CVE-2026-28426
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, a stored XSS vulnerability in SVG and icon related components allows authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileg...
GHSA-5VRJ-WF7V-5WR7 Statamic vulnerable to privilege escalation via stored cross-site scripting
Impact: A stored XSS vulnerability in SVG and icon related components allows authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. Patches: This has been fixed in 5.73.11 and 6.4.0...
CVE-2026-27196
Statamic is a Laravel and Git powered content management system (CMS). Versions 5.73.8 and below, as well as 6.0.0-alpha.1 through 6.3.1, have a stored XSS vulnerability in HTML fieldtypes which allows authenticated users with field management permissions to inject malicious JavaScript that...
Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the configFieldItems function. An attacker can execute arbitrary JavaScript in the context of higher-privileged users by injecting malicious scripts as an authenticated user with field management permissions...
CVE-2025-64112
Statamic is a Laravel and Git powered content management system (CMS). Stored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This vulnerability is fix...
CVE-2025-64112 Statamic vulnerable to Stored Cross-Site Scripting
Statamic is a Laravel and Git powered content management system (CMS). Stored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This vulnerability is fix...
CVE-2021-22149
Elastic Enterprise Search App Search versions before 7.14.0 are vulnerable to an issue where API keys were missing authorization via an alternate route. Using this vulnerability, an authenticated attacker could utilize API keys belonging to higher privileged users...
Privilege Escalation
github.com/rancher/rancher is vulnerable to Privilege Escalation. The vulnerability is due to improper access control that allows Restricted Administrators to change the passwords of higher-privileged users without having the Manage Users permission...
CVE-2024-28142
The CVE-2024-28142 entry describes stored cross-site scripting via improper input sanitization on the Image Access Scan2Net (and related lines) File Name input on the User Settings page (/cgi/uset.cgi?-cfilename). The root cause is inadequate filtering of the file name and wildcard character inpu...
PT-2024-38518 · Phoenix Contact · Fl Mguard 2102 +46
Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided descriptions. Description: A low privileged remote attacker can get access to CSRF tokens of higher privileged users, which can be abused to mount CSRF attacks. Recommendations: A...
Add Custom Body Class <= 1.4.1 - Contributor+ Stored Cross-Site Scripting
Description: The plugin does not properly escape the addcustombodyclass parameter before outputting it to the page, allowing users with the role of Contributor or higher to inject arbitrary web scripts, potentially targeting higher-privileged users...
CVE-2023-5533 AI ChatBot <= 4.8.9 and 4.9.2 - Missing Authorization on AJAX actions
The AI ChatBot plugin for WordPress is vulnerable to unauthorized use of AJAX actions due to missing capability checks on the corresponding functions in versions up to, and including, 4.8.9 as well as 4.9.2. This makes it possible for unauthenticated attackers to perform some of those actions tha...
CVE-2023-2270 Local privilege escalation
The Netskope client service running with NT\SYSTEM privileges accepts network connections from localhost to start various services and execute commands. The connection handling function of Netskope client before R100 in this service utilized a relative path to download and unzip configuration fil...
CVE-2022-43760
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SUSE Rancher allows users in some higher-privileged groups to inject code that is executed within another user's browser, allowing the attacker to steal sensitive information, manipulate web...
WordPress Creative Mail Plugin < 1.6.0 Multiple CSRF Vulnerabilities
The WordPress plugin (Greenbone check; SPDX-FileCopyrightText: 2023 Greenbone AG; some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders; SPDX-License-Identifier: GPL-2.0-only; CPE = "cpe:/a:constantcontact:creativemail"; if description...
IBM InfoSphere Information Server Elevation of Privilege Vulnerability (CNVD-2022-38557)
IBM InfoSphere Information Server is a data integration software platform. Its primary purpose is to help organizations understand, clean, monitor, transform and deliver data. An elevation of privilege vulnerability exists in IBM InfoSphere Information Server, which could be exploited by an...
Vulnerability fixed in Kibana
A vulnerability has been fixed in Kibana. The vulnerability allows an authenticated malicious person to perform a Cross-Site Scripting attack on users with higher privileges within the application. Elastic has made version 7.17.0 available for Kibana to fix the vulnerability. For more information...
Cross site scripting
CheckSec Canopy 3.x before 3.0.7 has stored XSS via the Login Page Disclaimer, allowing attacks by low-privileged users against higher-privileged users...