CVE-2026-48237 Open ISES Tickets < 3.44.2 SQL Injection via message.php frm_ticket_id and frm_resp_id Parameters

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in message.php where the frmticketid and frmrespid POST parameters are concatenated into WHERE clauses of SELECT/UPDATE statements without sanitization. Authenticated attackers can craft requests that alter query semantics to...

PocketMine-MP: JSON decoding of unlimited size large arrays/objects in ModalFormResponse Handling

Impact The server does not meaningfully limit the size of the JSON payload in ModalFormResponsePacket. This can be abused by an attacker to waste memory and CPU on an affected server, e.g. by sending arrays with millions of elements. The player must have a full session on the server i.e. spawned ...

GHSA-788V-5PFP-93FF PocketMine-MP: JSON decoding of unlimited size large arrays/objects in ModalFormResponse Handling

Impact The server does not meaningfully limit the size of the JSON payload in ModalFormResponsePacket. This can be abused by an attacker to waste memory and CPU on an affected server, e.g. by sending arrays with millions of elements. The player must have a full session on the server i.e. spawned ...

Allocation of Resources Without Limits or Throttling

Overview pocketmine/pocketmine-mp is a highly customisable, open source server software for Minecraft: Bedrock Edition written in PHP Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the ModalFormResponsePacket handling process. An attack...

CVE-2023-48546 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)

Adobe Experience Manager versions 6.5.18 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they brow...

PocketMine-MP vulnerable to denial-of-service by sending large modal form responses

Impact Due to a workaround for an old client bug which has since been fixed, very large JSON payloads in ModalFormResponsePacket were able to cause the server to spend a significant amount of time processing the packet. Large numbers of these packets were able to hog CPU time so as to prevent the...

GHSA-WJFQ-88Q2-R34J Unhandled exception when decoding form response JSON

Impact When handling form responses from the client ModalFormResponsePacket, the Minecraft Windows client may send weird JSON that jsondecode can't understand. A workaround for this is implemented in InGamePacketHandler::stupidjsondecode. An InvalidArgumentException is thrown by this function whe...