CVE-2026-42140

The CVE covers the PlantUML Macro used in XWiki, where the vulnerability lies in the server parameter not being validated. Prior to version 2.4.1, an attacker can supply an arbitrary URL (including internal addresses) to the server parameter, causing the XWiki server to attempt to connect for ren...

CVE-2026-42140 Server-Side Request Forgery (SSRF) in PlantUML Macro via 'server' parameter

PlantUML Macro is a macro for rendering UML diagrams from simple textual schemes. Prior to version 2.4.1, the PlantUML Macro is vulnerable to Server-Side Request Forgery SSRF. The macro allows users to specify an alternative PlantUML server via the server parameter. However, the application does...

EUVD-2026-25248

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557B20221024 allowing attackers to execute arbitrary commands via the stunServerAddr parameter to /cgi-bin/cstecgi.cgi...

CVE-2026-5996

A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313b20191024. The affected element is the function setAdvancedInfoShow of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument ttyserver leads to os command injection. It is possible to...

CVE-2026-1647

The Comment Genius plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' parameter in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitra...

WEB VIDEO PLATFORM 代码问题漏洞

WEB VIDEO PLATFORM is an open-source project developed by WVP-PRO, based on the GB28181-2016 standard. Version 2.7.4-20260107 and earlier of WEB VIDEO PLATFORM have code vulnerabilities. These vulnerabilities stem from operations on the parameter MediaServer.streamIp in the file...

Smoothwall Express Cross-Site Scripting Vulnerability (CNVD-2026-14285)

Smoothwall Express is Smoothwall open source a GNU/Linux-based firewall operating system . Smoothwall Express has a cross-site scripting vulnerability. The vulnerability stems from the lack of effective filtering and escaping of user-supplied data in the NTPSERVER parameter of the time.cgi...

CVE-2019-25382

Smoothwall Express 3.1-SP4-polar-x8664-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the NTPSERVER parameter. Attackers can send POST requests to the time.cgi endpoint with script payloads in the...

CVE-2019-25382

Smoothwall Express 3.1-SP4-polar-x8664-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the NTPSERVER parameter. Attackers can send POST requests to the time.cgi endpoint with script payloads in the...

CVE-2019-25382 Smoothwall Express 3.1 'time.cgi' Cross-Site Scripting

Smoothwall Express 3.1-SP4-polar-x8664-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the NTPSERVER parameter. Attackers can send POST requests to the time.cgi endpoint with script payloads in the...

CVE-2019-25382

Smoothwall Express 3.1-SP4-polar-x8664-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the NTPSERVER parameter. Attackers can send POST requests to the time.cgi endpoint with script payloads in the...

CVE-2026-1634 Subitem AL Slider <= 1.0.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']

The Subitem AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

CVE-2026-2063 D-Link DIR-823X Web Management set_ac_server os command injection

A security flaw has been discovered in D-Link DIR-823X 250416. This vulnerability affects unknown code of the file /goform/setacserver of the component Web Management Interface. The manipulation of the argument acserver results in os command injection. The attack can be launched remotely. The...

EUVD-2026-5598

A security flaw has been discovered in D-Link DIR-823X 250416. This vulnerability affects unknown code of the file /goform/setacserver of the component Web Management Interface. The manipulation of the argument acserver results in os command injection. The attack can be launched remotely. The...

MedDream PACS Premium modifyEmail reflected cross-site scripting (XSS) vulnerability

Talos Vulnerability Report TALOS-2025-2263 MedDream PACS Premium modifyEmail reflected cross-site scripting XSS vulnerability January 20, 2026 CVE Number CVE-2025-57881 SUMMARY A reflected cross-site scripting xss vulnerability exists in the modifyEmail functionality of MedDream PACS Premium...

CVE-2025-13701

The Shabat Keeper plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' parameter in all versions up to, and including, 0.4.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrar...

CVE-2025-13624

The Overstock Affiliate Links plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' parameter in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to injec...

CVE-2025-60799

phpPgAdmin 7.13.0 and earlier contains an incorrect access control vulnerability in sql.php at lines 68-76. The application allows unauthorized manipulation of session variables by accepting user-controlled parameters 'subject', 'server', 'database', 'queryid' without proper validation or access...

EUVD-2020-2672

Malware in sbrugna...

EUVD-2011-5162

Malware in sbrugna...