28 matches found

Vulnrichment | added 2026/06/09 3:50 a.m.

CVE-2026-41846 Spring Framework Cross-site Scripting via JSP Form Tags

Spring MVC applications which accept user-supplied values in the cssClass, cssErrorClass, or cssStyle attributes of JSP form tags allow arbitrary HTML/JavaScript code injection, potentially resulting in a cross-site scripting (XSS) vulnerability. Affected versions: Spring Framework 7.0.0 through...

CVSS 5.9 | AI score 5.4 | EPSS 0.0014 | Exploits 0 | References 1

Tenable Nessus | added 2026/06/09 12:00 a.m.

Linux Distros Unpatched Vulnerability : CVE-2026-41846

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - Spring MVC applications which accept user-supplied values in the cssClass, cssErrorClass, or cssStyle attributes of JSP form tags allow arbitrary HTML/JavaScrip...

CVSS 6.1 | AI score 5.3 | EPSS 0.0014 | Exploits 0 | References 3

Vulnrichment | added 2026/03/27 8:37 p.m.

CVE-2026-33883 Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the user:reset_password_form tag could render user input directly into HTML without escaping, allowing an attacker to craft a URL that executes arbitrary JavaScript in the victim's browser. Thi...

CVSS 6.1 | AI score 5.9 | EPSS 0.00149 | Exploits 0 | References 1

OSV | added 2026/03/27 8:37 p.m.

CVE-2026-33883 Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the user:reset_password_form tag could render user input directly into HTML without escaping, allowing an attacker to craft a URL that executes arbitrary JavaScript in the victim's browser. Thi...

CVSS 6.1 | AI score 5.8 | EPSS 0.00149 | Exploits 0 | References 3

OSV | added 2026/03/26 7:05 p.m.

GHSA-3JG4-P23X-P4QX Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag

Impact: The user:reset_password_form tag could render user input directly into HTML without escaping, allowing an attacker to craft a URL that executes arbitrary JavaScript in the victim's browser. Patches: This has been fixed in 5.73.16 and 6.7.2...

CVSS 6.1 | AI score 5.8 | EPSS 0.00149 | Exploits 0 | References 3

Positive Technologies | added 2026/03/26 12:00 a.m.

PT-2026-28550

Name of the Vulnerable Software and Affected Versions: Statamic versions prior to 5.73.16; Statamic versions prior to 6.7.2. Description: The user:reset_password_form tag does not properly escape user-supplied input before rendering it as HTML, potentially allowing an attacker to inject and execute...

CVSS 6.1 | AI score 6.1 | EPSS 0.00149 | Exploits 0 | References 5

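The Statamic entries above, like the Spring JSP-tag entry before them and the Flexi shortcode entries that follow, come down to one rule: a user-controlled value placed inside an HTML attribute has to be entity-escaped for that context, or a value containing `">` closes the tag and the remainder is parsed as markup. The block below is an added example and is not code from Statamic, Spring or Flexi. It assumes a password-reset form whose hidden `redirect` field reflects the `redirect` query parameter; the markup, payload and function names are constructed for illustration, and the unsafe renderer is kept only to show the break-out beside the escaped version.

```javascript
// Added example: attribute-context escaping for a reflected "redirect" parameter.
// Not Statamic's, Spring's or Flexi's code; markup and names are assumptions.

// Entity-escape the characters that can end an attribute value or a text node.
// This is only sufficient when the attribute value is quoted, as it is below.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Reflected input: the redirect target is read straight from the request URL.
function redirectParamFromUrl(requestUrl) {
  return new URL(requestUrl).searchParams.get("redirect") || "";
}

// Vulnerable rendering: the parameter is interpolated into the attribute verbatim,
// so a value that begins with '">' terminates the <input> and injects new elements.
function renderResetFormUnsafe(redirect) {
  return [
    '<form method="POST" action="/password/reset">',
    `  <input type="hidden" name="redirect" value="${redirect}">`,
    '  <input type="email" name="email">',
    '  <button type="submit">Reset</button>',
    "</form>",
  ].join("\n");
}

// Hardened rendering: identical markup, attribute value escaped for the HTML
// attribute context. The browser decodes the entities back into the original
// string when the form is submitted, so the redirect value is not altered.
function renderResetForm(redirect) {
  return [
    '<form method="POST" action="/password/reset">',
    `  <input type="hidden" name="redirect" value="${escapeHtml(redirect)}">`,
    '  <input type="email" name="email">',
    '  <button type="submit">Reset</button>',
    "</form>",
  ].join("\n");
}

// Count opening tags of a given name, a cheap stand-in for what the HTML
// tokenizer would see: the unsafe page gains extra elements, the escaped one does not.
function countTags(html, tagName) {
  return (html.match(new RegExp(`<${tagName}\\b`, "gi")) || []).length;
}

// Constructed attacker URL: a classic attribute break-out payload in the redirect parameter.
const PAYLOAD = '"><script>alert(document.domain)</script><input value="';
const ATTACK_URL =
  "https://example.com/password/reset?redirect=" + encodeURIComponent(PAYLOAD);

function demo() {
  const redirect = redirectParamFromUrl(ATTACK_URL);
  return { unsafe: renderResetFormUnsafe(redirect), safe: renderResetForm(redirect) };
}

const out = demo();
console.log(out.unsafe + "\n---\n" + out.safe);
```

Run with `node`: the unsafe output contains a third `<input>` and a `<script>` element that were never in the template, while the escaped output still has exactly two inputs and the payload survives only as `&quot;&gt;&lt;script&gt;...` text inside the attribute.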
RedhatCVE | added 2025/10/04 11:53 a.m.

CVE-2025-9129

The Flexi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its flexi-form-tag shortcode in all versions up to, and including, 4.28 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for...

CVSS 6.4 | AI score 5 | EPSS 0.0022 | Exploits 0 | References 1

Patchstack | added 2025/10/03 10:10 p.m.

WordPress Flexi plugin <= 4.28 - Authenticated (Contributor+) Stored Cross-Site Scripting via flexi-form-tag Shortcode vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via flexi-form-tag Shortcode vulnerability discovered by Peter Thaleikis in WordPress Plugin Flexi – Guest Submit versions <= 4.28...

CVSS 6.4 | AI score 5.8 | EPSS 0.0022 | Exploits 0 | References 1 | Affected Software 1

EUVD | added 2025/10/03 8:07 p.m.

EUVD-2025-32251

Malicious code in bioql PyPI...

CVSS 6.4 | AI score 6.6 | EPSS 0.0022 | Exploits 0 | References 4

NVD | added 2025/10/03 12:15 p.m.

CVE-2025-9129

The Flexi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its flexi-form-tag shortcode in all versions up to, and including, 4.28 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for...

CVSS 6.4 | EPSS 0.0022 | Exploits 0 | References 3

CVE | added 2025/10/03 11:17 a.m.

CVE-2025-9129

CVE-2025-9129 describes a Stored Cross-Site Scripting flaw in the WordPress Flexi plugin (up to version 4.28) via the flexi-form-tag shortcode. The issue arises from insufficient input sanitization and output escaping on user-supplied attributes, allowing authenticated attackers with contributor-...

CVSS 6.4 | AI score 4.7 | EPSS 0.0022 | Exploits 0 | References 3

Cvelist | added 2025/10/03 11:17 a.m.

CVE-2025-9129 Flexi <= 4.28 - Authenticated (Contributor+) Stored Cross-Site Scripting via flexi-form-tag Shortcode

The Flexi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its flexi-form-tag shortcode in all versions up to, and including, 4.28 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for...

CVSS 6.4 | EPSS 0.0022 | Exploits 0 | References 3

Vulnrichment | added 2025/10/03 11:17 a.m.

CVE-2025-9129 Flexi <= 4.28 - Authenticated (Contributor+) Stored Cross-Site Scripting via flexi-form-tag Shortcode

The Flexi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its flexi-form-tag shortcode in all versions up to, and including, 4.28 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for...

CVSS 6.4 | AI score 4.7 | EPSS 0.0022 | Exploits 0 | References 3

Positive Technologies | added 2025/10/03 12:00 a.m.

PT-2025-40483

Name of the Vulnerable Software and Affected Versions: Flexi plugin for WordPress versions up to and including 4.28. Description: The Flexi plugin for WordPress is susceptible to Stored Cross-Site Scripting through the flexi-form-tag shortcode. Insufficient input sanitization and output escaping on...

CVSS 6.4 | AI score 5.2 | EPSS 0.0022 | Exploits 0 | References 6

GithubExploit | added 2024/01/10 3:49 p.m.

Exploit for Cross-site Scripting in Alinto Sogo

CVE-2023-48104 HTML Injection in Alinto/SOGo Web Client Ve...

CVSS 6.1 | AI score 6.4 | EPSS 0.01022 | Exploits 1

OSV | added 2020/08/31 10:48 p.m.

GHSA-6QQJ-RX4W-R3CJ CSRF Vulnerability in jquery-ujs

Versions 1.0.3 and earlier of jquery-ujs are vulnerable to an information leakage attack that may enable attackers to launch CSRF attacks, as it allows attackers to send CSRF tokens to external domains. When an attacker controls the href attribute of an anchor tag, or the action attribute of a fo...

CVSS 6.5 | AI score 6.9 | Exploits 0 | References 4

RubySec | added 2020/05/18 12:00 a.m.

CSRF Vulnerability in rails-ujs

There is a vulnerability in rails-ujs that allows attackers to send CSRF tokens to wrong domains. Versions Affected: rails < 5.2.4.3, rails < 6.0.3.1. Impact: This is a regression of CVE-2015-1840. In the scenario where an attacker might be able to control the href attribute of an anchor ta...

CVSS 6.5 | AI score 2 | EPSS 0.04397 | Exploits 2 | References 1 | Affected Software 1

UbuntuCve | added 2019/07/12 6:15 p.m.

CVE-2019-1010310

GLPI 9.3.1 is affected by frame and form tag injection, allowing admins to phish users by putting code in a reminder description. The impact is: admins can phish any user or group of users for credentials / credit cards. The component is: Tools Reminder Description. Set the...

CVSS 3.5 | AI score 5.9 | EPSS 0.00718 | Exploits 0 | References 3

Github Security Blog | added 2017/10/24 6:33 p.m.

actionpack Cross-site Scripting vulnerability

Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_tag_helper.rb in Ruby on Rails 3.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via the prompt field to the select_tag helper...

CVSS 4.3 | AI score 4.1 | EPSS 0.01306 | Exploits 1 | References 7 | Affected Software 1

seebug.org | added 2016/01/27 12:00 a.m.

Ruby on Rails jquery-ujs and jquery-rails Security Bypass Vulnerability

Impact: In the scenario where an attacker might be able to control the href attribute of an anchor tag or the action attribute of a form tag that will trigger a POST action, the attacker can set the href or action to " https://attacker.com" (note the leading space) that will be passed to jQuery, who...

AI score 7.1 | Exploits 0

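The jquery-ujs, rails-ujs and seebug entries above describe one mechanism: an href or action that begins with a space does not match the `^`-anchored URL regex jQuery used for its cross-domain check, so the request is classed as same-origin, the X-CSRF-Token header is attached, and the browser (which strips the leading space when it resolves the URL) delivers the token to the attacker's host. The block below is an added example and not the projects' own code. It models the vulnerable check on jQuery's `crossDomain` logic and the hardened one on the resolve-then-compare-origins approach of the fix; the function names and the page/attacker URLs are constructed, and Node's WHATWG `URL` parser stands in for the browser's `<a href>` resolution that the real fix relies on.

```javascript
// Added example: how a leading space in href/action leaked the Rails CSRF token
// (CVE-2015-1840 in jquery-ujs, regressed as CVE-2020-8167 in rails-ujs).
// Not the projects' code; helper names and sample URLs are assumptions.

// jQuery 1.x-style URL regex, anchored at '^'. A URL that starts with a space
// does not match at all, so 'parts' below is null.
const RURL = /^([\w.+-]+:)(?:\/\/(?:[^\/?#]*@|)([^\/?#:]*)(?::(\d+)|)|)/;

function defaultPort(protocol) {
  return protocol === "http:" ? "80" : "443";
}

// Vulnerable check, modelled on jQuery's crossDomain detection: a null 'parts'
// short-circuits to false ("same origin"), which is exactly the bug.
function isCrossDomainRegex(url, pageUrl) {
  const loc = RURL.exec(pageUrl.toLowerCase());
  const parts = RURL.exec(url.toLowerCase());
  return !!(parts && (
    parts[1] !== loc[1] ||
    parts[2] !== loc[2] ||
    (parts[3] || defaultPort(parts[1])) !== (loc[3] || defaultPort(loc[1]))
  ));
}

// Hardened check, in the spirit of the jquery-ujs/rails-ujs fix: resolve the URL
// with the same parser the browser will use for the request, then compare origins.
// The WHATWG parser strips leading and trailing whitespace, so " https://attacker.com"
// resolves to https://attacker.com. Anything unparseable is treated as cross-domain.
function isCrossDomainResolved(url, pageUrl) {
  try {
    return new URL(url, pageUrl).origin !== new URL(pageUrl).origin;
  } catch (e) {
    return true;
  }
}

// Where the token ends up: jquery-ujs added X-CSRF-Token to every request it did
// not consider cross-domain. Returns the headers that would be sent and the host
// the browser will actually contact after resolving the URL.
function buildRequest(url, pageUrl, isCrossDomain, token) {
  const headers = {};
  if (!isCrossDomain(url, pageUrl)) headers["X-CSRF-Token"] = token;
  let host;
  try {
    host = new URL(url, pageUrl).host;
  } catch (e) {
    host = null;
  }
  return { host, headers };
}

// Constructed inputs: the page lives on example.com, the attacker-controlled
// href/action is " https://attacker.com/" with the leading space from the advisory.
const PAGE = "https://example.com/posts/1";
const TOKEN = "constructed-csrf-token";
const ATTACKER_HREF = " https://attacker.com/";

function demo() {
  const leaky = buildRequest(ATTACKER_HREF, PAGE, isCrossDomainRegex, TOKEN);
  const fixed = buildRequest(ATTACKER_HREF, PAGE, isCrossDomainResolved, TOKEN);
  return { leaky, fixed };
}

const result = demo();
console.log("regex check    ->", result.leaky.host, result.leaky.headers);
console.log("resolved check ->", result.fixed.host, result.fixed.headers);
```

Both checks agree on an ordinary absolute URL and on a relative path; they diverge only on the whitespace-prefixed form, where the regex version attaches the token to a request that is really bound for attacker.com. The practical lesson is the one the fix embodies: decide "same origin" with the same parser the browser uses to send the request, not with a second, stricter one.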