56 matches found
CVE-2026-48942 Joomla Extension - getk2.org - Stored-XSS in K2 extension for Joomla < 2.26
K2 ≤ 2.26 renders the k2users.image column directly into HTML src attributes via two distinct templates, in both cases without HTML escaping...
CVE-2026-48942
K2 ≤ 2.26 renders the k2users.image column directly into HTML src attributes via two distinct templates, in both cases without HTML escaping...
EUVD-2026-39438
K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin plguserk2. A Registered Joomla user, by including the field K2UserForm=1 in a standard comusers profile.save POST, can write arbitrary values into the notes, image, and plugins columns of their own row in the k2users table —...
CVE-2026-48943 Joomla Extension - getk2.org - Authenticated user property mass-assignment in K2 extension for Joomla < 2.26
K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin plguserk2. A Registered Joomla user, by including the field K2UserForm=1 in a standard comusers profile.save POST, can write arbitrary values into the notes, image, and plugins columns of their own row in the k2users table —...
CVE-2026-48943 Joomla Extension - getk2.org - Authenticated user property mass-assignment in K2 extension for Joomla < 2.26
K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin plguserk2. A Registered Joomla user, by including the field K2UserForm=1 in a standard comusers profile.save POST, can write arbitrary values into the notes, image, and plugins columns of their own row in the k2users table —...
CVE-2026-48943
K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin plguserk2. A Registered Joomla user, by including the field K2UserForm=1 in a standard comusers profile.save POST, can write arbitrary values into the notes, image, and plugins columns of their own row in the k2users table —...
CVE-2026-48943
Summary: CVE-2026-48943 affects K2 ≤ 2.24, specifically the K2 system user plugin plg_user_k2. A mass‑assignment defect allows a registered Joomla user to set the field K2UserForm=1 in a normal com_users profile.save POST and write arbitrary values into the notes, image, and plugins columns of th...
EUVD-2026-37985
The Bit integrations – Form Integration, Webhook, Spreadsheets, CRM, LMS & Email Automation plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.8.7 via the uploadattachment. This makes it possible for unauthenticated attackers to make web...
CVE-2026-42839
An authenticated ERPNext user with Item record edit permissions can persist arbitrary HTML/JavaScript in the itemname, description, or image fields of an Item and trigger unescaped rendering in the Point of Sale POS cart interface for every operator who adds that item to a transaction.This issue...
Stored Cross-Site Scripting (XSS) via uploaded files served inline in FileField and ImageField
More info at https://github.com/EasyCorp/EasyAdminBundle/security/advisories/GHSA-8559-gwj3-q37r...
MAL-2026-3413 Malicious code in django-b64-img (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 f5ebdaebc61cf7a888322348e074f219519b7d09a24ab91732d8bc5061d86b2e The package provides a special image-storing field for Django REST Framework based on a legitimate implementation from the Hipo/drf-extra-fields repository. Th...
CVE-2019-25657 AnyBurn 4.3 x86 Denial of Service via Image Conversion
AnyBurn 4.3 x86 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string to the image conversion function. Attackers can paste a large buffer into the source or destination image file fields and click Convert Now to...
CVE-2026-27506 SVXportal <= 2.5 Profile Update Stored XSS
SVXportal version 2.5 and prior contain a stored cross-site scripting vulnerability in the user profile update workflow usersettings.php submitting to admin/updateuser.php. Authenticated users can store malicious HTML/JavaScript in fields such as Firstname, lastname, email, and imageurl, which ar...
EUVD-2018-1605
Malware in sbrugna...
EUVD-2005-0566
Malware in sbrugna...
EUVD-2025-25374
Malicious code in bioql PyPI...
CVE-2025-48158
Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in Alex Githatu BuddyPress XProfile Custom Image Field buddypress-xprofile-image-field allows Path Traversal.This issue affects BuddyPress XProfile Custom Image Field: from n/a through = 3.0.1...
CVE-2025-48158
Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in Alex Githatu BuddyPress XProfile Custom Image Field buddypress-xprofile-image-field allows Path Traversal.This issue affects BuddyPress XProfile Custom Image Field: from n/a through = 3.0.1...
CVE-2025-48158 WordPress BuddyPress XProfile Custom Image Field Plugin <= 3.0.1 - Arbitrary File Deletion Vulnerability
Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in Alex Githatu BuddyPress XProfile Custom Image Field buddypress-xprofile-image-field allows Path Traversal.This issue affects BuddyPress XProfile Custom Image Field: from n/a through = 3.0.1...
CVE-2025-48158 WordPress BuddyPress XProfile Custom Image Field Plugin <= 3.0.1 - Arbitrary File Deletion Vulnerability
Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in Alex Githatu BuddyPress XProfile Custom Image Field allows Path Traversal. This issue affects BuddyPress XProfile Custom Image Field: from n/a through 3.0.1...