CVE-2026-8172

The Simple Basic Contact Form WordPress plugin through 20250114 does not escape user-supplied input before reflecting it into the contact form output on validation errors, leading to a Reflected Cross-Site Scripting vulnerability that unauthenticated attackers can exploit against site visitors vi...

CVE-2026-55746

Cotonti 1.0.0 master branch, commit f43f1fc3 is vulnerable to stored Cross-Site Scripting in the Personal File Storage PFS module. A folder title pfftitle is imported with the 'TXT' filter, which does not strip or encode HTML the tag check in cotimport is disabled, so an authenticated user can...

CVE-2026-41697

CVE-2026-41697 affects Spring Data Relational/JDBC/R2DBC across multiple versions (4.0.0–4.0.5; 3.5.0–3.5.11; 3.4.0–3.4.14; 3.3.0–3.3.16; 3.2.0–3.2.15; 3.1.0–3.1.14; 3.0.0–3.0.15; 2.4.0–2.4.19). The root cause is improper escaping of binding values for StringMatcher (STARTING, ENDING, CONTAINING)...

PT-2026-41359

Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, there is an unauthenticated reflected cross-site scripting XSS issue in the public product return form in Vvveb CMS. The customer order id POST parameter is inserted into the...

CVE-2026-42794

Improper Neutralization of Input During Web Page Generation XSS vulnerability in absinthe-graphql absintheplug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':jsescape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the...

Linux Distros Unpatched Vulnerability : CVE-2026-44742

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026...

EUVD-2026-24648

The ER Swiffy Insert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the swiffy shortcode in all versions up to and including 1.0.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes 'n', 'w', 'h'. These attributes are...

PT-2026-26473

Summary WWBN/AVideo contains a stored cross-site scripting vulnerability in the CDN plugin's download buttons component. The clean title field of a video record is interpolated directly into a JavaScript string literal without any escaping, allowing an attacker who can create or modify a video to...

Adobe Experience Manager cross-site scripting vulnerability (CNVD-2026-13967)

Adobe Experience Manager AEM is a set of content management solutions that can be used to build websites, mobile applications and forms from the American company Odobie Adobe. The program supports mobile content management, marketing and sales campaign management and multi-site management. A...

GHSA-4XRR-HQ4W-6VF4 Caddy: Improper sanitization of glob characters in file matcher may lead to bypassing security protections

Summary The path sanitization in file matcher doesn't sanitize backslashes which can lead to bypassing path related security protections. Details The tryfiles directive is used to rewrite the request uri. It accepts a list of patterns and checks if any files exist in the root that match the...

PT-2025-48111

Name of the Vulnerable Software and Affected Versions REDAXO versions prior to 5.20.1 Description REDAXO is a PHP-based CMS. A reflected Cross-Site Scripting XSS vulnerability exists in the Mediapool view where the request parameter argstypes is rendered into an info banner without HTML-escaping...

Cross-site Scripting (XSS)

Overview lightgallery is an A lightweight, customizable, modular, responsive, lightbox gallery plugin for jQuery. Affected versions of this package are vulnerable to Cross-site Scripting XSS via insufficient input sanitization and output escaping of attributes. An attacker can execute arbitrary w...

SUSE CVE-2025-58189

When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information the ALPN protocols sent by the client which is not escaped...

PT-2025-34598 · Joomla +1 · Joomla! +1

Name of the Vulnerable Software and Affected Versions: Quantum Manager versions 1.0.0 through 3.2.0 Description: A stored cross-site scripting XSS issue exists in the Quantum Manager component for Joomla. File names are not properly escaped, which could allow for malicious code execution...

Linux Distros Unpatched Vulnerability : CVE-2018-10102

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Before WordPress 4.9.5, the version string was not escaped in the getthegenerator function, and could lead to XSS in a generator tag. CVE-2018-10102 Note that...

CVE-2025-8113 Ebook Store < 5.8015 - Reflected XSS via $_SERVER['REQUEST_URI']

The Ebook Store WordPress plugin before 5.8015 does not escape the $SERVER'REQUESTURI' parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers...

Linux Distros Unpatched Vulnerability : CVE-2023-45359

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue was discovered in the Vector Skin component for MediaWiki before 1.39.5 and 1.40.x before 1.40.1. vector-toc-toggle-button-label is not escaped, but...

CVE-2021-24955

The User Registration, Login Form, User Profile & Membership WordPress plugin before 3.2.3 does not escape the data parameter of the ppgetformsbybuildertype AJAX action before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue...

WordPress plugin WP Touch Slider 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security...

CVE-2024-6020

The Sign-up Sheets WordPress plugin before 2.2.13 does not escape some generated URLs, as well as the $SERVER'REQUESTURI' parameter before outputting them back in attributes, which could lead to Reflected Cross-Site Scripting...