20 matches found
CVE-2026-32844
XinLiangCoder phpapidoc through commit 1ce5bbf contains a reflected cross-site scripting vulnerability in listmethod.php that allows remote attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious code through the f parameter. Attackers can craft a malicious URL with...
EUVD-2026-13752
XinLiangCoder phpapidoc through commit 1ce5bbf contains a reflected cross-site scripting vulnerability in listmethod.php that allows remote attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious code through the f parameter. Attackers can craft a malicious URL with...
CVE-2026-32844
XinLiangCoder phpapidoc through commit 1ce5bbf contains a reflected cross-site scripting vulnerability in listmethod.php that allows remote attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious code through the f parameter. Attackers can craft a malicious URL with...
CVE-2026-32844
XinLiangCoder php_api_doc contains a reflected XSS via list_method.php (GET parameter f) after commit 1ce5bbf. Unsanitized input is echoed to the page, enabling execution of arbitrary JavaScript in victims’ browsers. Impact cited includes session hijacking, credential theft, or malware distributi...
CVE-2026-32844 XinLiangCoder / php_api_doc Reflected XSS via list_method.php
XinLiangCoder phpapidoc through commit 1ce5bbf contains a reflected cross-site scripting vulnerability in listmethod.php that allows remote attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious code through the f parameter. Attackers can craft a malicious URL with...
php_api_doc 跨站脚本漏洞
phpapidoc is a PHP API documentation generation tool developed by Wally’s personal developer. phpapidoc has a cross-site scripting vulnerability, which stems from improper cleaning of the f parameter in the listmethod.php file. This vulnerability may lead to reflective cross-site scripting attack...
CVE-2021-47871 Hestia Control Panel 1.3.2 - Arbitrary File Write
Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability that allows authenticated attackers to write files to arbitrary locations using the API index.php endpoint. Attackers can exploit the v-make-tmp-file command to write SSH keys or other content to specific file paths on the...
CVE-2026-0843
The CVE-2026-0843 entry applies to jjjfood and jjjshop_food (up to 20260103) from jiujiujia/victor123/wxw850227, with a SQL injection in /index.php/api/product.category/index. The root cause is manipulation of the latitude parameter enabling remote exploitation. Public disclosures exist and explo...
CVE-2025-14259
A vulnerability was found in Jihai Jshop MiniProgram Mall System 2.9.0. Affected by this issue is some unknown functionality of the file /index.php/api.html. The manipulation of the argument catid results in sql injection. The attack may be launched remotely. The exploit has been made public and...
CVE-2019-14470
cosenary Instagram-PHP-API aka Instagram PHP API V2, as used in the UserPro plugin through 4.9.32 for WordPress, has XSS via the example/success.php errordescription parameter...
GHSA-GCV6-2V9C-RJ48 Cosenary Instagram-PHP-API contains reflected XSS vulnerability
cosenary Instagram-PHP-API aka Instagram PHP API V2, used in the UserPro plugin through 4.9.32 for WordPress, is vulnerable to cross-site scripting via the example/success.php errordescription parameter. Vulnerable code: php if isset$GET'error' echo 'An error occurred: ' . $GET'errordescription';...
Cosenary Instagram-PHP-API contains reflected XSS vulnerability
cosenary Instagram-PHP-API aka Instagram PHP API V2, used in the UserPro plugin through 4.9.32 for WordPress, is vulnerable to cross-site scripting via the example/success.php errordescription parameter. Vulnerable code: php if isset$GET'error' echo 'An error occurred: ' . $GET'errordescription';...
CVE-2019-14470
cosenary Instagram-PHP-API aka Instagram PHP API V2, as used in the UserPro plugin through 4.9.32 for WordPress, has XSS via the example/success.php errordescription parameter...
Design/Logic Flaw
cosenary Instagram-PHP-API aka Instagram PHP API V2, as used in the UserPro plugin through 4.9.32 for WordPress, has XSS via the example/success.php errordescription parameter...
CVE-2019-14470
The CVE-2019-14470 entry affects WordPress UserPro plugin versions up to 4.9.32, which uses the cosenary Instagram-PHP-API (V2). The vulnerability is a reflected Cross-Site Scripting (XSS) via the example/success.php error_description parameter, demonstrated by the vulnerable code path that echoe...
EasyCom For PHP 4.0.0 - Buffer Overflow (PoC)
Credits: John Page AKA Hyp3rlinX + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/EASYCOM-PHP-API-BUFFER-OVERFLOW.txt + ISR: ApparitionSec Vendor: ================ easycom-aura.com Product: =========================== EASYCOM AS400 iBMI PHP API...
EasyCom For PHP 4.0.0 - Buffer Overflow (PoC)
EasyCom For PHP 4.0.0 - Buffer Overflow PoC + Credits: John Page AKA Hyp3rlinX + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/EASYCOM-PHP-API-BUFFER-OVERFLOW.txt + ISR: ApparitionSec Vendor: ================ easycom-aura.com Product:...
ownCloud: owncloud.com: Allowed an attacker to force a user to change profile details. (XCSRF)
Allowed an attacker to force a user to change profile details. XCSRF A CSRF attack would not be prevented by this countermeasure because the attacker forges a request through the user's web browser in which a valid session already exists. There is no mitigation of Cross-Site Request Forgery XCSRF...
Shopify: Header Misconfiguration - PHP API
Hey, Your index api page auth can easily be bypassed because it doesn't use proper auth practices in its PHP core. Here is the master code from Shopify: https://github.com/Shopify/shopifyphpapi/blob/master/index.php it says: if !isset$SESSION'shop' || !isset$SESSION'token' header"Location:...
CVE-2011-5236
Moneris eSelectPlus 2.03 PHP API does not verify that the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate...