Lucene search

140 matches found

OSV
added 2026/04/29 9:51 p.m., 1 views

GHSA-GQ27-FC8W-VCMP Admidio vulnerable to reflected XSS in msg_window.php via Square Bracket to HTML Tag Conversion

Summary: An unauthenticated attacker can execute arbitrary JavaScript in any Admidio user's browser through a reflected XSS in system/msg_window.php. The endpoint passes user input through htmlspecialchars, which does not encode square brackets. A subsequent call to Language::prepareTextPlaceholder...

6.1 CVSS, 6.2 AI score, 0.0006 EPSS
Exploits 0, References 4
CVE
added 2026/04/26 3:15 a.m., 6 views

CVE-2026-7016

CVE-2026-7016 concerns MaxSite CMS (up to 109.3) via the ushki Plugin. The vulnerability is a Cross-Site Scripting flaw caused by improper filtering of arguments f_ushka_new/f_ushk, allowing remote exploitation. The issue has been publicly disclosed and is exploitable in practice, with the exploi...

4.8 CVSS, 3.5 AI score, 0.00039 EPSS
Exploits 0, References 7
Cvelist
added 2026/04/26 12:30 a.m., 23 views

CVE-2026-7011 MaxSite CMS Antispam Plugin plugin_antispam cross site scripting

A weakness has been identified in MaxSite CMS up to 109.3. Affected by this vulnerability is an unknown functionality of the file /admin/pluginantispam of the component Antispam Plugin. Executing a manipulation of the argument floggingfile can lead to cross site scripting. It is possible to launc...

4.8 CVSS, 0.00013 EPSS
Exploits 0, References 7
CNNVD
added 2026/04/18 12:0 a.m., 3 views

ChurchCRM Security Vulnerability

ChurchCRM is an open-source CRM system developed for churches. Versions of ChurchCRM prior to 7.2.0 contained security vulnerabilities. These vulnerabilities stemmed from the use of the user editor, which directly rendered stored user names as HTML input value attributes without applying...

4.8 CVSS, 5.7 AI score, 0.0001 EPSS
Exploits 0, References 2
GithubExploit
added 2026/03/12 5:58 a.m., 96 views

xss-vulnerable-php

XSS Vulnerable PHP Vanilla Intentionally vulnerable vanilla...

5.8 AI score
Exploits 0
RedhatCVE
added 2026/01/22 5:34 p.m., 3 views

CVE-2021-47870

GetSimple CMS My SMTP Contact Plugin 1.1.2 suffers from a Stored Cross-Site Scripting (XSS) vulnerability. The plugin attempts to sanitize user input using htmlspecialchars, but this can be bypassed by passing dangerous characters as escaped hex bytes. This allows attackers to inject arbitrary...

5.4 CVSS, 5.8 AI score, 0.00116 EPSS
Exploits 1, References 1
CVE
added 2026/01/21 5:32 p.m., 4 views

CVE-2021-47870

CVE-2021-47870 affects GetSimple CMS with the plugin “My SMTP Contact Plugin” v1.1.2. The stored XSS arises because input is sanitized with htmlspecialchars() but can be bypassed by escaped hex bytes, enabling arbitrary client-side code execution in an administrator’s browser when visiting a craf...

5.4 CVSS, 5.8 AI score, 0.00116 EPSS
Exploits 1, References 5, Affected Software 1
Cvelist
added 2026/01/21 5:32 p.m., 17 views

CVE-2021-47870 GetSimple CMS My SMTP Contact Plugin 1.1.2 - Stored XSS

GetSimple CMS My SMTP Contact Plugin 1.1.2 suffers from a Stored Cross-Site Scripting (XSS) vulnerability. The plugin attempts to sanitize user input using htmlspecialchars, but this can be bypassed by passing dangerous characters as escaped hex bytes. This allows attackers to inject arbitrary...

4.8 CVSS, 0.00116 EPSS
Exploits 1, References 5
Vulnrichment
added 2026/01/21 5:32 p.m., 1 views

CVE-2021-47870 GetSimple CMS My SMTP Contact Plugin 1.1.2 - Stored XSS

GetSimple CMS My SMTP Contact Plugin 1.1.2 suffers from a Stored Cross-Site Scripting (XSS) vulnerability. The plugin attempts to sanitize user input using htmlspecialchars, but this can be bypassed by passing dangerous characters as escaped hex bytes. This allows attackers to inject arbitrary...

4.8 CVSS, 5.8 AI score, 0.00116 EPSS
Exploits 1, References 5
EUVD
added 2025/10/07 12:30 a.m., 1 views

EUVD-2018-11198

Malware in sbrugna...

6.1 CVSS, 6.3 AI score, 0.00328 EPSS
Exploits 2, References 4
EUVD
added 2025/10/07 12:30 a.m., 1 views

EUVD-2018-2143

Malware in sbrugna...

5.4 CVSS, 5.7 AI score, 0.00955 EPSS
Exploits 1, References 5
EUVD
added 2025/10/07 12:30 a.m., 1 views

EUVD-2020-11780

Malware in sbrugna...

4.8 CVSS, 5.2 AI score, 0.00321 EPSS
Exploits 1, References 2
EUVD
added 2025/10/07 12:30 a.m., 1 views

EUVD-2020-11781

Malware in sbrugna...

4.8 CVSS, 5.2 AI score, 0.00223 EPSS
Exploits 1, References 2
EUVD
added 2025/10/07 12:30 a.m., 1 views

EUVD-2016-6046

Malware in sbrugna...

8.6 CVSS, 8.5 AI score, 0.02407 EPSS
Exploits 0, References 15
EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2024-3609

Malicious code in bioql PyPI...

7.5 CVSS, 6.2 AI score, 0.00469 EPSS
Exploits 1, References 6
Tenable Nessus
added 2025/08/30 12:0 a.m., 2 views

Linux Distros Unpatched Vulnerability : CVE-2018-10061

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag; these calls occur when the html_escape function in...

5.4 CVSS, 6.2 AI score, 0.00955 EPSS
Exploits 1, References 2
RedhatCVE
added 2025/05/22 4:28 p.m., 1 views

CVE-2020-19884

DBHcms v1.2.0 has a stored XSS vulnerability as there is no htmlspecialchars function in dbhcms\mod\mod.domain.edit.php line 119...

4.8 CVSS, 6.7 AI score, 0.00321 EPSS
Exploits 1
OSV
added 2024/12/27 6:15 a.m., 1 views

DEBIAN-CVE-2024-56527

An issue was discovered in TCPDF before 6.8.0. The Error function lacks an htmlspecialchars call for the error message...

7.5 CVSS, 5.2 AI score, 0.00469 EPSS
Exploits 1, References 1
OSV
added 2024/12/27 6:15 a.m., 0 views

UBUNTU-CVE-2024-56527

An issue was discovered in TCPDF before 6.8.0. The Error function lacks an htmlspecialchars call for the error message...

7.5 CVSS, 5.8 AI score, 0.00469 EPSS
Exploits 1, References 6
CNNVD
added 2024/12/27 12:0 a.m., 2 views

TCPDF Security Vulnerability

TCPDF is an open-source library from Tecnick. It is used to generate PDF documents and barcodes. TCPDF versions before 6.8.0 have a security vulnerability that stems from the Error function lacking an htmlspecialchars call for error messages...

7.5 CVSS, 6.5 AI score, 0.00469 EPSS
Exploits 1, References 4