45 matches found
CVE-2026-6226 Frontend Admin by DynamiApps <= 3.29.2 - Unauthenticated Privilege Escalation via Form Configuration Injection
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthenticated privilege escalation in versions up to and including 3.29.2. This is due to insecure form submission handling that accepts arbitrary form definitions from user input instead of securely loading them from the...
CVE-2026-34396
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo admin panel renders plugin configuration values in HTML forms without applying htmlspecialchars or any other output encoding. The jsonToFormElements function in admin/functions.php directly interpolates...
CVE-2025-68914
Riello UPS NetMan 208 Application before 1.12 allows cgi-bin/login.cgi username SQL Injection. For example, an attacker can delete the LOGINFAILEDTABLE table...
CVE-2025-64826
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they brow...
PT-2025-47464
Github Restaurant Website Restoran v1.0 was discovered to contain a SQL injection vulnerability via the Contact Form page...
EUVD-2008-0408
Malware in sbrugna...
Linux Distros Unpatched Vulnerability : CVE-2019-1010310
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - GLPI GLPI Product 9.3.1 is affected by: Frame and Form tags Injection allowing admins to phish users by putting code in reminder description. The impact is:...
Diskover-web 安全漏洞
Diskover-web is a file system indexing tool from Diskover, Inc. in the United States. A security vulnerability exists in Diskover-web version v2.3.0, which stems from improper cleanup of multiple POST parameters in the Elasticsearch configuration form, which could lead to an SQL injection attack...
PT-2024-6549 · Microsoft · Outlook
Name of the Vulnerable Software and Affected Versions: Microsoft Outlook affected versions not specified Description: The issue is related to incorrect external control of a file name or path in Microsoft Outlook for Windows operating systems. Exploitation of this issue may allow an attacker to...
CVE-2024-36178
Adobe Experience Manager versions 6.5.20 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page...
CVE-2024-34120
Adobe Experience Manager versions 6.5.20 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page...
CVE-2024-36189 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
Adobe Experience Manager versions 6.5.20 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page...
CVE-2024-36171 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
Adobe Experience Manager versions 6.5.20 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page...
PT-2024-40292 · Typo3 · Typo3
Name of the Vulnerable Software and Affected Versions: TYPO3 affected versions not specified Description: A broken access control issue has been discovered in the Import/Export module, allowing regular backend users to access import functionality that is typically restricted to admin users or tho...
PT-2024-11733 · Unknown · Online Flight Booking Management System
Name of the Vulnerable Software and Affected Versions: Online Flight Booking Management System version 1.0 Description: The issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the airline parameter in the feedback form. This enables the execution of...
lasTunes <= 3.6.1 - Settings Update via CSRF
Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack ' ' document.forms0...
EventON-RSVP < 2.9.5 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page containing the code below "/...
Easy Forms for Mailchimp < 6.9.0 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed 1 Create a new opt-in form 2 Edit the form, and add a "First name" field. 3 Update the form...
Email Subscription Popup < 1.2.20 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open " /...
PT-2023-32721 · Sourcecodester · Sourcecodester Simple Student Attendance System
Name of the Vulnerable Software and Affected Versions: SourceCodester Simple Student Attendance System version 1.0 Description: A critical issue affects some unknown functionality of the file /modals/class form.php. The manipulation of the id argument leads to SQL injection. The issue has been...