Lucene search
+L

21 matches found

snyk
snyk
added 2026/07/06 9:29 p.m.6 views

Cross-site Scripting (XSS)

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the CraftSupportWidget.js process. An attacker can execute arbitrary JavaScript code in the admin's control panel session by crafting a malicious GitHub issue tit...

7.4CVSS5.8AI score0.00311EPSS
Exploits0References2
nvd
nvd
added 2026/07/01 11:16 p.m.19 views

CVE-2026-55790

Craft CMS is a content management system CMS. In versions 5.0.0-RC1 through 5.9.22 and 4.0.0-RC1 through 4.17.15, an attacker with only a GitHub account can plant a JavaScript payload in a craftcms/cms issue title. When a Craft admin uses the CraftSupport widget’s "Give feedback" screen and types...

7.4CVSS0.00311EPSS
Exploits0References2
cve
cve
added 2026/07/01 10:57 p.m.27 views

CVE-2026-55790

Summary of CVE-2026-55790 (Craft CMS) : This is a DOM-based cross-site scripting flaw in Craft CMS. Versions affected are 5.0.0-RC1–5.9.22 and 4.0.0-RC1–4.17.15. An attacker with only a GitHub account can insert a JavaScript payload into a craftcms/cms issue title. When a Craft admin uses the Cra...

7.4CVSS5.8AI score0.00311EPSS
Exploits0References2
cvelist
cvelist
added 2026/07/01 10:57 p.m.26 views

CVE-2026-55790 Craft CMS: DOM XSS via GitHub issue title in CraftSupport widget

Craft CMS is a content management system CMS. In versions 5.0.0-RC1 through 5.9.22 and 4.0.0-RC1 through 4.17.15, an attacker with only a GitHub account can plant a JavaScript payload in a craftcms/cms issue title. When a Craft admin uses the CraftSupport widget’s "Give feedback" screen and types...

7.4CVSS0.00311EPSS
Exploits0References2
attackerkb
attackerkb
added 2026/07/01 10:57 p.m.6 views

CVE-2026-55790

Craft CMS is a content management system CMS. In versions 5.0.0-RC1 through 5.9.22 and 4.0.0-RC1 through 4.17.15, an attacker with only a GitHub account can plant a JavaScript payload in a craftcms/cms issue title. When a Craft admin uses the CraftSupport widget’s "Give feedback" screen and types...

7.4CVSS5.8AI score0.00311EPSS
Exploits0References3Affected Software1
ptsecurity
ptsecurity
added 2026/07/01 12:0 a.m.16 views

PT-2026-54859

Name of the Vulnerable Software and Affected Versions Craft CMS versions 5.0.0-RC1 through 5.9.22 Craft CMS versions 4.0.0-RC1 through 4.17.15 Description An attacker with a GitHub account can inject a JavaScript payload into a craftcms/cms issue title. The payload executes within the control pan...

7.4CVSS5.8AI score0.00311EPSS
Exploits0References10
osv
osv
added 2026/04/04 6:3 a.m.10 views

GHSA-6P2J-742G-835F actions-mkdocs: Command Injection via issue title in internal GitHub Actions workflow

Summary External input from github.event.issue.title is used unsafely in a shell command in .github/workflows/release-candidate.yaml, allowing command injection during workflow execution. Details In .github/workflows/release-candidate.yaml, the issue title is interpolated directly into a shell...

6.5CVSS6.2AI score
Exploits0References2
github
github
added 2026/04/04 6:3 a.m.12 views

actions-mkdocs: Command Injection via issue title in internal GitHub Actions workflow

Summary External input from github.event.issue.title is used unsafely in a shell command in .github/workflows/release-candidate.yaml, allowing command injection during workflow execution. Details In .github/workflows/release-candidate.yaml, the issue title is interpolated directly into a shell...

6.2AI score
Exploits0References2Affected Software1
osv
osv
added 2026/03/20 9:47 p.m.6 views

GHSA-F67F-HCR6-94MF Zen-AI-Pentest has Shell Injection via untrusted issue title in ZenClaw Discord Integration workflow

Summary The ZenClaw Discord Integration GitHub Actions workflow is vulnerable to shell command injection. The issue title field, controllable by any GitHub user, is interpolated directly into a run shell block via a GitHub Actions template expression. An attacker can craft an issue title containi...

