Lucene search
K

198 matches found

NVD
NVD
added 2026/03/31 12:16 p.m.7 views

CVE-2026-4267

The Query Monitor – The developer tools panel for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘$SERVER'REQUESTURI'’ parameter in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping. This makes it possible...

7.2CVSS0.00302EPSS
Exploits0References5
EUVD
EUVD
added 2026/03/31 11:29 a.m.3 views

EUVD-2026-17397

The Query Monitor – The developer tools panel for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘$SERVER'REQUESTURI'’ parameter in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping. This makes it possible...

7.2CVSS6AI score0.00302EPSS
Exploits0References4
CVE
CVE
added 2026/03/31 11:29 a.m.18 views

CVE-2026-4267

The CVE-2026-4267 issue affects the WordPress Query Monitor plugin (versions up to 3.20.3). It allows Reflected Cross-Site Scripting via the $_SERVER['REQUEST_URI'] parameter due to insufficient input sanitization and output escaping, enabling unauthenticated attackers to inject scripts that exec...

7.2CVSS6AI score0.00302EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/03/31 11:29 a.m.2 views

CVE-2026-4267 Query Monitor <= 3.20.3 - Reflected Cross-Site Scripting via Request URI

The Query Monitor – The developer tools panel for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘$SERVER'REQUESTURI'’ parameter in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping. This makes it possible...

7.2CVSS6AI score0.00302EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/03/22 3:26 a.m.2 views

CVE-2026-4314

The 'The Ultimate WordPress Toolkit – WP Extended' plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.4. This is due to the isDashboardOrProfileRequest method in the Menu Editor module using an insecure strpos check against $SERVER'REQUESTURI' to...

8.8CVSS5.9AI score0.00286EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/03/22 12:0 a.m.5 views

PT-2026-26965

The 'The Ultimate WordPress Toolkit – WP Extended' plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.4. This is due to the isDashboardOrProfileRequest method in the Menu Editor module using an insecure strpos check against $ SERVER'REQUEST URI' t...

8.8CVSS5.9AI score0.00286EPSS
Exploits0References5
OSV
OSV
added 2026/03/19 7:37 p.m.5 views

GHSA-2XR4-CHCF-VMVF The Query Monitor plugin for WordPress has Reflected Cross-Site Scripting via Request URI

Impact The Query Monitor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'REQUESTURI' parameter in all versions up to, and including, 3.20.3 due to insufficient output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web script...

6.1CVSS5.9AI score0.00302EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/19 7:37 p.m.3 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the $SERVER'REQUESTURI' parameter due to insufficient output escaping. An attacker can execute arbitrary web scripts in the context of an administrator's browser by tricking an administrator-level user into...

7.2CVSS5.8AI score0.00302EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/03/19 7:37 p.m.7 views

The Query Monitor plugin for WordPress has Reflected Cross-Site Scripting via Request URI

Impact The Query Monitor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'REQUESTURI' parameter in all versions up to, and including, 3.20.3 due to insufficient output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web script...

7.2CVSS5.9AI score0.00302EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/02/18 10:7 p.m.2 views

GHSA-5PQF-54QP-32WX LibreNMS /device-groups name Stored Cross-Site Scripting

Summary /device-groups name Stored Cross-Site Scripting - HTTP POST - Request-URIs: "/device-groups" - Vulnerable parameters: "name" - Attacker must be authenticated with "admin" privileges. - When a user adds a device group, an HTTP POST request is sent to the Request-URI "/device-groups". The...

5.1CVSS5.5AI score0.00216EPSS
Exploits1References6
Github Security Blog
Github Security Blog
added 2026/02/18 10:7 p.m.7 views

LibreNMS /device-groups name Stored Cross-Site Scripting

Summary /device-groups name Stored Cross-Site Scripting - HTTP POST - Request-URIs: "/device-groups" - Vulnerable parameters: "name" - Attacker must be authenticated with "admin" privileges. - When a user adds a device group, an HTTP POST request is sent to the Request-URI "/device-groups". The...

