CVE-2026-6275
CVE-2026-6275 : The StatCounter – Free Real Time Visitor Stats WordPress plugin is vulnerable in versions up to 2.1.1 due to insufficient output escaping in the statcounter_addToTags() function, which is hooked to wp_head. It retrieves the post author’s nickname with the_author_meta() and echoes ...
Ubuntu 16.04 LTS : Smarty vulnerability (USN-8272-1)
The remote Ubuntu 16.04 LTS host has a package installed that is affected by a vulnerability as referenced in the USN-8272-1 advisory. Takuya Aramaki discovered that Smarty did not properly escape JavaScript code. An attacker could possibly use this issue to conduct a cross-site scripting attack...
USN-8272-1 smarty3 vulnerability
Takuya Aramaki discovered that Smarty did not properly escape JavaScript code. An attacker could possibly use this issue to conduct a cross-site scripting attack...
USN-8272-1: Smarty vulnerability
Takuya Aramaki discovered that Smarty did not properly escape JavaScript code. An attacker could possibly use this issue to conduct a cross-site scripting attack...
PT-2026-42389
Takuya Aramaki discovered that Smarty did not properly escape JavaScript code. An attacker could possibly use this issue to conduct a cross-site scripting attack...
EEF-CVE-2026-42794 Reflected XSS via backslash bypass in GraphiQL js_escape in absinthe_plug
Summary: Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines i...
USN-8242-2 postfixadmin vulnerability
USN-8242-1 fixed a vulnerability in CiviCRM. This update provides the corresponding fix for PostfixAdmin. Original advisory details: Takuya Aramaki discovered that Smarty, vendored in CiviCRM, did not properly escape JavaScript code. An attacker could possibly use this issue to conduct a cross-si...
USN-8242-1: CiviCRM vulnerability
Takuya Aramaki discovered that Smarty, vendored in CiviCRM, did not properly escape JavaScript code. An attacker could possibly use this issue to conduct a cross-site scripting attack...
EUVD-2026-22868
The Coachific Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'userhash' shortcode attribute in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping. The plugin uses sanitize_text_field on the 'userhash'...
CVE-2026-40878 mailcow-dockerized Login Page has Reflected Parameter Injection / Wrong-Context XSS Escaping
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw $_SERVER['REQUEST_URI'] to Twig as a global template variable and renders it inside a JavaScript string literal in the setLang helper of base.twig,...
PT-2026-32092
The Optimole – Optimize Images in Real Time plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL paths in versions up to, and including, 4.2.3. This is due to insufficient output escaping on user-supplied URL paths in the get_current_url function, which are inserted into...
EUVD-2022-5022
Malicious code in bioql PyPI...
Fedora 37 : php-Smarty (2022-d5fc9dcdd7)
The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2022-d5fc9dcdd7 advisory. 3.1.47 (2022-09-14). Security: Applied appropriate JavaScript and HTML escaping in mailto plugin to counter injection attacks (454). Fixed: Fixed use ...
CVE-2023-37251
An issue was discovered in the GoogleAnalyticsMetrics extension for MediaWiki through 1.39.3. The googleanalyticstrackurl parser function does not properly escape JavaScript in the onclick handler and does not prevent use of javascript: URLs...
Google Golang Code Injection Vulnerability
Google Golang is a static, strongly typed, compiled language from Google. The syntax of Go is close to C, but with differences in variable declarations. Go supports garbage collection. Go's parallel model is based on Tony Hoare's Communicating Sequential Processes (CSP), and other languages with a...
smarty Cross-site Scripting vulnerability in Javascript escaping
Impact: An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the...
DEBIAN-CVE-2023-28447
Smarty is a template engine for PHP. In affected versions Smarty did not properly escape JavaScript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data,...
Cross-site scripting vulnerability in JavaScript escaping
Impact: An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the...
PT-2023-21728
Name of the Vulnerable Software and Affected Versions: Smarty versions prior to 3.1.48; Smarty versions prior to 4.3.1. Description: The issue is related to improper escaping of JavaScript code in the Smarty template engine for PHP. An attacker could exploit this to execute arbitrary JavaScript code ...
Smarty Cross-Site Scripting Vulnerability
Smarty is a PHP-based template engine that facilitates the separation of presentation (HTML/CSS) from application logic. A cross-site scripting vulnerability exists in Smarty versions prior to 4.3.1 and 3.1.48, which stems from not properly escaping JavaScript code. An attacker can exploit this...