10CVSS6.1AI score
Exploits0References3
github
github
added 2026/03/20 9:47 p.m.7 views

Zen-AI-Pentest has Shell Injection via untrusted issue title in ZenClaw Discord Integration workflow

Summary The ZenClaw Discord Integration GitHub Actions workflow is vulnerable to shell command injection. The issue title field, controllable by any GitHub user, is interpolated directly into a run shell block via a GitHub Actions template expression. An attacker can craft an issue title containi...

6.1AI score
Exploits0References3Affected Software1
nvd
nvd
added 2026/03/12 2:15 a.m.4 views

CVE-2026-1182

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.14 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to gain unauthorized access to confidential issue title created in public projects under certain circumstances...

4.3CVSS0.00194EPSS
Exploits0References2
euvd
euvd
added 2025/10/03 8:7 p.m.7 views

EUVD-2022-24673

Malicious code in bioql PyPI...

5.3CVSS5.6AI score0.01269EPSS
Exploits0References4
redhatcve
redhatcve
added 2025/05/23 6:1 a.m.6 views

CVE-2023-28430

OneSignal is an email, sms, push notification, and in-app message service for mobile apps.The Zapier.yml workflow is triggered on issues types: closed i.e., when an Issue is closed. The workflow starts with full write-permissions GitHub repository token since the default workflow permissions on...

8.1CVSS7.1AI score0.00905EPSS
Exploits1References1
redhatcve
redhatcve
added 2025/05/22 11:30 p.m.8 views

CVE-2022-1352

Due to an insecure direct object reference vulnerability in Gitlab EE/CE affecting all versions from 11.0 prior to 14.8.6, 14.9 prior to 14.9.4, and 14.10 prior to 14.10.1, an endpoint may reveal the issue title to a user who crafted an API call with the ID of the issue from a public project that...

5.3CVSS6.7AI score0.01269EPSS
Exploits0References1
redhatcve
redhatcve
added 2025/05/22 4:54 p.m.8 views

CVE-2020-9382

An issue was discovered in the Widgets extension through 1.4.0 for MediaWiki. Improper title sanitization allowed for the execution of any wiki page as a widget as defined by this extension via MediaWiki's widget: parser function...

5.5CVSS7AI score0.00971EPSS
Exploits1References1
veracode
veracode
added 2023/07/23 3:44 a.m.18 views

Insecure Direct Object Reference

gitlab is vulnerable to Insecure Direct Object Reference. The vulnerability allows an endpoint to reveal an issue title to the user if they craft an API call with the same issue ID...

5.3CVSS6.8AI score0.01269EPSS
Exploits0References4Affected Software1
osv
osv
added 2023/06/29 7:15 p.m.7 views

CVE-2023-30946

A security defect was identified in Foundry Issues. If a user was added to an issue on a resource that they did not have access to and consequently could not see, they could query Foundry's Notification API and receive metadata about the issue including the RID of the issue, severity, internal UU...

4.3CVSS5.8AI score0.00393EPSS
Exploits0References1
attackerkb
attackerkb
added 2022/05/11 3:15 p.m.6 views

CVE-2022-1352

Due to an insecure direct object reference vulnerability in Gitlab EE/CE affecting all versions from 11.0 prior to 14.8.6, 14.9 prior to 14.9.4, and 14.10 prior to 14.10.1, an endpoint may reveal the issue title to a user who crafted an API call with the ID of the issue from a public project that...

5.3CVSS6.2AI score0.01269EPSS
Exploits0References4Affected Software1
prion
prion
added 2022/05/11 3:15 p.m.17 views

Design/Logic Flaw

Due to an insecure direct object reference vulnerability in Gitlab EE/CE affecting all versions from 11.0 prior to 14.8.6, 14.9 prior to 14.9.4, and 14.10 prior to 14.10.1, an endpoint may reveal the issue title to a user who crafted an API call with the ID of the issue from a public project that...

5CVSS5.1AI score0.01269EPSS
Exploits0References3Affected Software1
debiancve
debiancve
added 2022/05/11 2:30 p.m.80 views

CVE-2022-1352

Removed by vendor...

5.3CVSS6.4AI score0.01269EPSS
Exploits0
Rows per page
Query Builder