Lucene search

24 matches found

CNNVD
added 2026/05/15 12:0 a.m. | 4 views

Open WebUI Cross-Site Scripting Vulnerability

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted WebUI that is open source. Versions of Open WebUI prior to 0.9.0 had a cross-site scripting vulnerability. This vulnerability stemmed from the AccountPending.svelte component using marked.parse to render...

4.8 CVSS | 5.7 AI score | 0.00033 EPSS
Exploits: 1 | References: 1
EUVD
added 2026/05/06 7:0 a.m. | 4 views

EUVD-2026-27530

The Item history widget in Zabbix 7.0+ or the Plain text widget in Zabbix 6.0 can execute injected JavaScript when HTML display is enabled. This can allow an attacker to perform unauthorized actions depending on which user opens a dashboard containing these widgets. The malicious JavaScript would...

7.3 CVSS | 5.9 AI score | 0.00074 EPSS
Exploits: 0 | References: 1
Debian CVE
added 2026/05/06 7:0 a.m. | 3 views

CVE-2026-23928

The Item history widget in Zabbix 7.0+ or the Plain text widget in Zabbix 6.0 can execute injected JavaScript when HTML display is enabled. This can allow an attacker to perform unauthorized actions depending on which user opens a dashboard containing these widgets. The malicious JavaScript would...

7.3 CVSS | 5.9 AI score | 0.00074 EPSS
Exploits: 0
Positive Technologies
added 2026/04/29 12:0 a.m. | 2 views

PT-2026-36905

Name of the Vulnerable Software and Affected Versions: n8n versions prior to 1.123.32; n8n versions prior to 2.17.4; n8n versions prior to 2.18.1. Description: An unauthenticated attacker can register a malicious MCP OAuth client using a crafted client name. If a victim user authorizes the OAuth conse...

9.6 CVSS | 5.9 AI score | 0.0008 EPSS
Exploits: 0 | References: 11
GithubExploit
added 2026/03/24 2:59 p.m. | 177 views

DarKSward

DarKSward-DarKSword Webpack source code reconstruction of the...

5.8 AI score
Exploits: 0
RedhatCVE
added 2026/01/09 11:20 a.m. | 6 views

CVE-2021-22888

Revive Adserver before v5.2.0 is vulnerable to a reflected XSS vulnerability in the status parameter of campaign-zone-zones.php. An attacker could trick a user with access to the user interface of a Revive Adserver instance into clicking on a specifically crafted URL and execute injected JavaScri...

6.1 CVSS | 6 AI score | 0.009 EPSS
Exploits: 1 | References: 1
Vulnrichment
added 2025/10/23 9:37 a.m. | 2 views

CVE-2025-9981 Multiple Stored XSS in QuickCMS

QuickCMS is vulnerable to multiple Stored XSS in the slider editor functionality (sliders-form). A malicious attacker with admin privileges can inject arbitrary HTML and JS into the website, which will be rendered/executed on every page. By default, the admin user is not able to add JavaScript into the website. T...

4.8 CVSS | 5.9 AI score | 0.00022 EPSS
Exploits: 0 | References: 2
EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2024-46153

Malicious code in bioql PyPI...

5.4 CVSS | 6.5 AI score | 0.00296 EPSS
Exploits: 0 | References: 1
OSV
added 2024/11/18 8:35 p.m. | 6 views

CVE-2024-52583 WesHacks code includes links to Leostop tracking spyware infested files

The WesHacks GitHub repository provides the official Hackathon competition website source code for the Muweilah Wesgreen Hackathon. The page schedule.html before 17 November 2024 or commit 93dfb83 contains links to Leostop, a site that hosts a malicious injected JavaScript file that occurs when...

8.2 CVSS | 6.9 AI score | 0.00229 EPSS
Exploits: 0 | References: 5
CNNVD
added 2024/11/18 12:0 a.m. | 1 view

WesHacks Security Vulnerability

WesHacks is a hackathon website by the individual developer Shahm Najeeb. A security vulnerability exists in versions of WesHacks prior to 17/11/2024, which stems from the site hosting maliciously injected JavaScript files...

8.2 CVSS | 6.5 AI score | 0.00229 EPSS
Exploits: 0 | References: 3
CVE
added 2024/06/12 3:5 p.m. | 137 views

CVE-2024-37297

CVE-2024-37297 affects WooCommerce on WordPress. An XSS flaw introduced in 8.8 can be triggered by crafting a link that injects HTML/JavaScript into classic checkout and registration forms via Sourcebuster.js, potentially allowing an attacker to hijack browser content and session data. The vulner...

