
20 matches found

Packet Storm · added 2026/03/31 12:00 a.m. · 93 views

Wagtail CMS 6.4.1 Cross Site Scripting

Wagtail CMS version 6.4.1 is vulnerable to a persistent cross site scripting vulnerability in the document upload functionality. An attacker can embed a malicious payload inside a PDF file. When the uploaded document is accessed via the CMS interface, the payload may execute in the context of the...

AI score 5.5 · Exploits 1

CVE · added 2026/01/28 11:43 a.m. · 11 views

CVE-2026-0483

CVE-2026-0483 is a stored XSS in Live Helper Chat’s PDF file upload for versions before 4.72. An attacker can upload a malicious PDF containing an XSS payload; when a user downloads and opens the file via the app’s link, arbitrary JavaScript executes in the user’s context. Public sources (PT Secu...

CVSS 6.9 · AI score 6 · EPSS 0.0009 · Exploits 0 · References 1

Cvelist · added 2026/01/23 5:29 a.m. · 24 views

CVE-2026-0927 KiviCare – Clinic & Patient Management System (EHR) <= 3.6.15 - Missing Authorization to Unauthenticated Limited Arbitrary File Upload

The KiviCare – Clinic & Patient Management System EHR plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization checks in the uploadMedicalReport function in all versions up to, and including, 3.6.15. This makes it possible for unauthenticated attackers to upload...

CVSS 5.3 · EPSS 0.00042 · Exploits 0 · References 4

EUVD · added 2025/12/12 6:30 p.m. · 1 view

EUVD-2025-203097

jshERP versions 3.5 and earlier are affected by a stored XSS vulnerability. This vulnerability allows attackers to upload PDF files containing XSS payloads. Additionally, these PDF files can be accessed via static URLs, making them accessible to all users...

CVSS 4.6 · AI score 5.8 · EPSS 0.00027 · Exploits 1 · References 2

Positive Technologies · added 2025/12/12 12:00 a.m. · 1 view

PT-2025-50953

Name of the Vulnerable Software and Affected Versions: jshERP versions 3.5 and earlier. Description: The software is susceptible to a stored cross-site scripting (XSS) issue. Attackers can exploit this by uploading PDF files containing malicious XSS payloads. These files are then accessible through...

CVSS 4.6 · AI score 5.2 · EPSS 0.00027 · Exploits 1 · References 6

Vulnrichment · added 2025/12/12 12:00 a.m. · 1 view

CVE-2025-67341

jshERP versions 3.5 and earlier are affected by a stored XSS vulnerability. This vulnerability allows attackers to upload PDF files containing XSS payloads. Additionally, these PDF files can be accessed via static URLs, making them accessible to all users...

AI score 5.9 · EPSS 0.00027 · Exploits 1 · References 1

EUVD · added 2025/10/03 8:07 p.m. · 3 views

EUVD-2024-0697

Malicious code in bioql PyPI...

CVSS 5.5 · AI score 5.5 · EPSS 0.00088 · Exploits 0 · References 3

RedhatCVE · added 2025/05/22 10:41 p.m. · 4 views

CVE-2022-28599

A stored cross-site scripting (XSS) vulnerability exists in FUEL-CMS 1.5.1 that allows an authenticated user to upload a malicious .pdf file which acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator, it results in an XSS attack...

CVSS 5.4 · AI score 4.8 · EPSS 0.00237 · Exploits 1 · References 1

RedhatCVE · added 2025/03/22 1:18 p.m. · 8 views

CVE-2024-12871

An XSS vulnerability in infiniflow/ragflow version 0.12.0 allows an attacker to upload a malicious PDF file to the knowledge base. When the file is viewed within Ragflow, the payload is executed in the context of the user's browser. This can lead to session hijacking, data exfiltration, or...

CVSS 5.4 · AI score 6.2 · EPSS 0.00203 · Exploits 1 · References 1

Veracode · added 2024/10/04 6:27 a.m. · 7 views

Cross-site Scripting (XSS)

Zenario is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to allowing authenticated admin users to upload PDF files containing malicious code, which can execute when the PDF is accessed through the website...

CVSS 4.8 · AI score 6.4 · EPSS 0.00174 · Exploits 1 · References 2 · Affected Software 1

Positive Technologies · added 2024/06/21 12:00 a.m. · 3 views

PT-2024-5242 · Roundup

Name of the Vulnerable Software and Affected Versions: Roundup versions prior to 2.4.0. Description: The issue is related to the lack of protection of the web page structure in the Roundup issue tracking system. This allows a remote attacker to conduct cross-site scripting attacks by uploading...

CVSS 6.4 · AI score 5.8 · EPSS 0.00927 · Exploits 0 · References 15

Positive Technologies · added 2024/05/15 12:00 a.m. · 2 views

PT-2024-26246 · R-Pan-Scaffolding

Name of the Vulnerable Software and Affected Versions: r-pan-scaffolding versions 5.0 and below Description: The issue allows attackers to execute arbitrary code via uploading a crafted PDF file. This is achieved through an arbitrary file upload vulnerability. Recommendations: For versions 5.0 an...

CVSS 5.4 · AI score 7.8 · EPSS 0.00236 · Exploits 1 · References 4

OSV · added 2022/10/31 9:15 p.m. · 2 views

CVE-2022-39016

Javascript injection in PDFtron in M-Files Hubshare before 3.3.10.9 allows authenticated attackers to perform an account takeover via a crafted PDF upload...

CVSS 8.8 · AI score 5.8 · EPSS 0.00558 · Exploits 0 · References 1

Positive Technologies · added 2022/05/29 12:00 a.m. · 4 views

PT-2022-14196 · Gitea +1

Name of the Vulnerable Software and Affected Versions: gitea versions prior to 1.16.9. Description: The issue is related to Stored Cross-site Scripting (XSS) in the GitHub repository go-gitea/gitea. This occurs via unfiltered PDFs. Recommendations: For versions prior to 1.16.9, update to version...

CVSS 9.8 · AI score 5.3 · EPSS 0.86413 · Exploits 11 · References 30

OSV · added 2014/01/30 11:55 p.m. · 3 views

DEBIAN-CVE-2014-1610

MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5, and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the page parameter to includes/media/DjVu.php; (2) the w parameter (aka the width field) to...

CVSS 6 · AI score 8 · EPSS 0.48041 · Exploits 12 · References 1

OSV · added 2014/01/30 11:55 p.m. · 0 views

UBUNTU-CVE-2014-1610

MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5, and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the page parameter to includes/media/DjVu.php; (2) the w parameter (aka the width field) to...

CVSS 6 · AI score 7.7 · EPSS 0.48041 · Exploits 12 · References 11
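The two CVE-2014-1610 records above describe the other way an uploaded PDF or DjVu becomes code execution: request parameters such as the page number and width are spliced into the shell command that renders a thumbnail, so a metacharacter in the parameter is executed by the shell. The following is an added example, not MediaWiki's PHP code, written in Python to show the vulnerable construction beside a hardened one. The Ghostscript command line, the parameter bounds and the attacker value are this example's assumptions.

```python
import shlex
import subprocess

# Request parameters as they would arrive from a thumbnail URL (constructed for this
# example). The attacker value smuggles a second command after the page number.
SAFE_PARAMS = {"page": "3", "width": "200"}
ATTACK_PARAMS = {"page": "1; id > /tmp/pwned", "width": "200"}


def build_thumb_command_unsafe(src: str, page: str, width: str) -> str:
    """Vulnerable shape: untrusted parameters interpolated into one command string
    that is later handed to a shell. Nothing here constrains `page` or `width`."""
    return (
        f"gs -q -dNOPAUSE -dBATCH -sDEVICE=png16m -dFirstPage={page} -dLastPage={page} "
        f"-g{width}x{width} -sOutputFile=thumb.png {src}"
    )


def shell_tokens(cmd: str) -> list:
    """Tokenise `cmd` the way a POSIX shell would (Python 3.8+ shlex), so that
    metacharacters such as ; | & and redirections show up as their own tokens."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def build_thumb_command_safe(src: str, page: str, width: str) -> list:
    """Hardened shape: validate each parameter against its expected type and range,
    then pass an argv list (no shell) so nothing is re-parsed as syntax.
    The bounds are this example's choices."""
    if not page.isdigit() or not 1 <= int(page) <= 10_000:
        raise ValueError(f"page must be an integer in 1..10000, got {page!r}")
    if not width.isdigit() or not 1 <= int(width) <= 4096:
        raise ValueError(f"width must be an integer in 1..4096, got {width!r}")
    return [
        "gs", "-q", "-dNOPAUSE", "-dBATCH", "-sDEVICE=png16m",
        f"-dFirstPage={int(page)}", f"-dLastPage={int(page)}",
        f"-g{int(width)}x{int(width)}", "-sOutputFile=thumb.png", src,
    ]


def params_accepted(page: str, width: str) -> bool:
    """True if the hardened builder would accept these parameters."""
    try:
        build_thumb_command_safe("x.pdf", page, width)
        return True
    except ValueError:
        return False


def render_thumbnail(src: str, page: str, width: str) -> subprocess.CompletedProcess:
    """How the hardened command is executed: argv list, shell=False (the default),
    and a timeout so a hostile document cannot pin the worker. Requires gs on PATH."""
    return subprocess.run(build_thumb_command_safe(src, page, width),
                          check=True, capture_output=True, timeout=30)


if __name__ == "__main__":
    unsafe = build_thumb_command_unsafe("upload.pdf", **ATTACK_PARAMS)
    print("shell would see:", shell_tokens(unsafe))
    try:
        build_thumb_command_safe("upload.pdf", **ATTACK_PARAMS)
    except ValueError as exc:
        print("rejected:", exc)
    print("argv:", build_thumb_command_safe("upload.pdf", **SAFE_PARAMS))
```

Tokenising the unsafe string shows `;`, `id` and `>` as separate shell words, which is exactly what the shell will execute; the hardened builder never reaches the shell at all, and rejects the value before any command is formed. Quoting helpers (escapeshellarg and the like) are a fallback; type validation plus an argv list removes the parsing step that makes metacharacters meaningful.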
Prion · added 2009/05/11 3:30 p.m. · 16 views

Design/Logic Flaw

Opera executes DOM calls in response to a javascript: URI in the target attribute of a submit element within a form contained in an inline PDF file, which might allow remote attackers to bypass intended Adobe Acrobat JavaScript restrictions on accessing the document object, as demonstrated by a w...

CVSS 9.3 · AI score 7 · EPSS 0.00242 · Exploits 0 · References 2

Prion · added 2009/05/11 3:30 p.m. · 17 views

Design/Logic Flaw

Mozilla Firefox executes DOM calls in response to a javascript: URI in the target attribute of a submit element within a form contained in an inline PDF file, which might allow remote attackers to bypass intended Adobe Acrobat JavaScript restrictions on accessing the document object, as...

CVSS 9.3 · AI score 7 · EPSS 0.00247 · Exploits 1 · References 2

Prion · added 2009/05/11 3:30 p.m. · 13 views

Design/Logic Flaw

Apple Safari executes DOM calls in response to a javascript: URI in the target attribute of a submit element within a form contained in an inline PDF file, which might allow remote attackers to bypass intended Adobe Acrobat JavaScript restrictions on accessing the document object, as demonstrated...

CVSS 9.3 · AI score 6.6 · EPSS 0.00242 · Exploits 0 · References 2

Cvelist · added 2009/05/11 3:19 p.m. · 26 views

CVE-2009-1598

Google Chrome executes DOM calls in response to a javascript: URI in the target attribute of a submit element within a form contained in an inline PDF file, which might allow remote attackers to bypass intended Adobe Acrobat JavaScript restrictions on accessing the document object, as demonstrate...

AI score 6.2 · EPSS 0.00306 · Exploits 1 · References 2
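Almost every record on this page (Wagtail, Live Helper Chat, jshERP, FUEL-CMS, Ragflow, Zenario, Roundup, Hubshare, Gitea, and the 2009 Opera/Firefox/Safari/Chrome entries) is one pattern: a PDF is accepted as an opaque file, served inline from the application's origin, and a PDF viewer then runs JavaScript in it or honours a javascript: URI in one of its form actions. The following is an added example, not code from any of those projects: a Python upload triage that flags the PDF features such payloads need, a sample acceptance policy, and the response headers that keep an accepted file from rendering inline. The marker list, the quarantine policy and the header values are this example's choices, and the sample documents are constructed.

```python
import re
import zlib

# Name objects that introduce executable or externally acting content in a PDF.
# The lookahead demands a delimiter after the name so that /JS does not match /JSON.
ACTIVE_NAME_RE = re.compile(
    rb"/(JavaScript|JS|OpenAction|AA|Launch|SubmitForm|GoToR)(?=[\s/\[\]<>(])"
)
# A javascript: scheme inside a literal string, e.g. the /F target of a /SubmitForm
# or the target of a /URI action (the inline-PDF browser CVEs from 2009 above).
JS_URI_RE = re.compile(rb"\(\s*javascript:", re.IGNORECASE)
# PDF names may hex-escape any byte: /J#53 is the same name as /JS.
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def expand_name_escapes(data: bytes) -> bytes:
    """Undo #xx escapes so obfuscated names match the plain spellings."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def decoded_streams(data: bytes):
    """Yield the inflated body of every stream that is zlib (FlateDecode) data.

    decompressobj tolerates a missing trailer byte if the regex trimmed a \\r;
    non-zlib stream bodies raise and are skipped (their text is already in `data`).
    """
    for m in STREAM_RE.finditer(data):
        try:
            body = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue
        if body:
            yield body


def scan_pdf(data: bytes) -> dict:
    """Triage an upload: which active-content markers appear in the raw file or its streams."""
    if not data.startswith(b"%PDF-"):
        return {"is_pdf": False, "findings": set(), "active_content": False}
    findings = set()
    for chunk in (data, *decoded_streams(data)):
        chunk = expand_name_escapes(chunk)
        findings.update(name.decode() for name in ACTIVE_NAME_RE.findall(chunk))
        if JS_URI_RE.search(chunk):
            findings.add("javascript: URI")
    return {"is_pdf": True, "findings": findings, "active_content": bool(findings)}


def upload_policy(scan: dict) -> str:
    """Example policy (this example's choice, not any vendor's): reject non-PDFs,
    quarantine anything with active content for review, accept the rest."""
    if not scan["is_pdf"]:
        return "reject"
    return "quarantine" if scan["active_content"] else "accept"


def safe_download_headers(filename: str) -> dict:
    """Response headers for serving an accepted upload so that, even if a marker was
    missed, the browser does not render it inline on the application's origin.
    Header values are this example's hardening choices."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename).lstrip(".")[:100] or "download.pdf"
    return {
        "Content-Type": "application/pdf",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed samples for this example; none is a real-world file.
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
OPENACTION_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction << /S /JavaScript "
    b"/JS (app.alert(document.cookie)) >> >> endobj\n%%EOF\n"
)
# Same document with hex-escaped names, which defeats a plain substring check for "/JS".
ESCAPED_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Open#41ction << /S /Java#53cript "
    b"/J#53 (app.alert(1)) >> >> endobj\n%%EOF\n"
)
# A form-submit action with a javascript: target, hidden in a FlateDecode object stream.
_HIDDEN_OBJECT = b"3 0 obj << /S /SubmitForm /F (javascript:alert(1)) >> endobj"
COMPRESSED_PDF = (
    b"%PDF-1.5\n2 0 obj << /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(_HIDDEN_OBJECT)
    + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_PDF), ("openaction", OPENACTION_PDF),
                       ("escaped", ESCAPED_PDF), ("compressed", COMPRESSED_PDF)]:
        result = scan_pdf(doc)
        print(f"{label:11s} {upload_policy(result):10s} {sorted(result['findings'])}")
    print(safe_download_headers("../report 2024.pdf"))
```

The scanner is a triage heuristic, not a PDF parser: it normalises the two obfuscations most often seen in uploaded payloads (hex-escaped names and FlateDecode-compressed objects) but will miss other filters, encrypted documents and markers split across incremental updates. The control that actually closes this class is the second half: serve user-supplied documents with Content-Disposition: attachment (or from a separate, cookie-less origin) so that whatever the viewer executes runs without the application's session.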