PT-2026-45707
Name of the Vulnerable Software and Affected Versions: Easy Cart versions prior to 1.9 Description: The Easy Cart plugin for WordPress contains a Stored Cross-Site Scripting issue. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages. This occu...
CVE-2024-58304
SPA-CART CMS 1.9.0.3 contains a stored cross-site scripting vulnerability in the product description parameter that allows authenticated administrators to inject malicious scripts. Attackers can submit JavaScript payloads through the 'descr' parameter in the product edit form to execute arbitrary...
CVE-2024-58304
CVE-2024-58304 – SPA-CART CMS 1.9.0.3 is affected by a stored cross-site scripting vulnerability in the product description parameter. The issue allows authenticated administrators to inject JavaScript via the descr field in the product edit form, causing arbitrary code execution in the web brows...
SPA-CART CMS Cross-Site Scripting Vulnerability
SPA-CART CMS is a content management system from the individual developer Oleg. A cross-site scripting vulnerability exists in SPA-CART CMS version 1.9.0.3, which stems from stored cross-site scripting in the product description parameter and could lead to the execution of arbitrary...
CVE-2025-12334
A vulnerability was found in code-projects E-Commerce Website 1.0. Affected is an unknown function of the file /pages/productadd.php. The manipulation of the argument prodname/proddesc/prodcost results in cross site scripting. It is possible to launch the attack remotely. The exploit has been mad...
GHSA-527Q-4WQV-G9WJ bagisto has Server Side Template Injection (SSTI) in Product Description
Summary Bagisto v2.3.7 is vulnerable to Server-Side Template Injection SSTI due to unsanitized user input being processed by the server-side templating engine when rendering product descriptions. This allows an attacker with product creation privileges to inject arbitrary template expressions tha...
CVE-2025-62416 bagisto - Server Side Template Injection (SSTI) in Product Description
Bagisto is an open source laravel eCommerce platform. Bagisto v2.3.7 is vulnerable to Server-Side Template Injection SSTI due to unsanitized user input being processed by the server-side templating engine when rendering product descriptions. This allows an attacker with product creation privilege...
EUVD-2023-30267
Malicious code in bioql PyPI...
EUVD-2023-52278
Malicious code in bioql PyPI...
CVE-2024-40746
A stored cross-site scripting XSS vulnerability in HikaShop Joomla Component 5.1.1 allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload in the description parameter of any product. The description parameter is not sanitised in the...
CVE-2023-48198
A Cross-Site Scripting XSS vulnerability in the 'product description' component within '/api/stock/products' of Grocy version = 4.0.3 allows attackers to obtain a victim's cookies...
PT-2024-29025 · Joomla · Hikashop
Name of the Vulnerable Software and Affected Versions: HikaShop Joomla Component versions prior to 5.1.1 Description: A stored cross-site scripting XSS issue allows remote attackers to execute arbitrary JavaScript in a user's web browser. This is achieved by including a malicious payload in the...
PT-2023-30723 · Grocy · Grocy
Name of the Vulnerable Software and Affected Versions: Grocy versions = 4.0.3 Description: A Cross-Site Scripting XSS issue exists in the 'product description' component within the "/api/stock/products" endpoint, allowing attackers to obtain a victim's cookies. This issue can be exploited by a...
CVE-2023-26447
CVE-2023-26447 affects Open-Xchange AppSuite’s portal upsell widget, where a product description sourced from a user-controllable jslob is inserted into the DOM without proper escaping. The underlying issue is DOM-based XSS: unescaped jslob content can execute script in the victim’s browser, pote...
Shopify: Stored XSS in /admin/product and /admin/collections
Hello Security Team, I was going through previous reports of XSS and I found this: https://hackerone.com/reports/978125 As stated by the team on this page, and also on https://hackerone.com/shopify?type=team under Known issues, we can now report XSS under the Rich Text Editor on Product description a...
CVE-2021-22652: Advantech iView Missing Authentication RCE (FIXED)
Advantech iView versions prior to 5.7.03.6112 suffer from an instance of "CWE-306: Missing Authentication For Critical Function." This vulnerability CVE-2021-22652 has a CVSSv3 score of 9.8, which is usually CRITICAL, since it effectively allows anyone who can connect to the iView server to run...
Shopify: [h1-2102] Stored XSS in product description via `productUpdate` GraphQL query leads to XSS at handshake-web-internal.shopifycloud.com/products/[ID]
This is most likely going to be a duplicate, so I'll keep it short. A stored cross-site scripting vulnerability exists at handshake-web-internal.shopifycloud.com through the product description field. Requirements A shop with the Handshake plugin enabled and set up Reproduction steps 1. Add a...
WooCommerce 3.6.4 - CSRF Bypass to Stored XSS
In WooCommerce, shop managers and administrators have the ability to import (insert/update) products via a .csv file. Every product in WooCommerce has a product description where the shop manager can insert limited HTML, i.e. very basic HTML tags and attributes, such as the a tag in combination with...