not properly sanitize an input field. This could allow an authenticated remote attacker with administrative privileges to inject code or spawn a system root shell...

CVSS 9.1, AI score 5.9, EPSS 0.0056
Exploits: 0, References: 4
CVE
added 2021/03/15 9:35 p.m., 80 views

CVE-2021-20279

CVE-2021-20279 affects Moodle before versions 3.10.2, 3.9.5, 3.8.8, and 3.5.17, where the id number user profile field sanitization allows stored XSS. The vulnerability is a result of insufficient sanitization of the user profile ID field, enabling stored XSS attacks. The connected documents indi...

CVSS 5.4, AI score 5.1, EPSS 0.00436
Exploits: 0, References: 4, Affected Software: 1
Tenable Nessus
added 2015/07/20 12:00 a.m., 7 views

Fedora 22 : drupal7-migrate-2.8-1.fc22 (2015-11265)

7.x-2.8 See SA-CONTRIB-2015-130 Features and enhancements - Issue 2379289: migrate-import --update does not seem to work as expected, if map is not joinable, due to highwater field? - Issue 2403643: Migration::applyMappings unable to handle multifield subfields - Issue 2472045: Add language...

AI score 5.5
Exploits: 0, References: 4
OSV
added 2013/11/30 9:35 p.m., 5 views

MGASA-2013-0359 Updated drupal package fixes security vulnerabilities

Drupal's form API has built-in cross-site request forgery (CSRF) validation, and also allows any module to perform its own validation on the form. In certain common cases, form validation functions may execute unsafe operations (CVE-2013-6385). Drupal core directly used the mt_rand pseudorandom number...

CVSS 6.8, AI score 5.7, EPSS 0.02471
Exploits: 0, References: 4
Packet Storm
added 2009/12/15 12:00 a.m., 17 views

WSCreator 1.1 Blind SQL Injection

WSCreator 1.1 Blind SQL Injection Name WSCreator Vendor http://www.wscreator.com Versions Affected 1.1 Author Salvatore Fresta aka Drosophila Website http://www.salvatorefresta.net Contact salvatorefresta at gmail dot com Date 2009-12-15 X. INDEX I. ABOUT THE APPLICATION II. DESCRIPTION III...

AI score 0.3
Exploits: 0
securityvulns
added 2004/06/18 12:00 a.m., 51 views

XSS in Snitz Forum 2000

Sec-Tec Advisory - XSS in Snitz Forums 2000 The most up to date version of this advisory can always be found at: www.sec-tec.co.uk/vulnerability/snitzxss.html Advisory creation date: 6th May 2004 Product: Snitz Forums 2000 Tested version: 3.4.04 older versions believed to be affected also...

AI score 5.9
Exploits: 0
exploitpack
added 2002/06/10 12:00 a.m., 21 views

Geeklog 1.3.5 - Calendar Event Form Script Injection

Geeklog 1.3.5 - Calendar Event Form Script Injection source: https://www.securityfocus.com/bid/4974/info Geeklog does not sufficiently sanitize script code from form fields, making it prone to script injection attacks. Attacker-supplied script code may potentially end up in webpages generated by...

AI score 0.3
Exploits: 0