46 matches found
CVE-2026-40928
WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under objects/ accept state-changing requests via $REQUEST/$GET and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or referer check. A malicious...
PT-2026-34198
Name of the Vulnerable Software and Affected Versions WWBN AVideo versions prior to 29.1 Description Multiple JSON endpoints under 'objects/' accept state-changing requests via $ REQUEST and $ GET without anti-CSRF tokens, origin checks, or referer checks. This allows a malicious page to perform...
EUVD-2025-31822
FuelVM is vulnerable to heap memory allocation re-use bug...
CVE-2025-9512
The Schema & Structured Data for WP & AMP WordPress plugin before 1.50 does not properly handles HTML tag attribute modifications, making it possible for unauthenticated attackers to conduct Stored XSS attacks via post comments...
CVE-2025-9512 Schema & Structured Data for WP & AMP < 1.50 - Unauthenticated Stored-XSS
The Schema & Structured Data for WP & AMP WordPress plugin before 1.50 does not properly handles HTML tag attribute modifications, making it possible for unauthenticated attackers to conduct Stored XSS attacks via post comments...
CVE-2025-9512
CVE-2025-9512 affects the WordPress plugin Schema & Structured Data for WP & AMP prior to version 1.50. The vulnerability is an unauthenticated stored XSS caused by incorrect handling of HTML tag attribute modifications in post comments, enabling an attacker to inject scripts that run in other us...
Cross-site Scripting (XSS)
knowledge-repo is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper user input validation in the post comments functionality. This allows an attacker to inject arbitrary web scripts or HTML content into the application, potentially leading to cross-site scripting XSS...
CVE-2024-26495
CVE-2024-26495 affects Friendica versions after 2023.12. The vulnerability is Cross Site Scripting (XSS) in BBCode handling for post content and comments, enabling a remote attacker to obtain sensitive information. The root cause is an XSS flaw in processing BBCode; exploitation details are not p...
WordPress 5.2.x < 5.2.19 Multiple Vulnerabilities
According to its self-reported version number, the detected WordPress application is affected by multiple vulnerabilities : - A potential disclosure of user email addresses. - An RCE POP Chains vulnerability. - A Cross-Site Scripting XSS vulnerability in the post link navigation block. - An issue...
WordPress 4.7.x < 4.7.27 Multiple Vulnerabilities
According to its self-reported version number, the detected WordPress application is affected by multiple vulnerabilities : - A potential disclosure of user email addresses. - An RCE POP Chains vulnerability. - A Cross-Site Scripting XSS vulnerability in the post link navigation block. - An issue...
WordPress 5.5.x < 5.5.13 Multiple Vulnerabilities
According to its self-reported version number, the detected WordPress application is affected by multiple vulnerabilities : - A potential disclosure of user email addresses. - An RCE POP Chains vulnerability. - A Cross-Site Scripting XSS vulnerability in the post link navigation block. - An issue...
WordPress 6.3.x < 6.3.2 Multiple Vulnerabilities
According to its self-reported version number, the detected WordPress application is affected by multiple vulnerabilities : - A potential disclosure of user email addresses. - An RCE POP Chains vulnerability. - A Cross-Site Scripting XSS vulnerability in the post link navigation block. - An issue...
Airbnb Knowledge Repo XSS In Comments
Cross-site scripting XSS vulnerability in Airbnb Knowledge Repo prior to 0.9.0 allows remote attackers to inject arbitrary web scripts or HTML via the post comments functionality, as demonstrated by the post/posts/newreport.kp URI...
GHSA-XMW7-848P-P95W Airbnb Knowledge Repo XSS In Comments
Cross-site scripting XSS vulnerability in Airbnb Knowledge Repo prior to 0.9.0 allows remote attackers to inject arbitrary web scripts or HTML via the post comments functionality, as demonstrated by the post/posts/newreport.kp URI...
CVE-2021-24806
The wpDiscuz WordPress plugin before 7.3.4 does check for CSRF when adding, editing and deleting comments, which could allow attacker to make logged in users such as admin edit and delete arbitrary comment, or the user who made the comment to edit it via a CSRF attack. Attackers could also make...
Cross-Site Scripting (XSS)
camaleoncms is vulnerable to cross-site scripting. The library does not properly sanitize the post's comment section, allowing malicious users to inject and execute malicious javascript...
Hardcoded credentials
Halo blog 1.2.0 allows users to submit comments on blog posts via /api/content/posts/comments. The javascript code supplied by the attacker will then execute in the victim user's browser...
Mail.ru: XSS in [community.my.games]
Crossite scripting in community.my.games via post comments All we say is Thank You for an Account Takeover Flaw!...
Code injection
The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled...
Cross site scripting
Cross-site scripting XSS vulnerability in Airbnb Knowledge Repo 0.7.4 allows remote attackers to inject arbitrary web scripts or HTML via the post comments functionality, as demonstrated by the post/posts/newreport.kp URI...