6682 matches found

NVD
added 2026/04/01 10:16 p.m. | 2 views

CVE-2026-34561

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings – Social Media Management. Multiple...

CVSS 8.4 | EPSS 0.00229
Exploits: 1 | References: 2
OSV
added 2026/04/01 10:06 p.m. | 6 views

GHSA-R33W-C82V-X5V7 CI4MS: Blogs Posts (Categories) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Summary Vulnerability: Blogs Posts Categories Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS - Stored Cross-Site Scripting via Unsanitized Blog Post Content in Blog Management Categories Description The application fails to properly sanitize user-controlled input wh...

CVSS 9.1 | AI score 6.2 | EPSS 0.00269
Exploits: 1 | References: 4
Snyk
added 2026/04/01 10:04 p.m. | 4 views

Cross-site Scripting (XSS)

Overview ci4-cms-erp/ci4ms is a composer create-project ci4-cms-erp/ci4ms Affected versions of this package are vulnerable to Cross-site Scripting XSS via the backup filename field during backup upload and processing. An attacker can execute arbitrary JavaScript in the browsers of privileged user...

CVSS 9.1 | AI score 6 | EPSS 0.00269
Exploits: 1 | References: 2
EUVD
added 2026/04/01 10:02 p.m. | 3 views

EUVD-2026-18073

CI4MS: System Settings Social Media Management Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS...

CVSS 4.7 | AI score 5.8 | EPSS 0.00229
Exploits: 1 | References: 2
Github Security Blog
added 2026/04/01 9:54 p.m. | 8 views

CI4MS: Logs Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Summary Vulnerability: Stored DOM Blind XSS via Logs Interface Rendering Administrative Context Execution - Stored Cross-Site Scripting Blind XSS via Unsafe Rendering of User-Controlled Logged Data Description The application renders user-controlled input unsafely within the logs interface. If an...

CVSS 9.1 | AI score 6.2 | EPSS 0.0038
Exploits: 1 | References: 4 | Affected software: 1
OSV
added 2026/04/01 9:54 p.m. | 9 views

GHSA-R4V5-RWR2-Q7R4 CI4MS: Logs Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Summary Vulnerability: Stored DOM Blind XSS via Logs Interface Rendering Administrative Context Execution - Stored Cross-Site Scripting Blind XSS via Unsafe Rendering of User-Controlled Logged Data Description The application renders user-controlled input unsafely within the logs interface. If an...

CVSS 9.1 | AI score 6.2 | EPSS 0.0038
Exploits: 1 | References: 4
Snyk
added 2026/04/01 9:54 p.m. | 3 views

Cross-site Scripting (XSS)

Overview ci4-cms-erp/ci4ms is a composer create-project ci4-cms-erp/ci4ms Affected versions of this package are vulnerable to Cross-site Scripting XSS in the logs rendering process. An attacker can execute arbitrary JavaScript in the browser context of an administrator by injecting a malicious...

CVSS 9.1 | AI score 6 | EPSS 0.0038
Exploits: 1 | References: 2
ATTACKERKB
added 2026/04/01 9:28 p.m. | 4 views

CVE-2026-34568

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog posts. An attacker can inject a...

CVSS 9.1 | AI score 5.7 | EPSS 0.00317
Exploits: 1 | References: 3 | Affected software: 1
ATTACKERKB
added 2026/04/01 4:41 a.m. | 4 views

CVE-2026-5281

Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. Chromium security severity: High...

CVSS 8.8 | AI score 6.2 | EPSS 0.05036
Exploits: 0 | References: 3 | Affected software: 1
EUVD
added 2026/04/01 3:31 a.m. | 13 views

EUVD-2026-17739

XenForo before 2.3.9 is vulnerable to stored cross-site scripting XSS related to BB code rendering. An attacker can inject malicious scripts through BB code that are stored and executed when other users view the content...

CVSS 6.4 | AI score 5.9 | EPSS 0.00138
Exploits: 0 | References: 3
NVD
added 2026/04/01 1:16 a.m. | 5 views

CVE-2026-35054

XenForo before 2.3.9 is vulnerable to stored cross-site scripting XSS related to BB code rendering. An attacker can inject malicious scripts through BB code that are stored and executed when other users view the content...

