6104 matches found
CVE-2026-35055
XenForo before 2.3.9 and before 2.2.18 is vulnerable to cross-site scripting (XSS) related to lightbox usage in posts. An attacker can inject malicious scripts that execute when users interact with post content displayed in the lightbox...
CVE-2026-35055 XenForo Cross-Site Scripting via Lightbox in Posts
XenForo before 2.3.9 and before 2.2.18 is vulnerable to cross-site scripting (XSS) related to lightbox usage in posts. An attacker can inject malicious scripts that execute when users interact with post content displayed in the lightbox...
PT-2026-29432
XenForo before 2.3.10 and before 2.2.19 is vulnerable to stored cross-site scripting (XSS) in structured text mentions, primarily affecting legacy profile post content. An attacker can inject malicious scripts through crafted mentions that are stored and executed when other users view the content...
PT-2026-29430
XenForo before 2.3.9 and before 2.2.18 is vulnerable to cross-site scripting (XSS) related to lightbox usage in posts. An attacker can inject malicious scripts that execute when users interact with post content displayed in the lightbox...
PT-2026-29632
Name of the Vulnerable Software and Affected Versions: CI4MS versions prior to 0.31.0.0. Description: The application does not properly sanitize user-controlled input when creating or editing blog posts. An attacker can inject a malicious JavaScript payload into blog post content, which is then stor...
PT-2026-29473
The Export All URLs WordPress plugin before 5.1 generates CSV filenames containing post URLs, including private posts, in a predictable pattern using a random 6-digit number. These files are stored in the publicly accessible wp-content/uploads/ directory. As a result, any unauthenticated user can...
XenForo Cross-Site Scripting Vulnerability
XenForo is forum software developed by the XenForo company. Versions of XenForo prior to 2.3.9 and 2.2.18 had a cross-site scripting vulnerability. This vulnerability stemmed from the use of lightboxes in posts, which allowed for cross-site scripting attacks, potentially enabling attackers to...
CVE-2025-71282
creationtimestamp | type | source
---|---|---
2026-03-31 23:16:40+00:00 | seen | https://www.incibe.es/incibe-cert/alerta-temprana/vulnerabilidades/cve-2025-71282
2026-04-01 03:00:42+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mifp722gld2c
2026-04-01 03:18:10+00:00 | seen | ...
CVE-2025-71281
creationtimestamp | type | source
---|---|---
2026-03-31 23:16:40+00:00 | seen | https://www.incibe.es/incibe-cert/alerta-temprana/vulnerabilidades/cve-2025-71281
2026-04-01 02:24:55+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mifn7345oc27
2026-04-01 03:14:55+00:00 | seen | ...
EUVD-2026-17263
baserCMS has a cross-site scripting vulnerability in blog posts...
baserCMS has a cross-site scripting vulnerability in blog posts
baserCMS has a cross-site scripting vulnerability in blog posts. Target: baserCMS 5.2.1 and earlier versions. Vulnerability: Malicious JavaScript may be executed in blog posts. Countermeasures: Update to the latest version of baserCMS. Please refer to the following page for more...
GHSA-JMQ3-X8Q7-J9QM baserCMS has a cross-site scripting vulnerability in blog posts
baserCMS has a cross-site scripting vulnerability in blog posts. Target: baserCMS 5.2.1 and earlier versions. Vulnerability: Malicious JavaScript may be executed in blog posts. Countermeasures: Update to the latest version of baserCMS. Please refer to the following page for more...
EUVD-2026-17257
baserCMS has an SQL injection vulnerability in its blog post functionality...
GHSA-VH89-RJPH-2G7P baserCMS has an SQL injection vulnerability in its blog post functionality
baserCMS has a SQL injection vulnerability in blog posts. Target: baserCMS 5.2.2 and earlier versions. Vulnerability: Malicious SQL may be executed in blog posts. Countermeasures: Update to the latest version of baserCMS. Please refer to the following page for more information...
baserCMS has an SQL injection vulnerability in its blog post functionality
baserCMS has a SQL injection vulnerability in blog posts. Target: baserCMS 5.2.2 and earlier versions. Vulnerability: Malicious SQL may be executed in blog posts. Countermeasures: Update to the latest version of baserCMS. Please refer to the following page for more information...
CVE-2026-30282
creationtimestamp | type | source
---|---|---
2026-03-31 18:34:34+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3miesvzalqn2t
2026-03-31 18:58:54+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mieubjuhm622
2026-04-07 23:00:14+00:00 | seen | ...
CVE-2026-32725
creationtimestamp | type | source
---|---|---
2026-03-31 18:31:07+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3miesptmlej2s
2026-03-31 18:55:53+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mieu45uy4c2g
2026-03-31 19:20:34+00:00 | published-proof-of-concept | ...
CVE-2026-32620
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, non-staff users could access read receipt information for staff-only posts they weren't supposed to see. No post content w...
CVE-2026-32620 Discourse: Missing post-level authorization allows whisper metadata disclosure
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, non-staff users could access read receipt information for staff-only posts they weren't supposed to see. No post content w...