ATTACKERKB
added 2026/02/03 12:00 a.m., 2 views

CVE-2025-65924

ERPNext through 15.88.1 does not sanitize or remove certain HTML tags, specifically hyperlinks, in fields that are intended for plain text. Although JavaScript is blocked, preventing XSS, the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable...

AI score: 5.5, EPSS: 0.00227
Exploits: 0, References: 2

CVE
added 2026/02/03 12:00 a.m., 18 views

CVE-2025-65924

CVE-2025-65924 affects ERPNext up to v15.88.1. The issue arises in the Add Quality Goal function, where HTML tags (notably hyperlinks) are not sanitized in plain-text fields. While JavaScript is blocked to prevent XSS, the HTML remains in the generated PDFs, enabling users to click malicious link...

CVSS: 4.1, AI score: 5.5, EPSS: 0.00227
Exploits: 0, References: 1, Affected Software: 1

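The two ERPNext entries above describe the same gap: a filter that blocks JavaScript is not the same as enforcing that a plain-text field holds only plain text, so an `<a href>` survives into the generated PDF as a working link. The block below is an added example in JavaScript, not ERPNext or Frappe code and not the product's actual sanitizer. The filter, the render helper, the field value and every function name are constructed here to show the difference between "no script executes" and "no markup is rendered".

```javascript
'use strict';

// A filter that only stops script execution (constructed for this demo; not the
// product's sanitizer): drops <script> elements, inline on* handlers and
// javascript: URLs, but leaves every other tag, including anchors, intact.
function blockJavaScriptOnly(html) {
  return String(html)
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '')
    .replace(/\s+on[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi, '')
    .replace(/\bhref\s*=\s*(["']?)\s*javascript:[^"'>]*\1/gi, 'href="#"');
}

// Correct handling for a field that is supposed to hold plain text: encode
// every character with meaning to an HTML (or HTML-to-PDF) renderer, so a
// pasted <a> tag is shown as literal text and never becomes a link.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, ch => map[ch]);
}

// Stricter alternative: reject markup at input time instead of encoding at
// render time. Suitable when legitimate values never contain angle brackets.
function isPlainText(value) {
  return !/[<>]/.test(String(value));
}

// Count live hyperlinks in a rendered fragment. For a plain-text field the
// expected value is always zero, whatever the input was.
function clickableLinks(html) {
  return (String(html).match(/<a\b[^>]*\bhref\s*=/gi) || []).length;
}

// Stand-in (hypothetical) for the template that places a field value into the
// HTML that is later converted to PDF.
function renderGoalRow(value, sanitize) {
  return '<tr><td>' + sanitize(value) + '</td></tr>';
}

// Constructed input: an anchor and a script typed into a "plain text" field.
const HOSTILE_GOAL =
  'Q3 target <a href="https://attacker.example/pay">Pay invoice here</a>' +
  '<script>alert(1)</script>';

console.log(clickableLinks(renderGoalRow(HOSTILE_GOAL, blockJavaScriptOnly))); // 1
console.log(clickableLinks(renderGoalRow(HOSTILE_GOAL, escapeHtml)));          // 0
```

Run it with node. The assertion worth keeping in a test suite is the `clickableLinks` count on rendered output for every field declared plain text: it must be zero for any input, which the script-only filter fails and full escaping passes. Rejecting angle brackets at input time (`isPlainText`) is the simpler rule when legitimate values never need them.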
CNNVD
added 2026/02/03 12:00 a.m., 9 views

Craft Commerce cross-site scripting vulnerability

Craft Commerce is an e-commerce platform built on the open-source Craft CMS framework. Craft Commerce versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1 have a cross-site scripting vulnerability. The vulnerability arises from improper sanitization of name and description...

CVSS: 6.1, AI score: 6.5, EPSS: 0.00283
Exploits: 1, References: 5

CNNVD
added 2026/02/03 12:00 a.m., 9 views

Moodle security vulnerability

Moodle is an open-source e-learning software platform developed by Moodle. It is also known as a course management system, learning management system, or virtual learning environment. Moodle has security vulnerabilities. These vulnerabilities stem from insufficient data checking in t...

CVSS: 7.3, AI score: 5.6, EPSS: 0.00289
Exploits: 0, References: 2

NVD
added 2026/02/02 11:16 p.m., 18 views

CVE-2026-24737

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following methods or...

CVSS: 8.3, EPSS: 0.00457
Exploits: 1, References: 8

Snyk
added 2026/02/02 11:04 p.m., 2 views

Cross-site Scripting (XSS)

Overview: craftcms/commerce is the Craft Commerce package. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the Shipping Zone fields in the store management section, which are not properly sanitized before being displayed in the admin panel. An attacker can execute arbitrary...

CVSS: 4.8, AI score: 5.6
Exploits: 0, References: 2

Snyk
added 2026/02/02 10:51 p.m., 1 view

Cross-site Scripting (XSS)

Overview: craftcms/commerce is the Craft Commerce package. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the Name and Description fields in the tax categories section of the admin panel. An attacker can execute arbitrary JavaScript code in the context of an administrator's...

CVSS: 6.1, AI score: 5.6, EPSS: 0.00261
Exploits: 1, References: 2

ATTACKERKB
added 2026/02/02 8:29 p.m., 8 views

CVE-2026-24737

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following methods or...

CVSS: 8.1, AI score: 5.5, EPSS: 0.00457
Exploits: 1, References: 4, Affected Software: 1

Cvelist
added 2026/02/02 8:29 p.m., 30 views

CVE-2026-24737: jsPDF has a PDF Injection in AcroFormChoiceField which allows Arbitrary JavaScript Execution

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following methods or...

CVSS: 8.1, EPSS: 0.00457
Exploits: 1, References: 3

Snyk
added 2026/02/02 6:29 p.m., 3 views

Improper Encoding or Escaping of Output

Overview: jspdf is a PDF document creation library for JavaScript. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, or AcroFormRadioButton.appearanceState...

CVSS: 9.3, AI score: 6, EPSS: 0.00457
Exploits: 1, References: 2

Github Security Blog
added 2026/02/02 6:29 p.m., 16 views

jsPDF has PDF Injection in AcroFormChoiceField that allows Arbitrary JavaScript Execution

Impact: User control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following methods or properties, a user can inject arbitrary PDF objects, such as...

CVSS: 8.3, AI score: 5.5, EPSS: 0.00457
Exploits: 1, References: 5, Affected Software: 1

IBM Security Bulletins
added 2026/02/02 7:12 a.m., 14 views

Security Bulletin: IBM OpenPages for Cloud Pak for Data is Vulnerable to Multiple Spring Framework Vulnerabilities (CVE-2024-38820, CVE-2025-22233)

Summary: A Spring MVC controller is vulnerable to a DoS attack, and DataBinder has a case-sensitive match exception. These vulnerabilities were remediated. Vulnerability Details: CVEID: CVE-2024-38820. DESCRIPTION: The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However,...

CVSS: 5.3, AI score: 5.4, EPSS: 0.05413
Exploits: 2, Affected Software: 1

Positive Technologies
added 2026/02/02 12:00 a.m., 3 views

PT-2026-5721

Name of the Vulnerable Software and Affected Versions: jsPDF versions prior to 4.1.0. Description: A flaw exists in jsPDF, a JavaScript library for generating PDFs, where user control over properties and methods within the Acroform module can lead to the injection of arbitrary PDF objects, including...

CVSS: 9.4, AI score: 5.9, EPSS: 0.00457
Exploits: 1, References: 11

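The CVE-2026-24737 entries above (NVD, ATTACKERKB, Cvelist, Snyk, GitHub Security Blog and PT-2026-5721) all describe one bug class: option labels and appearance-state names from the Acroform API are written into PDF syntax without escaping, so a value containing an unescaped `)` ends the literal string early and the remainder of the value is parsed as PDF objects, such as an action dictionary with `/S /JavaScript`. The block below is an added example in JavaScript; it is not jsPDF's code and does not reproduce the 4.1.0 fix. It shows the class with a hand-built choice-field dictionary and a generic literal-string escaper following ISO 32000-1 section 7.3.4.2. The field name, option list, hostile payload string and all helper names are constructed for the demo.

```javascript
'use strict';

// Escape a JavaScript string for use inside a PDF literal string "( ... )".
// Backslash and both parentheses are the characters that change how a PDF
// parser delimits the string (ISO 32000-1, 7.3.4.2); CR and LF are escaped as
// well so a value cannot split the token stream across lines.
function escapePdfLiteral(value) {
  return String(value)
    .replace(/\\/g, '\\\\')
    .replace(/\(/g, '\\(')
    .replace(/\)/g, '\\)')
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n');
}

// Vulnerable pattern (constructed for the demo, not jsPDF's implementation):
// field name and option labels are concatenated straight into the dictionary.
function choiceFieldUnsafe(fieldName, options) {
  return '<< /FT /Ch /T (' + fieldName + ') /Opt [' +
    options.map(o => '(' + o + ')').join(' ') + '] >>';
}

// Hardened variant: every user-controlled value passes through the escaper.
function choiceFieldSafe(fieldName, options) {
  return '<< /FT /Ch /T (' + escapePdfLiteral(fieldName) + ') /Opt [' +
    options.map(o => '(' + escapePdfLiteral(o) + ')').join(' ') + '] >>';
}

// Remove literal strings from a PDF fragment, honouring backslash escapes and
// balanced parentheses, and return what is left. What remains is exactly the
// part a PDF reader would interpret as objects and keys rather than as text.
function stripLiteralStrings(fragment) {
  let out = '';
  let depth = 0;
  for (let i = 0; i < fragment.length; i++) {
    const ch = fragment[i];
    if (depth === 0) {
      if (ch === '(') depth = 1; else out += ch;
      continue;
    }
    if (ch === '\\') { i++; continue; } // escaped char is never a delimiter
    if (ch === '(') depth++;
    else if (ch === ')') depth--;
  }
  return out;
}

// Constructed hostile option label: closes the /Opt string and array early,
// adds an additional-actions dictionary carrying a JavaScript action, then
// reopens an array so the surrounding syntax still balances.
const HOSTILE_OPTION =
  'Red) ] /AA << /O << /S /JavaScript /JS (app.alert(1)) >> >> /Opt [ (';

// True when a /JavaScript name reaches object level, i.e. ends up outside
// every string literal, for the given field builder.
function javaScriptActionLeaks(buildField) {
  const dict = buildField('colour', ['Green', HOSTILE_OPTION, 'Blue']);
  return /\/JavaScript\b/.test(stripLiteralStrings(dict));
}

console.log('unsafe leaks:', javaScriptActionLeaks(choiceFieldUnsafe)); // true
console.log('safe leaks:  ', javaScriptActionLeaks(choiceFieldSafe));   // false
```

Run it with node. The `stripLiteralStrings` check is the one to keep in a test: route every externally sourced value through the field builder and assert that no action name (`/JavaScript`, `/Launch`, `/URI`) survives outside a string. Hex strings `<...>` are an alternative to backslash escaping; either way the requirement is that user data can never terminate the string token it is placed in.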
NVD
added 2026/02/01 1:15 p.m., 4 views

CVE-2022-50941

BootCommerce 3.2.1 contains persistent input validation vulnerabilities that allow remote attackers to inject malicious script code through guest order checkout input fields. Attackers can exploit unvalidated input parameters to execute arbitrary scripts, potentially leading to session hijacking,...

CVSS: 6.4, EPSS: 0.00301
Exploits: 0, References: 3

NVD
added 2026/02/01 1:15 p.m., 5 views

CVE-2021-47885

Multiple payment terminal versions contain non-persistent cross-site scripting vulnerabilities in billing and payment information input fields. Attackers can inject malicious script code through vulnerable parameters to manipulate client-side requests and potentially execute session hijacking or...

CVSS: 6.4, EPSS: 0.00251
Exploits: 0, References: 5

CVE
added 2026/02/01 12:15 p.m., 15 views

CVE-2022-50797

The CVE-2022-50797 entry concerns the Stripe Green Downloads Wordpress Plugin version 2.03, which contains a persistent cross-site scripting (XSS) flaw. The vulnerability targets button label fields (via settings) and can allow remote attackers to inject and execute arbitrary scripts, with potent...

CVSS: 6.4, AI score: 6.1, EPSS: 0.00391
Exploits: 0, References: 3

ATTACKERKB
added 2026/02/01 12:15 p.m., 4 views

CVE-2022-50797

Stripe Green Downloads Wordpress Plugin 2.03 contains a persistent cross-site scripting vulnerability allowing remote attackers to inject malicious scripts in button label fields. Attackers can exploit input parameters to execute arbitrary scripts, potentially leading to session hijacking and...

CVSS: 6.4, AI score: 6.1, EPSS: 0.00391
Exploits: 0, References: 3, Affected Software: 1

Vulnrichment
added 2026/02/01 12:15 p.m., 2 views

CVE-2022-50797: Stripe Green Downloads Wordpress Plugin 2.03 Persistent XSS via Settings

Stripe Green Downloads Wordpress Plugin 2.03 contains a persistent cross-site scripting vulnerability allowing remote attackers to inject malicious scripts in button label fields. Attackers can exploit input parameters to execute arbitrary scripts, potentially leading to session hijacking and...

CVSS: 6.4, AI score: 5.5, EPSS: 0.00391
Exploits: 0, References: 3

CVE
added 2026/02/01 12:15 p.m., 13 views

CVE-2021-47885

Technical details about CVE-2021-47885 are not publicly provided in the supplied documents. Monitor for updates and refer to the cited sources for any future disclosures.

CVSS: 6.4, AI score: 5.9, EPSS: 0.00251
Exploits: 0, References: 5

EUVD
added 2026/02/01 12:15 p.m., 3 views

EUVD-2021-34763

Multiple payment terminal versions contain non-persistent cross-site scripting vulnerabilities in billing and payment information input fields. Attackers can inject malicious script code through vulnerable parameters to manipulate client-side requests and potentially execute session hijacking or...

CVSS: 6.4, AI score: 5.9, EPSS: 0.00251
Exploits: 0, References: 5