
10264 matches found

UbuntuCve
added 2026/02/03 11:15 a.m. | 3 views

CVE-2025-67850

A flaw was found in Moodle. This vulnerability, known as Cross-Site Scripting (XSS), occurs due to insufficient checks on user-provided data in the formula editor's arithmetic expression fields. A remote attacker could inject malicious code into these fields. When other users view these expressions...

CVSS 7.3 | AI score 6 | EPSS 0.00289
Exploits: 0 | References: 3
EUVD
added 2026/02/03 9:28 a.m. | 4 views

EUVD-2025-206732

HTML injection vulnerability in NICE Chat. This vulnerability allows an attacker to inject and render arbitrary HTML content in email transcripts by modifying the 'firstName' and 'lastName' parameters during a chat session. The injected HTML is included in the body of the email sent by the system...

CVSS 7.1 | AI score 5.6 | EPSS 0.00341
Exploits: 0 | References: 1
NVD
added 2026/02/03 7:16 a.m. | 8 views

CVE-2026-0617

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer profile fields in all versions up to, and including, 5.2.5 due to insufficient input sanitization and output escaping. This makes it possible for...

CVSS 7.2 | EPSS 0.00363
Exploits: 0 | References: 5
Vulnrichment
added 2026/02/03 6:38 a.m. | 3 views

CVE-2026-1058 Form Maker by 10Web <= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via Hidden Field

The Form Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via hidden field values in all versions up to, and including, 1.15.35. This is due to insufficient output escaping when displaying hidden field values in the admin submissions list. The plugin uses html_entity_decode o...

CVSS 7.1 | AI score 5.6 | EPSS 0.0032
Exploits: 0 | References: 3
EUVD
added 2026/02/03 6:38 a.m. | 4 views

EUVD-2026-5290

The Form Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via hidden field values in all versions up to, and including, 1.15.35. This is due to insufficient output escaping when displaying hidden field values in the admin submissions list. The plugin uses html_entity_decode o...

CVSS 7.1 | AI score 5.6 | EPSS 0.0032
Exploits: 0 | References: 3
CVE
added 2026/02/03 6:38 a.m. | 20 views

CVE-2026-1058

The vulnerability CVE-2026-1058 affects the WordPress Form Maker plugin by 10Web. A stored XSS exists in all versions up to 1.15.35 due to insufficient escaping of hidden field values in the admin submissions list; html_entity_decode() is applied to user-supplied hidden field values without prope...

CVSS 7.1 | AI score 5.6 | EPSS 0.0032
Exploits: 0 | References: 3
Vulnrichment
added 2026/02/03 6:38 a.m. | 3 views

CVE-2026-0617 LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.5 - Unauthenticated Stored Cross-Site Scripting

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer profile fields in all versions up to, and including, 5.2.5 due to insufficient input sanitization and output escaping. This makes it possible for...

CVSS 7.2 | AI score 5.6 | EPSS 0.00363
Exploits: 0 | References: 5
CVE
added 2026/02/03 6:38 a.m. | 8 views

CVE-2026-0617

The CVE concerns the LatePoint – Calendar Booking Plugin for Appointments and Events (WordPress). A stored XSS vulnerability exists in customer profile fields across all versions up to 5.2.5 due to insufficient input sanitization and output escaping, enabling unauthenticated attackers to inject s...

CVSS 7.2 | AI score 5.6 | EPSS 0.00363
Exploits: 0 | References: 5
EUVD
added 2026/02/03 6:38 a.m. | 7 views

EUVD-2026-5287

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer profile fields in all versions up to, and including, 5.2.5 due to insufficient input sanitization and output escaping. This makes it possible for...

CVSS 7.2 | AI score 5.6 | EPSS 0.00363
Exploits: 0 | References: 5
ATTACKERKB
added 2026/02/03 6:38 a.m. | 3 views

CVE-2026-0617

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer profile fields in all versions up to, and including, 5.2.5 due to insufficient input sanitization and output escaping. This makes it possible for...

