211 matches found

NVD
added yesterday

CVE-2026-4259

The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVSS 7.1
Exploits 0, References 1
ATTACKERKB
added 2026/04/09 3:25 a.m.

CVE-2026-4336

The Ultimate FAQ Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via FAQ content in all versions up to, and including, 2.4.7. This is due to the plugin calling html_entity_decode on post_content during rendering in the setdisplayvariables function (View.FAQ.class.php, line...

CVSS 6.4, AI score 6.1, EPSS 0.00227
Exploits 0, References 9
Vulnrichment
added 2026/04/07 3:06 p.m.

CVE-2026-35515 @nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')

Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.18, SseStream.transform interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters \r, \n. Since the SSE protocol treats both \r and ...

CVSS 6.3, AI score 6, EPSS 0.00234
Exploits 0, References 1
NVD
added 2026/03/26 5:16 p.m.

CVE-2026-3108

Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to sanitize user-controlled post content in the mmctl commands terminal output, which allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences...

CVSS 8.8, EPSS 0.00268
Exploits 0, References 1
CVE
added 2026/03/11 8:24 a.m.

CVE-2026-1454

Affected product: WordPress plugin "Responsive Contact Form Builder & Lead Generation Plugin" (Lead Form Builder); vulnerable in all versions up to 2.0.1. Root cause: insufficient input sanitization in lfb_lead_sanitize() (omits certain field types from its whitelist) and an overly permissive wp_...

CVSS 7.2, AI score 5.9, EPSS 0.00241
Exploits 0, References 4
OSV
added 2026/02/05 7:15 p.m.

CVE-2025-15312

Tanium addressed an improper output sanitization vulnerability in Tanium Appliance...

CVSS 7.2, AI score 5.8, EPSS 0.00333
Exploits 0, References 1
NVD
added 2026/02/05 7:15 p.m.

CVE-2025-15312

Tanium addressed an improper output sanitization vulnerability in Tanium Appliance...

CVSS 7.2, EPSS 0.00333
Exploits 0, References 1
CVE
added 2026/02/05 6:26 p.m.

CVE-2025-15312

CVE-2025-15312 describes an improper output sanitization vulnerability in Tanium Appliance (TanOS family) that affects output handling in the affected component. The public records consistently cite "improper output sanitization" as the root cause, with CVSS metrics indicating high impact to conf...

CVSS 7.2, AI score 5.3, EPSS 0.00333
Exploits 0, References 1, Affected Software 1
EUVD
added 2026/02/05 6:26 p.m.

EUVD-2025-206830

Tanium addressed an improper output sanitization vulnerability in Tanium Appliance...

CVSS 6.6, AI score 5.3, EPSS 0.00333
Exploits 0, References 1
Vulnrichment
added 2026/02/05 6:26 p.m.

CVE-2025-15312 Tanium addressed an improper output sanitization vulnerability in TanOS.

Tanium addressed an improper output sanitization vulnerability in Tanium Appliance...

CVSS 6.6, AI score 5.3, EPSS 0.00333
Exploits 0, References 1
ATTACKERKB
added 2026/02/05 6:26 p.m.

CVE-2025-15312

Tanium addressed an improper output sanitization vulnerability in Tanium Appliance...

CVSS 6.6, AI score 5.3, EPSS 0.00333
Exploits 0, References 2, Affected Software 1
Positive Technologies
added 2026/02/05 12:00 a.m.

PT-2026-6606

Name of the Vulnerable Software and Affected Versions: Tanium Appliance, affected versions not specified. Description: Tanium Appliance is affected by an improper output sanitization issue. This could potentially allow for unintended consequences due to unsanitized output. Recommendations: At the...

CVSS 7.2, AI score 5.4, EPSS 0.00333
Exploits 0, References 4
RedhatCVE
added 2026/01/09 9:49 a.m.

CVE-2020-24592

Mitel MiCloud Management Portal before 6.1 SP5 could allow an attacker, by sending a crafted request, to view system information due to insufficient output sanitization...

CVSS 5.3, AI score 6.5, EPSS 0.0087
Exploits 0, References 1
RedhatCVE
added 2026/01/09 9:48 a.m.

CVE-2020-24693

The Ignite portal in Mitel MiContact Center Business before 9.3.0.0 could allow a local attacker to view system information due to insufficient output sanitization...

CVSS 3.3, AI score 6.3, EPSS 0.00272
Exploits 0, References 1
Positive Technologies
added 2025/12/10 12:00 a.m.

PT-2025-50306

Name of the Vulnerable Software and Affected Versions: HandL UTM Grabber / Tracker WordPress plugin versions prior to 2.8.1. Description: The HandL UTM Grabber / Tracker WordPress plugin does not properly sanitize and escape a parameter before displaying it, resulting in a Reflected Cross-Site...

CVSS 7.1, AI score 5.8, EPSS 0.00145
Exploits 0, References 7
Positive Technologies
added 2025/12/09 12:00 a.m.

PT-2025-49803

Name of the Vulnerable Software and Affected Versions: Custom Admin Menu WordPress plugin versions through 1.0.0. Description: The plugin does not properly sanitise and escape a parameter before displaying it on a page, which can lead to a Reflected Cross-Site Scripting issue. This could potentially...

CVSS 7.1, AI score 5.7, EPSS 0.00186
Exploits 0, References 7
Snyk
added 2025/11/06 4:47 p.m.

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the upload, create, and rename features for files with HTML and SVG types, due to insufficient content-type validation and lack of output sanitization. An attacker can execute arbitrary scripts in the contex...

CVSS 8.1, AI score 5.5, EPSS 0.00314
Exploits 2, References 2
OSV
added 2025/11/06 4:16 p.m.

CVE-2025-63307

alexusmai laravel-file-manager 3.3.1 is vulnerable to Cross Site Scripting (XSS). The application permits user-controlled upload, create, and rename of files to HTML and SVG types and serves those files inline without adequate content-type validation or output sanitization...

CVSS 8.1, AI score 6.1, EPSS 0.00314
Exploits 2, References 3
Positive Technologies
added 2025/11/06 12:00 a.m.

PT-2025-45330

alexusmai laravel-file-manager 3.3.1 is vulnerable to Cross Site Scripting (XSS). The application permits user-controlled upload, create, and rename of files to HTML and SVG types and serves those files inline without adequate content-type validation or output sanitization...

CVSS 8.1, AI score 6.4, EPSS 0.00314
Exploits 2, References 4
Vulnrichment
added 2025/10/28 2:34 p.m.

CVE-2025-34305 IPFire < v2.29 Stored XSS via Multiple Methods in cleanhtml()

IPFire versions prior to 2.29 Core Update 198 contain multiple stored cross-site scripting (XSS) vulnerabilities caused by a bug in the cleanhtml function (/var/ipfire/header.pl) that fails to apply HTML-entity encoding to user input. When an authenticated user submits data to affected endpoints - fo...

CVSS 5.1, AI score 5.5, EPSS 0.00403
Exploits 0, References 3