65 matches found
EUVD-2026-28811
Insufficient input validation of the plugin parameter of the createuser plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user...
CVE-2026-29202
Insufficient input validation of the plugin parameter of the createuser plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user...
CVE-2026-29202
Insufficient input validation of the plugin parameter of the createuser plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user...
CVE-2026-29202
Insufficient input validation of the plugin parameter of the createuser plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user...
CVE-2026-29202
Insufficient input validation of the plugin parameter of the createuser plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user...
CVE-2026-29202
The CVE-2026-29202 issue affects cPanel & WHM through Insufficient input validation of the plugin parameter in the create_user plugin, enabling arbitrary Perl code execution under the authenticated user’s system account. Affected component: the create_user plugin’s plugin parameter handling. Root...
cPanel 输入验证错误漏洞
cPanel is a web-based automated hosting platform developed by cPanel Inc. This platform is primarily used for automating the management of websites and servers. cPanel has a vulnerability related to input validation errors, which stem from insufficient input validation in the plugin parameter...
Missing Authentication for Critical Function
Overview arelle-release is an An open source XBRL platform. Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the plugins parameter in the /rest/configure endpoint, which is processed without authentication or authorization. An attacker can execu...
CVE-2026-42796
Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint that accepts a plugins query parameter and forwards it to the plugin manager without authentication or authorization. Attackers can supply a URL to a malicious Python file...
CVE-2026-34787
CVE-2026-34787 affects Emlog up to version 2.6.2. An LFI exists in admin/plugin.php (line 80) where the GET parameter $plugin is directly used in a require_once path without sanitization. If a CSRF bypass is possible, an attacker could include arbitrary PHP files from the server filesystem, enabl...
CVE-2026-34787 Emlog: Local File Inclusion in plugin.php via unsanitized plugin parameter
Emlog is an open source website building system. In versions 2.6.2 and prior, a Local File Inclusion LFI vulnerability exists in admin/plugin.php at line 80. The $plugin parameter from the GET request is directly used in a requireonce path without proper sanitization. If the CSRF token check can ...
GHSA-PM37-62G7-P768 AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page
Summary The YPTWallet Stripe payment confirmation page directly echoes the $REQUEST'plugin' parameter into a JavaScript block without any encoding or sanitization. The plugin parameter is not included in any of the framework's input filter lists defined in security.php, so it passes through...
EUVD-2026-16752
AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page...
Cross-site Scripting (XSS)
Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Scripting XSS via the plugin parameter in plugin/YPTWallet/plugins/YPTWalletStripe/confirmButton.php. An attacker can execute arbitrary JavaScript in a...
CVE-2026-34375
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the YPTWallet Stripe payment confirmation page directly echoes the $REQUEST'plugin' parameter into a JavaScript block without any encoding or sanitization. The plugin parameter is not included in any of the...
CVE-2026-34375
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the YPTWallet Stripe payment confirmation page directly echoes the $REQUEST'plugin' parameter into a JavaScript block without any encoding or sanitization. The plugin parameter is not included in any of the...
CVE-2026-34375 AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the YPTWallet Stripe payment confirmation page directly echoes the $REQUEST'plugin' parameter into a JavaScript block without any encoding or sanitization. The plugin parameter is not included in any of the...
CVE-2026-34375
CVE-2026-34375 : WWBN AVideo
CVE-2026-34375
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the YPTWallet Stripe payment confirmation page directly echoes the $REQUEST'plugin' parameter into a JavaScript block without any encoding or sanitization. The plugin parameter is not included in any of the...
CVE-2026-34375 AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the YPTWallet Stripe payment confirmation page directly echoes the $REQUEST'plugin' parameter into a JavaScript block without any encoding or sanitization. The plugin parameter is not included in any of the...