184 matches found
CVE-2026-25109
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field when accessing the get setup route, leading to remote code execution...
CVE-2026-25109
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field when accessing the get setup route...
CVE-2019-25454
CVE-2019-25454 affects phpMoAdmin 1.1.5. The vulnerability is a stored cross-site scripting (XSS) in the collection parameter of moadmin.php, allowing unauthenticated attackers to inject and store script payloads that execute in users’ browsers when the affected page is viewed. The root cause is ...
CVE-2026-27504
SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in radiomobilefront.php via the stationid query parameter. When an authenticated administrator views a crafted URL, the application embeds the unsanitized parameter value into a hidden input value field, allowi...
Serialization Injection Vulnerability
langchaincore is vulnerable to a Serialization Injection Vulnerability. The vulnerability is due to the dumps and dumpd functions not escaping user-controlled dictionaries containing the internal lc key, which allows an attacker to craft malicious input that is interpreted as a trusted LangChain...
VulnCheck KEV: CVE-2021-47795
GeoVision GeoWebServer 5.3.3 contains multiple vulnerabilities including local file inclusion, cross-site scripting, and remote code execution through improper input sanitization. Attackers can exploit the WebStrings.srf endpoint by manipulating path traversal and injection parameters to access...
CVE-2021-47795
GeoVision GeoWebServer 5.3.3 contains multiple vulnerabilities including local file inclusion, cross-site scripting, and remote code execution through improper input sanitization. Attackers can exploit the WebStrings.srf endpoint by manipulating path traversal and injection parameters to access...
CVE-2022-31794
An issue was discovered on Fujitsu ETERNUS CentricStor CS8000 Control Center devices before 8.1A SP02 P04. The vulnerability resides in the requestTempFile function in hwview.php. An attacker is able to influence the unitName POST parameter and inject special characters such as semicolons,...
CVE-2020-12022
Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. An improper validation vulnerability exists that could allow an attacker to inject specially crafted input into memory where it can be executed...
PT-2026-1852
Lack of authorization of the InputManager D-Bus interface in InputPlumber versions before v0.63.0 can lead to local Denial-of-Service, information leak or even privilege escalation in the context of the currently active user session...
CVE-2019-12463
An issue was discovered in LibreNMS 1.50.1. The scripts that handle graphing options includes/html/graphs/common.inc.php and includes/html/graphs/graphs.inc.php do not sufficiently validate or encode several fields of user supplied input. Some parameters are filtered with mysqlirealescapestring,...
EUVD-2025-205640
Micro Registration Utility µURU is a telephone self registration utility based on asterisk. In versions up to and including commit 88db9a953f38a3026bcd6816d51c7f3b93c55893, an attacker can crafts a special federation name and characters treated special by asterisk can be injected into the Dial...
PT-2025-49931
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Rhys Wynne WP eBay Product Feeds ebay-feeds-for-wordpress allows Stored XSS.This issue affects WP eBay Product Feeds: from n/a through = 3.4.9...
PT-2025-50052
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in sizam REHub Framework rehub-framework allows Stored XSS.This issue affects REHub Framework: from n/a through = 19.9.8...
CVE-2025-63527
CVE-2025-63527 affects Blood Bank Management System 1.0. The XSS flaw exists in updateprofile.php and hprofile.php where user input is not properly sanitized/encoded, allowing injection of JavaScript via hname, hemail, hpassword, hphone, and hcity parameters. This input is rendered in the respons...
CVE-2025-20303
Cisco ISE and Cisco ISE-PIC web-based management interfaces have multiple vulnerabilities that allow an authenticated, remote attacker with at least a low-privileged account to perform a reflected XSS by injecting malicious input into specific pages. The issues stem from insufficient validation o...
CVE-2025-12642
lighttpd1.4.80 incorrectly merged trailer fields into headers after http request parsing. This behavior can be exploited to conduct HTTP Header Smuggling attacks. Successful exploitation may allow an attacker to: Bypass access control rules Inject unsafe input into backend logic that trusts reque...
UBUNTU-CVE-2025-12642
lighttpd1.4.80 incorrectly merged trailer fields into headers after http request parsing. This behavior can be exploited to conduct HTTP Header Smuggling attacks. Successful exploitation may allow an attacker to: Bypass access control rules Inject unsafe input into backend logic that trusts reque...
CVE-2025-12642
Lighttpd 1.4.80 is affected by an HTTP header smuggling vulnerability caused by incorrectly merging trailer fields into headers during request parsing. This can enable bypassing access controls and injecting unsafe input into backend logic that relies on headers, with potential for HTTP Request S...
PT-2025-41708
Name of the Vulnerable Software and Affected Versions HCL Unica MaxAI Assistant affected versions not specified Description HCL Unica MaxAI Assistant is susceptible to a HTML injection issue. An attacker could insert special characters that are processed client-side within the user’s session...