36 matches found
CVE-2026-40878
CVE-2026-40878 affects mailcow: dockerized prior to 2026-03b. The web interface passes raw $_SERVER['REQUEST_URI'] to Twig as a global variable and renders it inside a JavaScript string in setLang(), relying on Twig’s HTML escaping rather than JS escaping. Additionally, the query_string() Twig he...
PT-2026-34057
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw $ SERVER'REQUEST URI' to Twig as a global template variable and renders it inside a JavaScript string literal in the setLang helper of base.twig,...
mailcow: dockerized 跨站脚本漏洞
mailcow: dockerized is a Dockerized version of the mailcow open-source application. Versions before 2026-03b of mailcow had a cross-site scripting vulnerability. This vulnerability stemmed from the Web interface passing the original $SERVERREQUESTURI as a global template variable to Twig, and...
EUVD-2026-9360
In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3dium for reporting...
CVE-2026-0735
The User Language Switch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tabcolorpickerlanguageswitch' parameter in all versions up to, and including, 1.6.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...
CVE-2026-0745
The User Language Switch plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.10 due to missing URL validation on the 'downloadlanguage' function. This makes it possible for authenticated attackers, with Administrator-level access and above, ...
CVE-2026-0735
The User Language Switch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tabcolorpickerlanguageswitch' parameter in all versions up to, and including, 1.6.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...
CVE-2026-0735 User Language Switch <= 1.6.10 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'tab_color_picker_language_switch' Parameter
The User Language Switch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tabcolorpickerlanguageswitch' parameter in all versions up to, and including, 1.6.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...
CVE-2026-0735 User Language Switch <= 1.6.10 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'tab_color_picker_language_switch' Parameter
The User Language Switch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tabcolorpickerlanguageswitch' parameter in all versions up to, and including, 1.6.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...
CVE-2026-0735
CVE-2026-0735 corresponds to a vulnerability in WordPress Plugin User Language Switch (versions 1.6.10 or applying vendor-provided fixes. If other details (e.g., affected product/vendor, CVE scope) are necessary, they are not present in the supplied sources.
CVE-2026-0735
The User Language Switch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tabcolorpickerlanguageswitch' parameter in all versions up to, and including, 1.6.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...
CVE-2026-0745
CVE-2026-0745: WordPress User Language Switch plugin
CVE-2026-0745 User Language Switch <= 1.6.10 - Authenticated (Administrator+) Server-Side Request Forgery via 'info_language' Parameter
The User Language Switch plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.10 due to missing URL validation on the 'downloadlanguage' function. This makes it possible for authenticated attackers, with Administrator-level access and above, ...
CVE-2026-0745
The User Language Switch plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.10 due to missing URL validation on the 'downloadlanguage' function. This makes it possible for authenticated attackers, with Administrator-level access and above, ...
WordPress plugin User Language Switch 跨站脚本漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...
PT-2026-8067
The User Language Switch plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.10 due to missing URL validation on the 'download language' function. This makes it possible for authenticated attackers, with Administrator-level access and above,...
PT-2026-8065
The User Language Switch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tab color picker language switch' parameter in all versions up to, and including, 1.6.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
WordPress plugin User Language Switch 代码问题漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...
WordPress User Language Switch plugin <= 1.6.10 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'tab_color_picker_language_switch' Parameter vulnerability
Authenticated Administrator+ Stored Cross-Site Scripting via 'tabcolorpickerlanguageswitch' Parameter vulnerability discovered by 0x34rth in WordPress Plugin User Language Switch versions = 1.6.10...
WordPress User Language Switch plugin <= 1.6.10 - Authenticated (Administrator+) Server-Side Request Forgery via 'info_language' Parameter vulnerability
Authenticated Administrator+ Server-Side Request Forgery via 'infolanguage' Parameter vulnerability discovered by 0x34rth in WordPress Plugin User Language Switch versions = 1.6.10...