19 matches found
CVE-2026-4146
The Loco Translate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘updatehref’ parameter in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary w...
CVE-2026-1316 Customer Reviews for WooCommerce <= 5.97.0 - Unauthenticated Stored Cross-Site Scripting via media[].href Parameter
The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'media.href' parameter in all versions up to, and including, 5.97.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers if...
CVE-2026-1316
The CVE-2026-1316 entry describes a Stored XSS in the WordPress plugin Customer Reviews for WooCommerce, caused by insufficient input sanitization and output escaping in the media[].href parameter. Affected are all versions up to 5.97.0. Exploitation requires no authentication if the plugin’s Ena...
PT-2026-7838
The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'media.href' parameter in all versions up to, and including, 5.97.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers if...
PT-2025-50908
The Simple CSV Table plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.0.1 via the href parameter in the csv shortcode. This is due to insufficient path validation before concatenating user-supplied input to a base directory path. This makes it...
Relative Path Traversal
Overview: @astrojs/cloudflare is a package to deploy your site to Cloudflare Workers/Pages. Affected versions of this package are vulnerable to Relative Path Traversal via the href parameter in the image optimization endpoint during development mode. An attacker can access arbitrary local image files readable...
PT-2024-29502 · Qwik +1 · Qwik +1
Name of the Vulnerable Software and Affected Versions: Qwik versions prior to 1.6.0; @builder.io/qwik versions prior to 1.7.3. Description: A potential mutation XSS vulnerability exists in Qwik due to improper HTML escaping on server-side rendering. This occurs because Qwik converts strings accordi...
WordPress Plugin Calculated Fields Form Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language, which supports personal blogs on PHP and MySQL servers. WordPress plugin is an...
CVE-2022-44786
An issue was discovered in Appalti & Contratti 9.12.2. The target web applications allow Local File Inclusion in any page relying on the href parameter to specify the JSP page to be rendered. This affects ApriPagina.do POST and GET requests to each application...
Maggioli SpA Appalti & Contratti Security Vulnerability
Maggioli SpA Appalti & Contratti is a modular platform of Maggioli SpA. It consists of several integrated web applications to support Italian public administrations in the computerization and telematics management of their processes. A security vulnerability exists in Maggioli SpA Appalti &...
PT-2022-27309 · Unknown · Appalti & Contratti
Name of the Vulnerable Software and Affected Versions: Appalti & Contratti version 9.12.2. Description: An issue was discovered in the target web applications, allowing Local File Inclusion in any page relying on the href parameter to specify the JSP page to be rendered. This affects ApriPagina.do...
Atlassian Fisheye and Crucible Cross-Site Scripting Vulnerabilities (CNVD-2019-04923)
Atlassian Fisheye and Crucible are both products of the Australian company Atlassian, Atlassian Fisheye is a suite of in-depth viewers of source code and Crucible is a suite of code review tools. A cross-site scripting vulnerability exists in the administrative linker feature in Atlassian Fisheye...
Stored XSS in administrative linker functionality through the href parameter - CVE-2018-20240
The administrative linker functionality in Atlassian Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the href parameter...
DEBIAN-CVE-2012-0908
Cross-site scripting (XSS) vulnerability in logout.php in SimpleSAMLphp 1.8.1 and possibly other versions before 1.8.2 allows remote attackers to inject arbitrary web script or HTML via the linkhref parameter...
KDE Konqueror DoS
Memory exhaustion on oversized SRC and HREF parameters...
CVE-2005-4567
Multiple cross-site scripting (XSS) vulnerabilities in FTGate Technology (formerly known as Floosietek) FTGate 4.4 (Build 4.4.000 Oct 26 2005) allow remote attackers to inject arbitrary web script or HTML by sending (1) the href parameter to index.fts, or the param1 parameter to (2) /domains/index.fts, (3)...
CVE-2001-0198
The CVE-2001-0198 issue affects the QuickTime Player plugin 4.1.2 (Japanese). The root cause is a buffer overflow caused by a long HREF parameter in an EMBED tag, allowing remote attackers to execute arbitrary commands. Public references describe a remote buffer overflow exploit via a crafted HTM...
CVE-2001-0198
Buffer overflow in QuickTime Player plugin 4.1.2 (Japanese) allows remote attackers to execute arbitrary commands via a long HREF parameter in an EMBED tag...