CVSS 7.2 | AI score 5.6 | EPSS 0.00363
Exploits: 0 | References: 6
Positive Technologies
added 2026/02/03 12:0 a.m. | 5 views

PT-2026-5901

Name of the Vulnerable Software and Affected Versions: HCL AION version 2.0. Description: HCL AION is susceptible to an issue where the autocomplete attribute is not disabled for password fields. This can allow the autocomplete function to store or reveal sensitive credentials, potentially leading t...

CVSS 6.5 | AI score 5.4 | EPSS 0.00151
Exploits: 0 | References: 3
Positive Technologies
added 2026/02/03 12:0 a.m. | 7 views

PT-2026-5960

Name of the Vulnerable Software and Affected Versions: Moodle, affected versions not specified. Description: A flaw exists in Moodle where data fields are exported without proper escaping, leading to a formula injection issue. A remote attacker could exploit this by providing malicious data that, whe...

CVSS 7.8 | AI score 5.7 | EPSS 0.00251
Exploits: 0 | References: 13
CNNVD
added 2026/02/03 12:0 a.m. | 9 views

Moodle Security Vulnerability

Moodle is an open-source e-learning software platform developed by Moodle. It is also known as a course management system, learning management system, or virtual learning environment. There are security vulnerabilities in Moodle. These vulnerabilities stem from the insufficient data checking in t...

CVSS 7.3 | AI score 5.6 | EPSS 0.00289
Exploits: 0 | References: 2
Positive Technologies
added 2026/02/03 12:0 a.m. | 5 views

PT-2026-6028

Name of the Vulnerable Software and Affected Versions: Form Maker plugin for WordPress versions prior to 1.15.36. Description: The Form Maker plugin for WordPress is susceptible to Stored Cross-Site Scripting through hidden field values. Insufficient output escaping when displaying these values in t...

CVSS 7.1 | AI score 6 | EPSS 0.0032
Exploits: 0 | References: 6
Positive Technologies
added 2026/02/03 12:0 a.m. | 6 views

PT-2026-6203

Name of the Vulnerable Software and Affected Versions: Open eClass versions prior to 4.2. Description: The Open eClass platform, previously known as GUnet eClass, is a course management system. A Stored Cross-Site Scripting (XSS) issue exists in versions before 4.2, allowing authenticated...

CVSS 6.1 | AI score 5.4 | EPSS 0.00182
Exploits: 1 | References: 5
Positive Technologies
added 2026/02/03 12:0 a.m. | 6 views

PT-2026-5952

ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically hyperlinks in fields that are intended for plain text. Although JavaScript is blocked preventing XSS, the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable...

CVSS 3.5 | AI score 5.5 | EPSS 0.00227
Exploits: 0 | References: 1
CNNVD
added 2026/02/03 12:0 a.m. | 5 views

Open eClass Cross-Site Scripting Vulnerability

Open eClass is an open-source e-classroom system developed by the Greek Universities Network. Versions of Open eClass prior to 4.2 contained a cross-site scripting vulnerability. This vulnerability stemmed from stored cross-site scripts in multiple user-controllable input fields, which could allo...

CVSS 6.1 | AI score 5.6 | EPSS 0.00182
Exploits: 1 | References: 2
EUVD
added 2026/02/03 12:0 a.m. | 4 views

EUVD-2025-206723

ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically hyperlinks in fields that are intended for plain text. Although JavaScript is blocked preventing XSS, the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable...

CVSS 6.1 | AI score 5.5 | EPSS 0.00227
Exploits: 0 | References: 1
ATTACKERKB
added 2026/02/03 12:0 a.m. | 2 views

CVE-2025-65924

ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically hyperlinks in fields that are intended for plain text. Although JavaScript is blocked preventing XSS, the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable...

AI score 5.5 | EPSS 0.00227
Exploits: 0 | References: 2
CVE
added 2026/02/03 12:0 a.m. | 18 views

CVE-2025-65924

CVE-2025-65924 affects ERPNext up to v15.88.1. The issue arises in the Add Quality Goal function where HTML tags (notably hyperlinks) are not sanitized in plain-text fields. While JavaScript is blocked to prevent XSS, the HTML remains in the generated PDFs, enabling users to click malicious link...

CVSS 4.1 | AI score 5.5 | EPSS 0.00227
Exploits: 0 | References: 1 | Affected Software: 1