5.1CVSS5.5AI score0.00216EPSS
Exploits1References6Affected Software1
RedhatCVE
RedhatCVE
added 2026/01/03 9:0 a.m.10 views

CVE-2025-15437

A vulnerability was found in LigeroSmart up to 6.1.24. This affects an unknown part of the component Environment Variable Handler. Performing a manipulation of the argument REQUESTURI results in cross site scripting. The attack may be initiated remotely. The exploit has been made public and could...

5.4CVSS3.5AI score0.00242EPSS
Exploits1References1
NVD
NVD
added 2026/01/02 9:15 a.m.4 views

CVE-2025-15437

A vulnerability was found in LigeroSmart up to 6.1.24. This affects an unknown part of the component Environment Variable Handler. Performing a manipulation of the argument REQUESTURI results in cross site scripting. The attack may be initiated remotely. The exploit has been made public and could...

5.4CVSS0.00242EPSS
Exploits1References8
Vulnrichment
Vulnrichment
added 2026/01/02 8:32 a.m.4 views

CVE-2025-15437 LigeroSmart Environment Variable cross site scripting

A vulnerability was found in LigeroSmart up to 6.1.24. This affects an unknown part of the component Environment Variable Handler. Performing a manipulation of the argument REQUESTURI results in cross site scripting. The attack may be initiated remotely. The exploit has been made public and could...

5.1CVSS3.5AI score0.00242EPSS
Exploits1References8
Cvelist
Cvelist
added 2026/01/02 8:32 a.m.27 views

CVE-2025-15437 LigeroSmart Environment Variable cross site scripting

A vulnerability was found in LigeroSmart up to 6.1.24. This affects an unknown part of the component Environment Variable Handler. Performing a manipulation of the argument REQUESTURI results in cross site scripting. The attack may be initiated remotely. The exploit has been made public and could...

5.1CVSS0.00242EPSS
Exploits1References8
ATTACKERKB
ATTACKERKB
added 2026/01/02 8:32 a.m.3 views

CVE-2025-15437

A vulnerability was found in LigeroSmart up to 6.1.24. This affects an unknown part of the component Environment Variable Handler. Performing a manipulation of the argument REQUESTURI results in cross site scripting. The attack may be initiated remotely. The exploit has been made public and could...

5.1CVSS3.5AI score0.00242EPSS
Exploits1References8
Positive Technologies
Positive Technologies
added 2026/01/02 12:0 a.m.5 views

PT-2026-1060

Name of the Vulnerable Software and Affected Versions LigeroSmart versions up to 6.1.24 Description A flaw exists in the Environment Variable Handler component of LigeroSmart. Manipulation of the REQUEST URI argument can lead to cross-site scripting. The issue may be exploited remotely. The explo...

5.1CVSS5.6AI score0.00242EPSS
Exploits1References12
CNNVD
CNNVD
added 2026/01/02 12:0 a.m.4 views

LigeroSmart 代码注入漏洞

LigeroSmart is a management platform for LigeroSmart open source. A code injection vulnerability exists in LigeroSmart versions 6.1.24 and earlier, which stems from the incorrect manipulation of the parameter REQUESTURI in the component Environment Variable Handler, and could lead to a cross-site...

5.4CVSS4.7AI score0.00242EPSS
Exploits1References8
OSV
OSV
added 2025/12/16 12:19 a.m.4 views

CVE-2025-67735 Netty has a CRLF Injection vulnerability in io.netty.handler.codec.http.HttpRequestEncoder

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the io.netty.handler.codec.http.HttpRequestEncoder has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when HttpRequestEncod...

6.5CVSS7.2AI score0.00292EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2025/12/14 6:2 a.m.15 views

CVE-2025-9116

The WPS Visitor Counter WordPress plugin through 1.4.8 does not escape the $SERVER'REQUESTURI' parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers...

5.8CVSS5.9AI score0.0012EPSS
Exploits0References1
Rows per page
Query Builder