22 matches found

Friends Of PHP
added 2026/05/20 8:0 a.m. | 5 views

XSS in profiler HtmlDumper via unescaped template and profile names

More info at https://symfony.com/cve-2026-47730...

5.8 AI score
Exploits 0 | Affected Software 1

Cvelist
added 2026/03/19 3:48 p.m. | 20 views

CVE-2026-32866 OPEXUS eComplaint and eCase stored XSS via profile first and last name

OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in a user profile. An authenticated attacker can inject parts of an XSS payload in their first and last name fields. The payload is executed when the user's full name is rendered. The...

5.5 CVSS | 0.00039 EPSS
Exploits 0 | References 2

CNNVD
added 2026/01/30 12:0 a.m. | 0 views

Tryton cross-site scripting vulnerabilities

Tryton is an open-source content management system developed by Tryton. Version 5.4 of Tryton contains a cross-site scripting vulnerability, which stems from improper cleaning of user profile names. This vulnerability may lead to storage-based cross-site scripting attacks...

6.4 CVSS | 5.6 AI score | 0.00081 EPSS
Exploits 0 | References 5

RedhatCVE
added 2025/12/18 11:36 p.m. | 4 views

CVE-2023-53929

phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc|a!z|' to trigger code execution when an administrator exports user data as a CSV fil...

8.8 CVSS | 7.8 AI score | 0.00072 EPSS
Exploits 1 | References 1

RedhatCVE
added 2025/12/18 11:36 p.m. | 2 views

CVE-2023-53905

ProjectSend r1605 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into user profile names. Attackers can craft payloads like =calc|a!z| in the name field to trigger code execution when administrators export action logs as CSV files...

8 CVSS | 7.7 AI score | 0.00072 EPSS
Exploits 1 | References 1

EUVD
added 2025/12/18 12:34 a.m. | 2 views

EUVD-2023-60202

phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc|a!z|' to trigger code execution when an administrator exports user data as a CSV fil...

8.8 CVSS | 7.2 AI score | 0.00072 EPSS
Exploits 1 | References 4

OSV
added 2025/12/18 12:34 a.m. | 3 views

GHSA-X2V3-9P22-W3X6 phpMyFAQ contains a CSV injection vulnerability

phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc|a!z|' to trigger code execution when an administrator exports user data as a CSV fil...

8.8 CVSS | 7.7 AI score | 0.00072 EPSS
Exploits 1 | References 5

EUVD
added 2025/12/18 12:34 a.m. | 1 views

EUVD-2023-60225

ProjectSend r1605 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into user profile names. Attackers can craft payloads like =calc|a!z| in the name field to trigger code execution when administrators export action logs as CSV files...

8.8 CVSS | 7.2 AI score | 0.00072 EPSS
Exploits 1 | References 4

OSV
added 2025/12/17 11:15 p.m. | 1 views

CVE-2023-53929

phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc|a!z|' to trigger code execution when an administrator exports user data as a CSV fil...

8 CVSS | 7.7 AI score
Exploits 0 | References 3

OSV
added 2025/12/17 11:15 p.m. | 2 views

CVE-2023-53905

ProjectSend r1605 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into user profile names. Attackers can craft payloads like =calc|a!z| in the name field to trigger code execution when administrators export action logs as CSV files...

8 CVSS | 7.6 AI score
Exploits 0 | References 3

Vulnrichment
added 2025/12/17 10:44 p.m. | 2 views

CVE-2023-53929 phpMyFAQ 3.1.12 CSV Injection via User Profile Export

phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc|a!z|' to trigger code execution when an administrator exports user data as a CSV fil...

8.8 CVSS | 7.3 AI score | 0.00072 EPSS
Exploits 1 | References 3

CVE
added 2025/12/17 10:44 p.m. | 6 views

CVE-2023-53929

Summary: CVE-2023-53929 affects phpMyFAQ 3.1.12. The vulnerability arises in the user data export workflow: an authenticated user can place CSV-injection payloads (e.g., calc|a!z|) in their profile name, which can trigger code execution when an administrator exports user data as CSV. Affected sof...

8.8 CVSS | 7.3 AI score | 0.00072 EPSS
Exploits 1 | References 3 | Affected Software 1

CNNVD
added 2025/12/17 12:0 a.m. | 2 views

phpMyFAQ security vulnerability

phpMyFAQ is a multilingual, fully database-driven FAQ system by the individual developer Thorsten Rinne. A security vulnerability exists in phpMyFAQ version 3.1.12, which stems from the ability of authenticated users to inject malicious formulas into their profile names, potentially leading to CS...

8.8 CVSS | 6.8 AI score | 0.00072 EPSS
Exploits 1 | References 4

Positive Technologies
added 2025/12/17 12:0 a.m. | 1 views

PT-2025-51943

Name of the Vulnerable Software and Affected Versions: ProjectSend version r1605. Description: ProjectSend version r1605 contains a CSV injection flaw. Authenticated users can inject malicious formulas into user profile names. An attacker can use a payload like =calc|a!z| within the name field. When...

8 CVSS | 6.9 AI score | 0.00072 EPSS
Exploits 1 | References 6

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2006-7025

Malware in sbrugna...

3.5 CVSS | 6.4 AI score | 0.00244 EPSS
Exploits 0 | References 5

Vulnrichment
added 2025/09/09 4:25 a.m. | 2 views

CVE-2025-9489 WP-Members Membership Plugin <= 3.5.4.2 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via Profile Names

The WP-Members Membership Plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.5.4.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it...

5 CVSS | 5.9 AI score | 0.00097 EPSS
Exploits 0 | References 3

Cvelist
added 2025/09/09 4:25 a.m. | 5 views

CVE-2025-9489 WP-Members Membership Plugin <= 3.5.4.2 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via Profile Names

The WP-Members Membership Plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.5.4.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it...

5 CVSS | 0.00097 EPSS
Exploits 0 | References 3

CVE
added 2025/09/09 4:25 a.m. | 13 views

CVE-2025-9489

CVE-2025-9489 affects the WP-Members Membership Plugin for WordPress. The vulnerability allows authenticated users with Subscriber+ access to execute arbitrary shortcodes via do_shortcode due to insufficient input validation in profile-related shortcode handling. Impact is arbitrary shortcode execution w...

5 CVSS | 5.9 AI score | 0.00097 EPSS
Exploits 0 | References 3

OSV
added 2024/02/22 4:13 p.m. | 3 views

CVE-2023-52443 apparmor: avoid crash when parsed profile name is empty

In the Linux kernel, the following vulnerability has been resolved: apparmor: avoid crash when parsed profile name is empty. When processing a packed profile in unpack_profile described like "profile :ns::samba-dcerpcd /usr/lib/samba/,samba/samba-dcerpcd ..." a string ":samba-dcerpcd" is unpacked a...

5.5 CVSS | 5.8 AI score | 0.00019 EPSS
Exploits 0 | References 13

CNNVD
added 2024/02/07 12:0 a.m. | 1 views

WordPress Plugin Starbox Cross-Site Scripting Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A cross-site scripting vulnerability exists...

6.4 CVSS | 6 AI score | 0.00134 EPSS
Exploits 0 | References 3