CVE-2026-1893 Orbisius Random Name Generator <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'btn_label' Shortcode Attribute

The Orbisius Random Name Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'btnlabel' parameter in the 'orbisiusrandomnamegenerator' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it...

CVE-2026-1231

The Beaver Builder Page Builder – Drag and Drop Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the js Global Settings parameter in all versions up to, and including, 2.10.0.5 due to missing capability checks on saveglobalsettings function and insufficient...

Pacom Unison Client 安全漏洞

Pacom Unison Client is an intelligent security management system developed by the Pacom company in the United States. Version 5.13.1 of Pacom Unison Client contains a security vulnerability. This vulnerability allows authenticated users to inject malicious scripts into report templates, potential...

Mealie 安全漏洞

Mealie is a self-hosted recipe manager and meal planner developed by Hayden in the United States. Version 3.3.1 of Mealie contains a security vulnerability. This vulnerability stems from the use of storage-oriented cross-site scripting in the recipe asset upload and media service components. It m...

CVE-2025-65480

An issue was discovered in Pacom Unison Client 5.13.1. Authenticated users can inject malicious scripts in the Report Templates which are executed when certain script conditions are fulfilled, leading to Remote Code Execution...

CVE-2025-65480

An issue was discovered in Pacom Unison Client 5.13.1. Authenticated users can inject malicious scripts in the Report Templates which are executed when certain script conditions are fulfilled, leading to Remote Code Execution...

CVE-2025-65480

An issue was discovered in Pacom Unison Client 5.13.1. Authenticated users can inject malicious scripts in the Report Templates which are executed when certain script conditions are fulfilled, leading to Remote Code Execution...

CVE-2025-65480

CVE-2025-65480 affects Pacom Unison Client 5.13.1. Authenticated users can inject malicious scripts into Report Templates, which are executed when certain script conditions trigger, granting Remote Code Execution. Public-connected sources (Red Hat, NVD, CNNVD, and a GitHub exploit thread) confirm...

CVE-2026-24323

The BSP applications allow an unauthenticated user to inject malicious script content via user-controlled URL parameters that are not sufficiently sanitized. When a victim accesses a crafted URL, the injected script is executed in the victim�s browser, leading to a low impact on confidentiality a...

CVE-2026-24323

The BSP applications allow an unauthenticated user to inject malicious script content via user-controlled URL parameters that are not sufficiently sanitized. When a victim accesses a crafted URL, the injected script is executed in the victim�s browser, leading to a low impact on confidentiality a...

CVE-2026-24323

CVE-2026-24323 affects BSP applications of SAP Document Management System. An unauthenticated user can inject malicious script via user-controlled URL parameters that are not sufficiently sanitized, causing script execution in the victim’s browser. Impact is described as low for confidentiality a...

CVE-2026-24323 Multiple vulnerabilities in BSP Applications of SAP Document Management System

The BSP applications allow an unauthenticated user to inject malicious script content via user-controlled URL parameters that are not sufficiently sanitized. When a victim accesses a crafted URL, the injected script is executed in the victim�s browser, leading to a low impact on confidentiality a...

CVE-2026-24323 Multiple vulnerabilities in BSP Applications of SAP Document Management System

The BSP applications allow an unauthenticated user to inject malicious script content via user-controlled URL parameters that are not sufficiently sanitized. When a victim accesses a crafted URL, the injected script is executed in the victim�s browser, leading to a low impact on confidentiality a...

PT-2026-7222

The BSP applications allow an unauthenticated user to inject malicious script content via user-controlled URL parameters that are not sufficiently sanitized. When a victim accesses a crafted URL, the injected script is executed in the victim�s browser, leading to a low impact on confidentiality a...

CVE-2026-1613

The Wonka Slide plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's listclass shortcode in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-15267

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's btbbaccordionitem shortcode in all versions up to, and including, 5.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2026-1643

The MP-Ukagaka plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if...

EUVD-2026-5737

The Wikiloops Track Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wikiloops shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2026-0555 Premmerce <= 1.3.20 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'premmerce_wizard_actions' AJAX Endpoint

The Premmerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premmercewizardactions' AJAX endpoint in all versions up to, and including, 1.3.20. This is due to missing capability checks and insufficient input sanitization and output escaping on the state parameter. Thi...

CVE-2026-1401

The Tune Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via CSV import in all versions up to, and including, 1.6.3. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...