13 matches found

OSV
added 2026/02/09 7:45 p.m. | 4 views

CVE-2026-25496 Craft has a stored XSS in Number Prefix & Suffix Fields

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping,...

4.8 CVSS | 5.7 AI score | 0.00023 EPSS
Exploits 1 | References 5
CNNVD
added 2026/02/09 12:0 a.m. | 2 views

Craft CMS Cross-Site Scripting Vulnerability

Craft CMS is an open-source content management system developed by Craft. Versions of Craft CMS from 4.0.0-RC1 to 4.16.17, as well as from 5.0.0-RC1 to 5.8.21, have a cross-site scripting vulnerability. This vulnerability stems from improper escaping of prefix and suffix fields during rendering,...

4.8 CVSS | 5.7 AI score | 0.00023 EPSS
Exploits 1 | References 3
Positive Technologies
added 2025/11/07 12:0 a.m. | 3 views

PT-2025-45474

Name of the Vulnerable Software and Affected Versions: SourceCodester User Account Generator version 1.0. Description: A Cross-Site Scripting (XSS) issue exists in SourceCodester User Account Generator version 1.0. This allows remote attackers to execute arbitrary JavaScript code within a user’s brows...

6.5 AI score | 0.00048 EPSS
Exploits 1 | References 5
CNNVD
added 2025/11/07 12:0 a.m. | 3 views

SourceCodester User Account Generator Security Vulnerability

SourceCodester User Account Generator is an open source user account generator from SourceCodester. A security vulnerability exists in SourceCodester User Account Generator version 1.0, which stems from improper input cleanup of the Username Prefix field, and could lead to a cross-site scripting...

6.1 CVSS | 6.1 AI score | 0.00048 EPSS
Exploits 1 | References 2
Github Security Blog
added 2023/07/25 5:17 p.m. | 26 views

Leaking sensitive user information still possible by filtering on private with prefix fields

Summary: Still able to leak private fields if using the tnumber prefix. Details: Knex query allows you to change their default prefix. SqliteError: select distinct t0. from pages as t0 left join adminusers as t1 on t0.updatedbyid = t1.id where t1.password = 1 so if you change the prefix to the same a...

8.6 CVSS | 6.5 AI score | 0.03179 EPSS
Exploits 1 | References 4 | Affected Software 2
ATTACKERKB
added 2023/07/11 2:15 a.m. | 0 views

CVE-2023-37189

A stored cross-site scripting (XSS) vulnerability in index.php?menu=billingrates of Issabel PBX version 4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the Name or Prefix fields under the Create New Rate module...

4.8 CVSS | 5.7 AI score | 0.00721 EPSS
Exploits 1 | References 3
OSV
added 2023/07/11 2:15 a.m. | 0 views

CVE-2023-37189

A stored cross-site scripting (XSS) vulnerability in index.php?menu=billingrates of Issabel PBX version 4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the Name or Prefix fields under the Create New Rate module...

4.8 CVSS | 5.6 AI score | 0.00721 EPSS
Exploits 1 | References 2
Prion
added 2023/07/11 2:15 a.m. | 13 views

Cross-site scripting

A stored cross-site scripting (XSS) vulnerability in index.php?menu=billingrates of Issabel PBX version 4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the Name or Prefix fields under the Create New Rate module...

4.3 CVSS | 5 AI score | 0.00721 EPSS
Exploits 1 | References 2 | Affected Software 1
CNNVD
added 2023/07/11 12:0 a.m. | 2 views

Issabel PBX Cross-Site Scripting Vulnerability

Issabel PBX is a free and open source software application that allows you to build communication tools for your organization. A cross-site scripting vulnerability exists in Issabel PBX version v.4.0.0-6, which originates from a vulnerability that allows attackers to execute arbitrary...

4.8 CVSS | 5.3 AI score | 0.00721 EPSS
Exploits 1 | References 3
OSV
added 2021/07/06 7:15 p.m. | 0 views

CVE-2021-34190

A stored cross-site scripting (XSS) vulnerability in index.php?menu=billingrates of Issabel PBX version 4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Name" or "Prefix" fields under the "Create New Rate" module...

4.8 CVSS | 5.6 AI score
Exploits 0 | References 2
CNVD
added 2018/11/12 12:0 a.m. | 2 views

YUNUCMS Arbitrary PHP Code Execution Vulnerability

YUNUCMS is an open source content management system (CMS) for building enterprise websites, developed by the Chinese company Yunyou (YUNU) Network Technology. A security vulnerability exists in the statics/app/index/controller/Install.php file of YUNUCMS version 1.1.5. A remote attacker can exploit this vulnerability by...

9.8 CVSS | 9.7 AI score | 0.0074 EPSS
Exploits 1 | References 1
CNVD
added 2018/07/26 12:0 a.m. | 1 views

Arbitrary Code Execution Vulnerability in GolemCMS

GolemCMS is a PHP-based content management system (CMS). An arbitrary code execution vulnerability exists in GolemCMS version 2008-12-24 and earlier. A remote attacker can execute arbitrary PHP code or obtain sensitive information by sending a direct request to the 'Table prefix' form field in...

9.8 CVSS | 9.8 AI score | 0.00944 EPSS
Exploits 1 | References 1
CNVD
added 2018/04/27 12:0 a.m. | 1 views

Cosmo Arbitrary PHP Code Execution Vulnerability

Cosmo is a content management system (CMS) built on AngularJS and PHP. A security vulnerability exists in Cosmo version 1.0.0Beta6. The vulnerability can be exploited to execute arbitrary PHP code via the Database Prefix field in the Database Info screen on the localhost/Cosmo/install.php li...

9.8 CVSS | 7.7 AI score | 0.00486 EPSS
Exploits 1 | References 1