CVSS 6.4 | EPSS 0.00138
Exploits: 0 | References: 2
CVE
added 2026/04/01 12:30 a.m. | 23 views

CVE-2026-35054

XenForo before 2.3.9 is affected by a stored XSS flaw in BB code rendering. An attacker can inject malicious scripts via BB code that get stored and executed when other users view the content. The issue is addressed in the XenForo 2.3.9 security fix. Remediation: upgrade to version 2.3.9 or apply...

CVSS 6.4 | AI score 5.9 | EPSS 0.00138
Exploits: 0 | References: 2 | Affected software: 1
Cvelist
added 2026/04/01 12:30 a.m. | 28 views

CVE-2026-35054 XenForo Stored Cross-Site Scripting via BB Code Rendering

XenForo before 2.3.9 is vulnerable to stored cross-site scripting XSS related to BB code rendering. An attacker can inject malicious scripts through BB code that are stored and executed when other users view the content...

CVSS 6.4 | EPSS 0.00138
Exploits: 0 | References: 2
Vulnrichment
added 2026/04/01 12:30 a.m. | 4 views

CVE-2026-35054 XenForo Stored Cross-Site Scripting via BB Code Rendering

XenForo before 2.3.9 is vulnerable to stored cross-site scripting XSS related to BB code rendering. An attacker can inject malicious scripts through BB code that are stored and executed when other users view the content...

CVSS 6.4 | AI score 5.9 | EPSS 0.00138
Exploits: 0 | References: 2
ATTACKERKB
added 2026/04/01 12:30 a.m. | 2 views

CVE-2026-35054

XenForo before 2.3.9 is vulnerable to stored cross-site scripting XSS related to BB code rendering. An attacker can inject malicious scripts through BB code that are stored and executed when other users view the content...

CVSS 6.4 | AI score 5.9 | EPSS 0.00138
Exploits: 0 | References: 3 | Affected software: 1
CNNVD
added 2026/04/01 12:00 a.m. | 8 views

CI4MS Cross-Site Scripting Vulnerability

CI4MS is an open-source blog page management tool developed by Ci4MS. Versions of CI4MS prior to 0.31.0.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from the application's insecure rendering of user-controlled input in the log interface. If any stored cross-site...

CVSS 9.1 | AI score 5.6 | EPSS 0.0038
Exploits: 1 | References: 2
CNNVD
added 2026/04/01 12:00 a.m. | 7 views

Xenforo Cross-Site Scripting Vulnerability

Xenforo is a forum software developed by the Xenforo company. Versions of XenForo prior to 2.3.9 had a cross-site scripting vulnerability. This vulnerability stemmed from the BB code rendering, which contained a stored cross-site scripting flaw, potentially allowing attackers to inject malicious...

CVSS 6.4 | AI score 5.7 | EPSS 0.00138
Exploits: 0 | References: 2
OSV
added 2026/03/31 11:12 p.m. | 2 views

GHSA-3H6J-9X8M-RG3G Graby has stored XSS via iframe srcdoc Attribute in htmLawed Sanitization Config

Summary Graby's cleanupXss function configures htmLawed with conflicting settings: safe=1, which removes <iframe>, combined with 'elements' => '+iframe-meta', which re-enables <iframe>. htmLawed does not sanitize the srcdoc attribute, allowing injection of arbitrary JavaScript that executes when the content is render...

CVSS 5.3 | AI score 6
Exploits: 0 | References: 4
Github Security Blog
added 2026/03/31 10:48 p.m. | 7 views

phpMyFAQ is Vulnerable to Stored XSS via Unsanitized Email Field in Admin FAQ Editor

Summary An unauthenticated attacker can submit a guest FAQ with an email address that is syntactically valid per RFC 5321 quoted local part yet contains raw HTML — for example "alert1"@evil.com. PHP's FILTER_VALIDATE_EMAIL accepts this email as valid. The email is stored in the database without HTM...

CVSS 6.4 | AI score 5.9 | EPSS 0.00262
Exploits: 1 | References: 4 | Affected software: 2
NVD
added 2026/03/31 9:16 p.m. | 7 views

CVE-2026-34366

InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery SSRF vulnerability exists in the Payment receipt PDF generation module. User-supplied HTML in the payment Notes...

CVSS 8.1 | EPSS 0.00245
Exploits: 1 | References: 2