CVE-2025-58361
Promptcraft Forge Studio is a toolkit for evaluating, optimizing, and maintaining LLM-powered applications. All versions contain a non-exhaustive URL scheme check that does not protect against XSS. User-controlled URLs pass through src/utils/validation.ts, but the check only strips javascript: a...
CVE-2025-53931
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Stored Cross-Site Scripting XSS vulnerability was identified in the adicionarraca.php endpoint of the WeGIA application prior to version 3.4.5. This vulnerability allows attackers to inject...
PT-2025-27597 · WordPress · Magic Buttons For Elementor
Name of the Vulnerable Software and Affected Versions: Magic Buttons for Elementor plugin for WordPress versions up to, and including, 1.0 Description: The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping on user-supplied attributes in the...
CVE-2024-7090
The LH Add Media From Url plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘lhaddmediafromurl-fileurl’ parameter in all versions up to, and including, 1.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers ...
CVE-2025-3527
CVE-2025-3527 concerns the EventON Pro WordPress plugin (WordPress Virtual Event Calendar Plugin) up to version 4.9.6. The issue is a missing capability check in assets/lib/settings/settings.js that allows authenticated attackers with Subscriber-level access and above to inject arbitrary web scri...
CVE-2025-32974
XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.8 and from 16.0.0-rc-1 to before 16.2.0, the required rights analysis doesn't consider TextAreas with default content type. When editing a page, XWiki warns since version 15.9 when there is content on the page...
CVE-2024-1768
The Clever Fox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's info box block in all versions up to, and including, 25.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...
PT-2024-28261 · WordPress · The Royal Elementor Addons/Templates
Name of the Vulnerable Software and Affected Versions: The Royal Elementor Addons and Templates plugin for WordPress versions up to, and including, 1.3.971 Description: The issue arises from insufficient input sanitization and output escaping on user-supplied attributes like accordion title tag i...
PT-2024-2235 · Adobe · Experience Manager
Name of the Vulnerable Software and Affected Versions: Adobe Experience Manager versions 6.5.19 and earlier Description: The issue is a stored Cross-Site Scripting XSS vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript m...
PT-2024-14103 · Hertzbeat · Hertzbeat
Name of the Vulnerable Software and Affected Versions: Hertzbeat versions prior to 1.4.1 Description: Hertzbeat is a real-time monitoring system. In CalculateAlarm.java, AviatorEvaluator is used to directly execute the expression function, and no security policy is configured, resulting in...
PT-2024-20260 · Unknown · Springboot-Manager
Name of the Vulnerable Software and Affected Versions: springboot-manager version 1.6 Description: The issue is related to Cross Site Scripting XSS via the "/sysContent/add" API endpoint. This allows for potential malicious script injection. No information is provided about the estimated number o...
PT-2023-19169 · WordPress · Joel James Lazy Social Comments
Name of the Vulnerable Software and Affected Versions: Joel James Lazy Social Comments plugin versions = 2.0.4 Description: The issue is related to an Authenticated Stored Cross-Site Scripting XSS vulnerability. This means that an attacker with admin access can inject malicious scripts into the...
PT-2022-27783 · Microweber · Microweber
Name of the Vulnerable Software and Affected Versions: microweber/microweber versions prior to 1.3.2 Description: The issue is related to Cross-site Scripting XSS - Reflected, which occurs when an application includes user input in its responses without proper validation, allowing an attacker to...
Apple Safari and Apple iOS Safari Reader Cross-Site Scripting Vulnerability
Apple Safari and Apple iOS are both products of Apple Inc. Apple Safari is a web browser that is the default browser that comes with the Mac OS X and iOS operating systems. Apple iOS is a suite of operating systems developed for mobile devices. Safari Reader is one of the reader components. Safari...
Security Bulletin MS02-030: Unchecked Buffer in SQLXML Could Lead to Code Execution (Q321911)
----------------------------------------------------------------------
Title: Unchecked Buffer in SQLXML Could Lead to Code Execution (Q321911)
Date: 12 June 2002
Software: Microsoft SQLXML
Impact: Two vulnerabilities, the most serious of which could run code of attacker's choice.
Max Risk:...