30 matches found
CVE-2026-48950
Lack of escaping leads to an XSS vulnerability in the file management view of comtemplates...
CVE-2026-48950
CVE-2026-48950 affects Joomla! Core via the file management view in com_templates. The root cause is lack of escaping, enabling an XSS vulnerability. Multiple sources (NVD, CVE lists, and Joomla security advisory) confirm an XSS in the core component with the vulnerable entry labeled for core/com...
CVE-2026-48953 Joomla! Core - [20260707] - XSS in the generic image output layout
Lack of escaping leads to an XSS vulnerability in the generic image output layout...
CVE-2026-48953
CVE-2026-48953 affects Joomla! Core. The issue is an XSS in the generic image output layout caused by a lack of escaping in the rendering path. Affected software is Joomla! Core (security entry notes this under 2026-07-07). The root cause is input/output escaping not being applied when generating...
PT-2026-56226
Name of the Vulnerable Software and Affected Versions Joomla! Core affected versions not specified Description Lack of escaping in the generic image output layout leads to a Cross-Site Scripting XSS issue, where malicious scripts can be injected into web pages viewed by other users. Recommendatio...
GHSA-7CM9-V848-CFH2 CI4MS has stored XSS via Unescaped Blacklist Note in Admin User List
Summary The blacklist ban note parameter in UserController::ajaxblackListpost is stored in the database without sanitization and rendered into an HTML data-note attribute without escaping. An admin with blacklist privileges can inject arbitrary JavaScript that executes in the browser of any other...
CVE-2026-21632
Summary (CVE-2026-21632) : Joomla! Core suffers XSS due to lack of output escaping for article titles, enabling injected scripts in various article-title outputs. Connected sources confirm this affects Joomla core output paths and document titles, with multiple vendor references and CVSS-based as...
EUVD-2025-27429
Malicious code in bioql PyPI...
PT-2025-33528 · WordPress · Surbma | Recent Comments Shortcode
Name of the Vulnerable Software and Affected Versions: Surbma | Recent Comments Shortcode plugin for WordPress versions up to and including 2.0 Description: The Surbma | Recent Comments Shortcode plugin for WordPress is susceptible to Stored Cross-Site Scripting via the plugin's recent-comments...
CVE-2024-6017
The Music Request Manager WordPress plugin through 1.3 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...
CVE-2023-0058
The Tiempo.com WordPress plugin through 0.1.2 does not have CSRF check when creating and editing its shortcode, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...
CVE-2024-11719
The tarteaucitron-wp WordPress plugin before 0.3.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...
CVE-2024-12282 WordPress连接微博 <= 2.5.6 - Stored XSS via CSRF
The WordPress连接微博 WordPress plugin through 2.5.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...
CVE-2024-8243
The WordPress/Plugin Upgrade Time Out Plugin WordPress plugin through 1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...
CVE-2020-36731
The Flexible Checkout Fields for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Plugin Settings update, in addition to Stored Cross-Site Scripting in versions up to, and including, 2.3.1. This is due to missing authorization checks on the updateSettingsAction function...
CVE-2024-13115
The WP Projects Portfolio with Client Testimonials WordPress plugin through 3.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...
PT-2024-16376 · WordPress · Fat Rat Collect
Name of the Vulnerable Software and Affected Versions: Fat Rat Collect plugin for WordPress versions up to, and including, 2.7.3 Description: The issue is related to Reflected Cross-Site Scripting due to missing escaping on a URL. This allows unauthenticated attackers to inject arbitrary web...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS due to missing escaping of messages and parameters. Details Cross-site scripting or XSS is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The...
Joomla! 安全漏洞
Joomla! is a free, open source content management system from Joomla! open source. A security vulnerability exists in Joomla! versions 4.0.0 through 4.4.6 and 5.0.0 through 5.1.2, which stems from a lack of escape mechanism in the email template functionality, resulting in cross-site scripting...
CVE-2024-42489 Pro Macros Remote Code Execution via Viewpdf and similar macros
Pro Macros provides XWiki rendering macros. Missing escaping in the Viewpdf macro allows any user with view right on the CKEditor.HTMLConverter page or edit or comment right on any page to perform remote code execution. Other macros like Viewppt are vulnerable to the same kind of attack. This...