10269 matches found
CVE-2006-1775
Multiple cross-site scripting XSS vulnerabilities in phpBB 2.0.19 allow remote attackers to inject arbitrary web script or HTML via the 1 Site Description field in a adminboard.php, the 2 Group name and 3 Group description fields in b admingroups.php and c groupcp.php, the 4 Theme Name field in d...
CVE-2023-45147
Discourse is an open source community platform. In affected versions any user can create a topic and add arbitrary custom fields to a topic. The severity of this vulnerability depends on what plugins are installed and how the plugins uses topic custom fields. For a default Discourse installation...
CVE-2023-31073
Missing Authorization vulnerability in Jose Vega Display custom fields in the frontend – Post and User Profile Fields allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Display custom fields in the frontend – Post and User Profile Fields: from n/a through...
CVE-2023-4469
The Profile Extra Fields by BestWebSoft plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the prflxtrfldsexportfile function in versions up to, and including, 1.2.7. This makes it possible for unauthenticated attackers to expose potentially...
CVE-2025-40696
Stored Cross Site Scripting in Online Fire Reporting System v1.2 by PHPGurukul, that consists in a stored authenticated XSS due to the lack of propper validation of user inputs 'fullname', 'location' and 'message' parameters via POST at the endpoint '/ofrs/reporting.php'. This vulnerability could...
CVE-2026-21695
Titra is open source project time tracking software. In versions 0.99.49 and below, an API has a Mass Assignment vulnerability which allows authenticated users to inject arbitrary fields into time entries, bypassing business logic controls via the customfields parameter. The affected endpoint use...
CVE-2024-34708
Directus is a real-time API and App dashboard for managing SQL database content. A user with permission to view any collection using redacted hashed fields can get access the raw stored version using the alias functionality on the API. Normally, these redacted fields will return however if we...
CVE-2023-50256
Froxlor is open source server administration software. Prior to version 2.1.2, it was possible to submit the registration form with the essential fields, such as the username and password, left intentionally blank. This inadvertent omission allowed for a bypass of the mandatory field requirements...
CVE-2023-31133
Ghost is an app for new-media creators with tools to build a website, publish content, send newsletters, and offer paid subscriptions to members. Prior to version 5.46.1, due to a lack of validation when filtering on the public API endpoints, it is possible to reveal private fields via a brute...
CVE-2025-23430
Cross-Site Request Forgery CSRF vulnerability in Oren Yomtov Mass Custom Fields Manager mass-custom-fields-manager allows Reflected XSS.This issue affects Mass Custom Fields Manager: from n/a through = 1.5...
CVE-2025-23822
Cross-Site Request Forgery CSRF vulnerability in alicornea Category Custom Fields categorycustomfields allows Cross Site Request Forgery.This issue affects Category Custom Fields: from n/a through = 1.0...
CVE-2022-31112
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client respons...
CVE-2024-34761
Vulnerability discovered by executing a planned security audit. Improper Control of Generation of Code 'Code Injection' vulnerability in WPENGINE INC Advanced Custom Fields PRO allows Code Injection.This issue affects Advanced Custom Fields PRO: from n/a before 6.2.10...
CVE-2024-34762
Vulnerability discovered by executing a planned security audit. Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in WPENGINE INC Advanced Custom Fields PRO allows PHP Local File Inclusion.This issue affects Advanced Custom Fields PRO: from n/a before 6.2....
Security Bulletin: Data Binding Validation Bypass in Spring Framework, affects watsonx.data
Summary There are still cases where it is possible to bypass the disallowedFields checks. Affected Spring Products and Versions Spring Framework: 6.2.0 - 6.2.6 6.1.0 - 6.1.19 6.0.0 - 6.0.27 5.3.0 - 5.3.42 Older, unsupported versions are also affected Mitigation Users of affected versions should...
CVE-2025-67825
An issue was discovered in Nitro PDF Pro for Windows before 14.42.0.34. In certain cases, it displays signer information from a non-verified PDF field rather than from the verified certificate subject. This could allow a document to present inconsistent signer details. The display logic was updat...
CVE-2025-67825
An issue was discovered in Nitro PDF Pro for Windows before 14.42.0.34. In certain cases, it displays signer information from a non-verified PDF field rather than from the verified certificate subject. This could allow a document to present inconsistent signer details. The display logic was updat...
CVE-2026-21695 Titra API Contains Mass Assignment Vulnerability
Titra is open source project time tracking software. In versions 0.99.49 and below, an API has a Mass Assignment vulnerability which allows authenticated users to inject arbitrary fields into time entries, bypassing business logic controls via the customfields parameter. The affected endpoint use...
CVE-2026-21695
CVE-2026-21695 affects the open source time tracking software Titra. In versions ≤ 0.99.49, the API suffers a Mass Assignment vulnerability: the endpoint merges user-supplied input via the JavaScript spread operator into the database document (customfields), without validating which keys are perm...
CVE-2026-21695 Titra API Contains Mass Assignment Vulnerability
Titra is open source project time tracking software. In versions 0.99.49 and below, an API has a Mass Assignment vulnerability which allows authenticated users to inject arbitrary fields into time entries, bypassing business logic controls via the customfields parameter. The affected endpoint use...