143 matches found
EUVD-2024-48030
Malicious code in bioql PyPI...
CVE-2025-58987
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in AntoineH Football Pool football-pool allows Stored XSS.This issue affects Football Pool: from n/a through = 2.12.6...
CVE-2025-48316
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in ItayXD Responsive Mobile-Friendly Tooltip responsive-mobile-friendly-tooltip allows Stored XSS.This issue affects Responsive Mobile-Friendly Tooltip: from n/a through = 1.6.6...
CVE-2025-8022
Versions of the package bun after 0.0.12 are vulnerable to Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection' in the $ shell API due to improper neutralization of user input. An attacker can exploit this by providing specially crafted input that includes...
CVE-2025-54433
Bugsink is a self-hosted error tracking service. In versions 1.4.2 and below, 1.5.0 through 1.5.4, 1.6.0 through 1.6.3, and 1.7.0 through 1.7.3, ingestion paths construct file locations directly from untrusted eventid input without validation. A specially crafted eventid can result in paths outsi...
GHSA-4J66-8F4R-3PJX bun vulnerable to OS Command Injection
All versions of the package bun are vulnerable to Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection' in the $ shell API due to improper neutralization of user input. An attacker can exploit this by providing specially crafted input that includes command-line...
Withdrawn Advisory: bun vulnerable to OS Command Injection
Withdrawn Advisory This advisory has been withdrawn because it does not describe a vulnerability in Bun itself. See the following rejection message from the CVE Numbering Authority: Rejected reason: Bun Shell does not invoke /bin/sh, or any other interpreter, for template literals created with th...
CVE-2025-8022
...
CVE-2025-8022
CVE-2025-8022 entry is rejected/not used and does not represent an active vulnerability.
CVE-2025-5392
The GB Forms DB plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.2 via the gbfdbtalktofront function. This is due to the function accepting user input and then passing that through calluserfunc. This makes it possible for unauthenticated...
Endress+Hauser MEAC300-FNADE4 Cross-Site Scripting Vulnerability (CNVD-2025-16357)
The Endress+Hauser MEAC300-FNADE4 is a cost-effective emissions data management computer from Endress+Hauser Vietnam. The Endress+Hauser MEAC300-FNADE4 suffers from a cross-site scripting vulnerability that stems from the application's lack of effective filtering and escaping of user-supplied dat...
CVE-2025-52357
Cross-Site Scripting XSS vulnerability exists in the ping diagnostic feature of FiberHome FD602GW-DX-R410 router firmware V2.2.14, allowing an authenticated attacker to execute arbitrary JavaScript code in the context of the router s web interface. The vulnerability is triggered via user-supplied...
GHSA-6F6R-M9PV-67JW iOS Simulator MCP Command Injection allowed via exec API
Command Injection in MCP Server The MCP Server at https://github.com/joshuayoes/ios-simulator-mcp/ is written in a way that is vulnerable to command injection vulnerability attacks as part of some of its MCP Server tool definition and implementation. Vulnerable tool The MCP Server exposes the too...
iOS Simulator MCP Command Injection allowed via exec API
Command Injection in MCP Server The MCP Server at https://github.com/joshuayoes/ios-simulator-mcp/ is written in a way that is vulnerable to command injection vulnerability attacks as part of some of its MCP Server tool definition and implementation. Vulnerable tool The MCP Server exposes the too...
CVE-2025-52573 Command Injection in MCP Server ios-simulator-mcp
iOS Simulator MCP Server ios-simulator-mcp is a Model Context Protocol MCP server for interacting with iOS simulators. Versions prior to 1.3.3 are written in a way that is vulnerable to command injection vulnerability attacks as part of some of its MCP Server tool definition and implementation. T...
WordPress Animated Buttons Cross-Site Scripting Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress plugin is an application plugin. A cross-site scripting vulnerability exists in WordPress Animated Buttons, which stems from insufficient cleanup and escaping of user-supplied attribute inputs in the...
CVE-2025-0193
A stored Cross-site Scripting XSS vulnerability exists in the MGate 5121/5122/5123 Series firmware version v1.0 because of insufficient sanitization and encoding of user input in the "Login Message" functionality. An authenticated attacker with administrative access can exploit this vulnerability...
CVE-2024-40519
SeaCMS 12.9 has a remote code execution vulnerability. The vulnerability is caused by adminsmtp.php directly splicing and writing the user input data into weixin.php without processing it, which allows authenticated attackers to exploit the vulnerability to execute arbitrary commands and obtain...
CVE-2023-52192
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Keap Keap Official Opt-in Forms allows Stored XSS.This issue affects Keap Official Opt-in Forms: from n/a through 1.0.11...
CVE-2023-20019
A vulnerability in the web-based management interface of Cisco BroadWorks Application Delivery Platform, Cisco BroadWorks Application Server, and Cisco BroadWorks Xtended Services Platform could allow an unauthenticated, remote attacker to conduct a cross-site scripting XSS attack against a user ...