105163 matches found
EUVD-2026-31182
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patientJF.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticketid GET parameter directly into a JavaScript variable assignment. Attackers...
CVE-2026-35010
Open ISES Tickets before 3.44.2 is affected by a reflected XSS in patient_JF.php via the ticket_id GET parameter, where an unsanitized value leads to arbitrary JavaScript execution in an authenticated user’s browser. The issue is triggered by visiting a crafted URL containing a JavaScript payload...
CVE-2026-35010
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patientJF.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticketid GET parameter directly into a JavaScript variable assignment. Attackers...
CVE-2026-35010 Open ISES Tickets < 3.44.2 Reflected XSS via patient_JF.php ticket_id Parameter
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patientJF.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticketid GET parameter directly into a JavaScript variable assignment. Attackers...
CVE-2026-35009 Open ISES Tickets < 3.44.2 Reflected XSS via add_note.php ticket_id Parameter
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in addnote.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticketid GET parameter directly into a hidden input field VALUE attribute. Attacker...
CVE-2026-35009
Open ISES Tickets prior to 3.44.2 is affected by a reflected XSS in add_note.php via the ticket_id GET parameter. An attacker who is authenticated can craft a URL containing a JavaScript payload in ticket_id, which is then injected into a hidden input VALUE attribute and can execute in the victim...
EUVD-2026-31180
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in addnote.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticketid GET parameter directly into a hidden input field VALUE attribute. Attacker...
CVE-2026-35008 Open ISES Tickets < 3.44.2 Reflected XSS via single.php ticket_id Parameter
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in single.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticketid GET parameter directly into an HTML attribute. Attackers can craft a...
CVE-2026-35008 Open ISES Tickets < 3.44.2 Reflected XSS via single.php ticket_id Parameter
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in single.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticketid GET parameter directly into an HTML attribute. Attackers can craft a...
CVE-2026-35008
CVE-2026-35008 affects Open ISES Tickets prior to version 3.44.2. The vulnerability is a reflected XSS in single.php where an unsanitized ticket_id GET parameter is echoed into an HTML attribute, enabling an authenticated attacker to inject arbitrary JavaScript via a crafted URL. Impact is descri...
EUVD-2026-31176
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in single.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticketid GET parameter directly into an HTML attribute. Attackers can craft a...
CVE-2026-35007
Open ISES Tickets
CVE-2026-35007
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in singleunit.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id GET parameter directly into an HTML attribute. Attackers can craft a maliciou...
EUVD-2026-31175
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in singleunit.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id GET parameter directly into an HTML attribute. Attackers can craft a maliciou...
Race Condition
Overview Affected versions of this package are vulnerable to Race Condition via the ParameterAnalysis process in server mode. An attacker can cause the application to crash or become unresponsive by sending crafted requests that trigger a closed-channel write. Remediation Upgrade...
GO-2026-4999 Dalfox has an Unauthenticated Remote DoS via Closed-Channel Write in `ParameterAnalysis` (server mode) in github.com/hahwul/dalfox
Dalfox has an Unauthenticated Remote DoS via Closed-Channel Write in ParameterAnalysis server mode in github.com/hahwul/dalfox...
CVE-2026-23734 XWiki Platform: Path traversal via resources parameter in ssx and jsx endpoints when using leading slash
XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow access to read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false, leading to Path Traversal. The...
CVE-2026-23734 XWiki Platform: Path traversal via resources parameter in ssx and jsx endpoints when using leading slash
XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow access to read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false, leading to Path Traversal. The...
CVE-2026-23734
XWiki Platform suffers a Path Traversal vulnerability in which configuration files can be read via the resources parameter on the ssx and jsx endpoints using a leading slash (e.g., /../../WEB-INF/xwiki.cfg). Affected releases:
CVE-2026-7613
The Cost of Goods by PixelYourSite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'csvdata0costofgoodsvalue' parameter in versions up to, and including, 1.2.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attacke...