CVE-2026-22803 SvelteKit has a memory amplification DoS in Remote Functions binary form deserializer

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate...

CVE-2025-14803

The NEX-Forms WordPress plugin before 9.1.8 does not sanitise and escape some of its settings. The NEX-Forms WordPress plugin before 9.1.8 can be configured in such a way that could allow subscribers to perform Stored Cross-Site Scripting...

UmbracoForms Vulnerable to Remote Code Execution via Untrusted WSDL Compilation in Dynamic SOAP Client Generation

Impact Within Umbraco Forms, configuring a malicious URL on the Webservice data source can result in Remote Code Execution. This affects all Umbraco Forms versions running on .NET Framework up to and including version 8. Patches The affected Umbraco Forms versions are all End-of-Life EOL and not...

GHSA-VRGW-PC9C-QRRC UmbracoForms Vulnerable to Remote Code Execution via Untrusted WSDL Compilation in Dynamic SOAP Client Generation

Impact Within Umbraco Forms, configuring a malicious URL on the Webservice data source can result in Remote Code Execution. This affects all Umbraco Forms versions running on .NET Framework up to and including version 8. Patches The affected Umbraco Forms versions are all End-of-Life EOL and not...

EUVD-2026-2325

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-mixer: us16x08: validate meter packet indices getmeterlevelsfromurb parses the 64-byte meter packets sent by the device and fills the per-channel arrays meterlevel, complevel and masterlevel in struct...

PT-2026-2357

Name of the Vulnerable Software and Affected Versions WPForms version 1.7.8 Description The software contains a cross-site scripting issue in the slider import search feature and tab parameter. An attacker can inject malicious scripts through the /ListTable.php endpoint to execute arbitrary...

WordPress Nex-Forms Express WP Form Builder plugin < 9.1.8 - Authenticated Stored XSS vulnerability

Authenticated Stored XSS vulnerability discovered by Vuln Seeker Cyber Security Team in WordPress Plugin NEX-Forms versions 9.1.8...

CVE-2026-0674

Missing Authorization vulnerability in Campaign Monitor Campaign Monitor for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Campaign Monitor for WordPress: from n/a through 2.9.1...

CVE-2025-61676

CVE-2025-61676 affects October CMS prior to 3.7.13 and 4.0.12, where a stored XSS in the backend configuration form (Branding & Appearance → Styles) could be injected by users with Customize Backend Styles permission. A crafted input in the stylesheet field could break out of the context, enabli...

October CMS 跨站脚本漏洞

October CMS is an open source content management system CMS from October CMS based on PHP and the Laravel web application framework. A cross-site scripting vulnerability exists in October CMS versions prior to 3.7.13 and prior to 4.0.12, which stems from insufficient cleanup and escaping in...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the stylesheet input in the backend configuration forms. An attacker can execute arbitrary scripts in the context of other users by injecting malicious HTML or JavaScript through the editor settings. This ca...

CVE-2023-49052

File Upload vulnerability in Microweber v.2.0.4 allows a remote attacker to execute arbitrary code via a crafted script to the file upload function in the created forms component...

CVE-2023-4109

The Ninja Forms WordPress Ninja Forms Contact Form WordPress plugin before 3.6.26 was affected by a HTML Injection security vulnerability...

CVE-2021-33224

File upload vulnerability in Umbraco Forms v.8.7.0 allows unauthenticated attackers to execute arbitrary code via a crafted web.config and asp file...

CVE-2022-0879

The Caldera Forms WordPress plugin before 1.9.7 does not validate and escape the cf-api parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting...

CVE-2022-0402

The Super Forms - Drag & Drop Form Builder WordPress plugin before 6.0.4 does not escape the bobczypanstwasprawazostalarozwiazana parameter before outputting it back in an attribute via the superlanguageswitcher AJAX action, leading to a Reflected Cross-Site Scripting. The action is also lacking...

CVE-2017-18574

The ninja-forms plugin before 3.0.31 for WordPress has insufficient HTML escaping in the builder...

CVE-2017-18495

The gravity-forms-sms-notifications plugin before 2.4.0 for WordPress has XSS...

CVE-2019-2886

Vulnerability in the Oracle Forms product of Oracle Fusion Middleware component: Services. The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Forms. Successful attacks require hum...

CVE-2020-12462

The ninja-forms plugin before 3.4.24.2 for WordPress allows CSRF with resultant XSS...