936 matches found
CVE-2025-14124
The Team WordPress plugin before 5.0.11 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection...
EUVD-2025-205838
A Stored Cross-Site Scripting XSS vulnerability exists in the Meeting location field of the Create/Edit Conference functionality in TrueConf Server v5.5.2.10813. The injected payload is stored via the meetingroom parameter and executed when users visit the Conference Info page, allowing attackers...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the XML file upload. An attacker can execute arbitrary JavaScript in the context of an administrator's browser session by uploading a crafted XML file containing malicious code, which is rendered without...
Cross-site Scripting (XSS)
OWASP Java HTML Sanitizer is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper sanitization when HtmlPolicyBuilder permits noscript and style tags with allowTextIn, which allows an attacker to craft malicious CSS or HTML payloads that bypass the defined policy and execu...
CVE-2025-67849
A flaw was found in Moodle. This cross-site scripting XSS vulnerability, caused by improper sanitization of AI prompt responses, allows attackers to inject malicious HTML or script into web pages. When other users view these compromised pages, their sessions could be stolen, or the user interface...
Cross-Site Scripting (XSS)
spotipy is vulnerable to cross-site scripting XSS. The vulnerability is due to improper sanitization of the error parameter in the OAuth callback server, which allows an attacker to inject and execute arbitrary JavaScript in the user's browser during OAuth authentication...
Cross Site Scripting (XSS)
getgrav/grav is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper sanitization of...
SQL Injection
nukeviet/nukeviet is vulnerable to SQL Injection. The vulnerability is due to improper sanitization of the topicsid parameter in modules/news/admin/addtotopics.php, which allows an attacker to execute malicious SQL queries through crafted input...
SQL Injection
io.dataease, dataease-plugin-common is vulnerable to SQL Injection. The vulnerability is due to improper sanitization of the dataSourceId parameter, which allows an attacker to inject and execute arbitrary SQL queries...
CVE-2025-9127 PX Enterprise Improper Sanitization Vulnerability
A vulnerability exists in PX Enterprise whereby sensitive information may be logged under specific conditions...
CVE-2025-9127
CVE-2025-9127 affects PX Enterprise. Multiple connected reports identify a vulnerability where sensitive information may be logged under certain conditions. From the sources, the affected product is PX Enterprise, with local access (CVSSv3.1: AV=L, AC:L, PR:L, UI:N; confidentiality impact HIGH; i...
CVE-2025-9127 PX Enterprise Improper Sanitization Vulnerability
A vulnerability exists in PX Enterprise whereby sensitive information may be logged under specific conditions...
Cross-site Scripting (XSS)
com.liferay, com.liferay.mentions.web are vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper sanitization of user-supplied input in name-related text fields, which allows an attacker to inject malicious scripts that execute in various widgets or apps such as comments,...
Credential Disclosure
Grype is vulnerable to credential disclosure. The vulnerability is due to improper sanitization of registry credentials in output files generated using the --file or --output json= options, which allows an attacker to obtain exposed registry credentials from the generated output files...
Cross-site Scripting (XSS)
mailgen is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper sanitization in the generatePlaintext method, which fails to remove HTML tags provided as encoded entities, allowing an attacker to inject malicious HTML or JavaScript that can execute when the resulting...
CVE-2025-12559
Mattermost versions 11.0.x = 11.0.2, 10.12.x = 10.12.1, 10.11.x = 10.11.4, 10.5.x = 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/channelid/commonteams endpoint...
CVE-2025-12710 Pet-Manager – Petfinder <= 3.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via kwm-petfinder Shortcode
The Pet-Manager – Petfinder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the kwm-petfinder shortcode in all versions up to, and including, 3.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...
CVE-2025-63714
Cross-Site Scripting XSS vulnerability in SourceCodester User Account Generator 1.0 allows remote attackers to execute arbitrary JavaScript code in the context of the user's browser session via crafted input in the Username Prefix field. The vulnerability exists due to improper sanitization of...
HTML Injection
mailgen is vulnerable to HTML injection. The vulnerability is due to improper sanitization of user-supplied content and Mailgen.generatePlaintextemail retaining HTML tags from input. An attacker can supply crafted content to inject HTML into generated plaintext emails...
PT-2025-44771
Name of the Vulnerable Software and Affected Versions Simple User Management System with PHP-MySQL version 1.0 Description The Simple User Management System with PHP-MySQL fails to properly sanitize user input in the Profile Section, allowing attackers to inject and execute arbitrary JavaScript...