CVE-2026-53946

Ghost (Node.js CMS) is affected in versions 6.19.4–6.21.1. During post re-render, Ghost fetches image dimensions by issuing an outbound HTTP request to the URL stored on an image card, without restricting allowed hosts. An authenticated staff user who can create or edit posts could point an image...

GHSA-R33W-C82V-X5V7 CI4MS: Blogs Posts (Categories) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Summary Vulnerability: Blogs Posts Categories Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS - Stored Cross-Site Scripting via Unsanitized Blog Post Content in Blog Management Categories Description The application fails to properly sanitize user-controlled input wh...

Cross-site Scripting (XSS)

Overview baserproject/basercms is a Content management system based on CakePHP. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the blog post rendering process. An attacker can execute arbitrary scripts in the context of a user's browser by injecting malicious...

Team Members < 5.3.2 - Author+ Stored XSS

Description The plugin does not validate and escape some of its Team options attributes before outputting them back in a page/post where the related shortcode is embed, which could allow users with the author role and above to perform Stored Cross-Site Scripting attacks. 1. Create/edit a team and...