3207 matches found
EUVD-2026-42290
An OS command injection vulnerability exists in the savesyslogtofile function of the "httpd" binary in Cisco RV130/RV130W with firmware 1.0.3.55 and RV110W routers with firmware 1.2.2.5 / 1.2.2.8. The modelname configuration parameter is not properly sanitized, which could allow an authenticated...
CVE-2026-24700
An OS command injection vulnerability exists in the startlltd function of the "rc" binary in Cisco RV130/RV130W with firmware 1.0.3.55 and RV110W routers with firmware 1.2.2.5 / 1.2.2.8. The machinename configuration parameter is not properly sanitized, which could allow an authenticated remote...
EUVD-2026-42152
An authenticated stored cross-site scripting XSS vulnerability in the Upload File Shares API of LiquidFiles v4.2.7 allows attackers to execute arbitrary Javascript or HTML via injecting a crafted payload into the Name parameter...
CVE-2026-36162
An authenticated stored cross-site scripting XSS vulnerability in the Upload File Shares API of LiquidFiles v4.2.7 allows attackers to execute arbitrary Javascript or HTML via injecting a crafted payload into the Name parameter...
CVE-2026-36162
CVE-2026-36162 : LiquidFiles v4.2.7 contains an authenticated stored XSS in the Upload File Shares API. An attacker can inject a crafted payload into the Name parameter to execute arbitrary Javascript/HTML in the user context. CVSSv3.1 base score 5.4 (Medium); attack vector: network; privileges r...
CVE-2026-14639
A vulnerability has been found in CodeAstro Ecommerce Website 1.0. This impacts an unknown function of the file /ecommerce-website-php/customer/myaccount.php?editaccount. Such manipulation of the argument cname leads to sql injection. The attack may be launched remotely. The exploit has been...
CVE-2026-14639 CodeAstro Ecommerce Website my_account.php sql injection
A vulnerability has been found in CodeAstro Ecommerce Website 1.0. This impacts an unknown function of the file /ecommerce-website-php/customer/myaccount.php?editaccount. Such manipulation of the argument cname leads to sql injection. The attack may be launched remotely. The exploit has been...
Devolutions Server 2026.2.4 <= 2026.2.7 Credential Exposure (DEVO-2026-0020)
The version of Devolutions Server installed on the remote host is 2026.2.4 through 2026.2.7. It is, therefore, affected by a vulnerability: - Improper input validation in the PAM AD discovery endpoints allows an authenticated user with the UserGroupsView permission to coerce server-side...
CVE-2026-34104
Guardian language-system passes the name GET parameter directly into an unsanitized SQL query in designer.php line 124: SELECT FROM complex WHERE name='".$GET'name'."'. An authenticated attacker can perform error-based SQL injection to extract database contents...
CVE-2026-34096
Guardian language-system fails to sanitize the name GET parameter before outputting it into an HTML input value attribute in designer.php line 57. An authenticated attacker can craft a URL containing script tags that execute in the victim's browser session...
CVE-2026-34104 Guardian Language-System Unauthenticated SQL Injection via name Parameter in designer.php
Guardian language-system passes the name GET parameter directly into an unsanitized SQL query in designer.php line 124: SELECT FROM complex WHERE name='".$GET'name'."'. An authenticated attacker can perform error-based SQL injection to extract database contents...
CVE-2026-34104
The CVE-2026-34104 entry describes an unauthenticated SQL injection in Guardian Language-System via the name parameter in designer.php. The flaw arises because the GET parameter name is directly inserted into an unsanitized SQL query (SELECT * FROM complex WHERE name='".$_GET['name']."'), allowin...
CVE-2026-34096 Guardian Language-System XSS via name Parameter in designer.php
Guardian language-system fails to sanitize the name GET parameter before outputting it into an HTML input value attribute in designer.php line 57. An authenticated attacker can craft a URL containing script tags that execute in the victim's browser session...
CVE-2026-34096
Guardian Language-System XSS via name Parameter in designer.php. Root cause: failure to sanitize the name GET parameter before output into an HTML input value attribute (designer.php: line 57). Impact: authenticated attacker can craft a URL with script tags that execute in the victim’s browser se...
CVE-2026-34096
Guardian language-system fails to sanitize the name GET parameter before outputting it into an HTML input value attribute in designer.php line 57. An authenticated attacker can craft a URL containing script tags that execute in the victim's browser session...
CVE-2026-12142
The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'name' Array Parameter in all versions up to, and including, 9.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...
CVE-2026-12142
The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'name' Array Parameter in all versions up to, and including, 9.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...
CVE-2026-12142
CVE-2026-12142 affects the NEX-Forms – Ultimate Forms Plugin for WordPress. The vulnerability is a Stored Cross-Site Scripting (XSS) via the internal parameter named '_name[]' , present in all versions up to and including 9.2.2 . Root cause: insufficient input sanitization and output escaping, co...
CVE-2026-13570
A vulnerability was detected in SourceCodester Inventory Management System 1.0. Impacted is an unknown function of the file /api/usershandler.php of the component User Registration Endpoint. Performing a manipulation of the argument fullname results in cross site scripting. The attack is possible...
CVE-2026-13570
A vulnerability was detected in SourceCodester Inventory Management System 1.0. Impacted is an unknown function of the file /api/usershandler.php of the component User Registration Endpoint. Performing a manipulation of the argument fullname results in cross site scripting. The attack is possible...