5.4 CVSS | 5.4 AI score | 0.00973 EPSS
Exploits: 1 | References: 4 | Affected Software: 1
Positive Technologies
added 2024/04/15 12:0 a.m. | 2 views

PT-2024-5546 · Antiphish · Antiphish

Name of the Vulnerable Software and Affected Versions: Antiphish affected versions not specified Description: The issue is related to the lack of protection for the web page structure in the Antiphish software, which is used for training employees in information security skills. This can be...

7.5 CVSS | 6.1 AI score
Exploits: 0 | References: 1
Github Security Blog
added 2024/02/15 3:30 p.m. | 9 views

Magento Open Source allows Cross-Site Scripting (XSS)

Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin attacker to inject malicious scripts into every admin page. Malicious JavaScript may be executed in a victim’s browser when they browse...

9.1 CVSS | 5.7 AI score | 0.01149 EPSS
Exploits: 0 | References: 3 | Affected Software: 2
WPVulnDB
added 2023/12/11 12:0 a.m. | 62 views

Popup Builder < 4.2.3 - Unauthenticated Stored XSS

Description: The plugin does not prevent simple visitors from updating existing popups, and injecting raw JavaScript in them, which could lead to Stored XSS attacks. PoC: 1. Create a popup using the plugin. 2. Run the following curl command, switching $POPUPID with that popup's ID: curl --url...

6.1 CVSS | 8.7 AI score | 0.69124 EPSS
Exploits: 4 | References: 1 | Affected Software: 1
Positive Technologies
added 2023/06/02 12:0 a.m. | 3 views

PT-2023-21917

Name of the Vulnerable Software and Affected Versions: Openfind Mail2000 affected versions not specified Description: The issue arises from insufficient filtering of special characters in email content by the content filtering function. A remote attacker can exploit this by sending phishing emails...

6.1 CVSS | 6 AI score | 0.00276 EPSS
Exploits: 0 | References: 5
Positive Technologies
added 2023/06/01 12:0 a.m. | 1 view

PT-2023-7397 · Splunk · Splunk App For Lookup File Editing

Name of the Vulnerable Software and Affected Versions: Splunk App for Lookup File Editing versions prior to 4.0.1 Description: The issue allows a user to insert potentially malicious JavaScript code into the app, causing it to run on the user's machine. This does not require the app itself to...

6.1 CVSS | 6.7 AI score | 0.0049 EPSS
Exploits: 0 | References: 5
Prion
added 2023/05/03 7:15 p.m. | 12 views

Cross site scripting

Due to insufficient validation of parameters reflected in error messages by the legacy HTTP query API and the logging endpoint, it is possible to inject and execute malicious JavaScript within the browser of a targeted OpenTSDB user. This issue shares the same root cause as CVE-2018-13003, a...

5.8 CVSS | 6 AI score | 0.00574 EPSS
Exploits: 0 | References: 2 | Affected Software: 1
NVD
added 2021/03/25 8:15 p.m. | 10 views

CVE-2021-22889

Revive Adserver before v5.2.0 is vulnerable to a reflected XSS vulnerability in the statsBreakdown parameter of stats.php and possibly other scripts due to single quotes not being escaped. An attacker could trick a user with access to the user interface of a Revive Adserver instance into clicking...

6.1 CVSS | 0.009 EPSS
Exploits: 1 | References: 3
CNVD
added 2020/05/29 12:0 a.m. | 2 views

Victor CMS 'comment_author' Cross-Site Scripting Vulnerability

Victor CMS is a PHP-based content management system (CMS). Victor CMS has a cross-site scripting vulnerability in 'comment_author'. An attacker can insert malicious JS code into a page to obtain user cookies and other information, leading to user hijacking...

6.5 AI score
Exploits: 0 | References: 1
Exploit DB
added 2020/02/17 12:0 a.m. | 160 views

WordPress Theme Fruitful 3.8 - Persistent Cross-Site Scripting

Exploit Title: WordPress Theme Fruitful 3.8 - Persistent Cross-Site Scripting Dork: intext:"Fruitful theme by fruitfulcode Powered by: WordPress" intext:"Comment" intext:"Leave a Reply" Date: 2020-02-14 Category : Webapps Software Link: https://downloads.wordpress.org/theme/fruitful.3.8.zip Vendo...

7.4 AI score
Exploits: 0