CVE-2019-11814

An issue was discovered in app/webroot/js/misp.js in MISP before 2.4.107. There is persistent XSS via image names in titles, as demonstrated by a screenshot...

CVE-2019-11813

An issue was discovered in app/View/Elements/Events/View/valuefield.ctp in MISP before 2.4.107. There is persistent XSS via link type attributes with javascript:// links...

CVE-2019-11318

Zimbra Collaboration before 8.8.12 Patch 1 has persistent XSS...

CVE-2019-20212

The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Persistent XSS via the chat widget/page message form...

CVE-2019-20211

The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Persistent XSS via Listing Address, Listing Latitude, Listing Longitude, Email Address, Description, Name, Job or Position, Description, Service Name, Address, Latitude, Longitude, Phon...

CVE-2020-7934

In LifeRay Portal CE 7.1.0 through 7.2.1 GA2, the First Name, Middle Name, and Last Name fields for user accounts in MyAccountPortlet are all vulnerable to a persistent XSS issue. Any user can modify these fields with a particular XSS payload, and it will be stored in the database. The payload wi...

CVE-2020-23984

Online Hotel Booking System Pro PHP Version 1.3 has Persistent Cross-site Scripting in Customer registration-form all-tags...

CVE-2020-10247

MISP 2.4.122 has Persistent XSS in the sighting popover tool. This is related to app/View/Elements/Events/View/sightingfield.ctp...

CVE-2020-24924

A Persistent Cross-site Scripting vulnerability is found in ElkarBackup v1.3.3, where an attacker can steal the user session cookie using this vulnerability present on Policies action Name Parameter...

CVE-2024-41816

Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Persistent Cross-Site Scripting XSS via the ‘cooked-timer’ shortcode in versions up to, and including, 1.8.0 due to insufficient input sanitization and output escaping. This vulnerability allows authenticate...

CVE-2023-31223

Dradis before 4.8.0 allows persistent XSS by authenticated author users, related to avatars...

NiceGUI has Redis connection leak via tab storage causes service degradation

Summary An unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation when Redis hits its connection limit. NiceGUI continues accepting...

GHSA-MP55-G7PJ-RVM2 NiceGUI has Redis connection leak via tab storage causes service degradation

Summary An unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation when Redis hits its connection limit. NiceGUI continues accepting...

CVE-2019-25291

INIM Electronics Smartliving SmartLAN/G/SI =6.x contains hard-coded credentials in its Linux distribution image that cannot be changed through normal device operations. Attackers can exploit these persistent credentials to log in and gain unauthorized system access across multiple SmartLiving...

CVE-2025-66620 Columbia Weather Systems MicroServer Command Shell in Externally Accessible Directory

An unused webshell in MicroServer allows unlimited login attempts, with sudo rights on certain files and directories. An attacker with admin access to MicroServer can gain limited shell access, enabling persistence through reverse shells, and the ability to modify or remove data stored in the fil...

CVE-2019-16333

GetSimple CMS v3.3.15 has Persistent Cross-Site Scripting XSS in admin/theme-edit.php...

CVE-2019-12444

An issue was discovered in GitLab Community and Enterprise Edition 8.9 through 11.11. Wiki Pages contained a lack of input validation which resulted in a persistent XSS vulnerability...

CVE-2019-12830

In MyBB before 1.8.21, an attacker can exploit a parsing flaw in the Private Message / Post renderer that leads to video BBCode persistent XSS to take over any forum account, aka a nested video MyCode issue...

CVE-2019-12427

Zimbra Collaboration before 8.8.15 Patch 1 is vulnerable to a non-persistent XSS via the Admin Console...

CVE-2019-16779

In RubyGem excon before 0.71.0, there was a race condition around persistent connections, where a connection which is interrupted such as by a timeout would leave data on the socket. Subsequent requests would then read this data, returning content from the previous response. The race condition...