5 matches found
CVE-2026-43938 YAF.NET: Unauthenticated Stored Second-Order XSS in Admin Event Log via Reflected `User-Agent` Header
YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5 and 3.2.12, the application's database logger (`YAFNET.Core/Logger/DbLogger.cs`) captures the incoming request's `User-Agent` header into a `JObject`, serializes it with `JsonConvert`, and stores the result in the `EventLog.Description` column...
CVE-2026-32986
Textpattern CMS version 4.9.0 contains a second-order cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting improper sanitization of user-supplied input in Atom feed XML elements. Attackers can embed unescaped payloads in parameters such as category th...
CVE-2021-43991
CVE-2021-43991 affects Kentico Xperience CMS, version 13.0–13.0.43, with a persistent (stored/second‑order) XSS vulnerability. The public description notes that attacker‑supplied script content stored by the app can be retrieved and executed by other users, enabling attacks such as session hijack...
CVE-2021-43409
The “WPO365 | LOGIN” WordPress plugin (up to and including version 15.3) by wpo365.com is vulnerable to a persistent Cross-Site Scripting (XSS) vulnerability, also known as Stored or Second-Order XSS. Persistent XSS vulnerabilities occur when the application stores and retrieves client-supplied data...
[KAPDA::#19] - Html Injection in vBulletin 3.5.2
KAPDA New advisory; Vendor: http://www.vbulletin.com ; Vulnerable Version: 3.5.2 (prior versions also may be affected); Bug: Html Injection (Second order cross site scripting); Exploitation: Remote with browser; Description: vBulletin is a powerful, scalable and fully customizable foru...