47 matches found
EUVD-2025-203006
The Like DisLike Voting plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] variable in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVE-2025-14137 Simple AL Slider <= 1.2.10 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']
The Simple AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] variable in all versions up to, and including, 1.2.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVE-2025-14132 Category Dropdown List <= 1.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']
The Category Dropdown List plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVE-2025-14132
The CVE-2025-14132 entry refers to the WordPress plugin Category Dropdown List. It is a Reflected Cross-Site Scripting vulnerability exploitable via the PHP_SELF variable in all versions up to 1.0, due to insufficient input sanitization/output escaping. The Wordfence detail lists an affected prod...
CVE-2025-13894
CVE-2025-13894 refers to a Reflected Cross-Site Scripting vulnerability in the WordPress CSV Sumotto plugin (versions ≤ 1.0). The root cause is insufficient input sanitization and output escaping for the PHP_SELF server variable, allowing unauthenticated attackers to inject scripts into pages tha...
CVE-2025-13894 CSV Sumotto <= 1.0 - Reflected Cross-Site Scripting
The CSV Sumotto plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...
CVE-2025-13515 Nouri.sh Newsletter <= 1.0.1.3 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']
The Nouri.sh Newsletter plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] parameter in all versions up to, and including, 1.0.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVE-2025-13512 CoSign Single Signon <= 0.3.1 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']
The CoSign Single Signon plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] parameter in all versions up to, and including, 0.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVE-2025-13434
A weakness has been identified in jameschz Hush Framework 2.0. The impacted element is an unknown function of the file Hush\hush-lib\hush\Util.php of the component HTTP Host Header Handler. This manipulation of the argument $_SERVER['HOST'] causes improper neutralization of http headers for scriptin...
EUVD-2005-2575
Malware in sbrugna...
CVE-2023-24814
TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component GeneralUtility::getIndpEnv uses the unfiltered server environment variable PATH_INFO, which allows attackers to inject malicious content. In...
Flowise OverrideConfig security vulnerability
Impact: Flowise allows developers to inject configuration into the Chainflow during execution through the overrideConfig option. This is supported in both the frontend web integration and the backend Prediction API. This has a range of fundamental issues that are a major security vulnerability...
CVE-2023-24814 Persisted Cross-Site Scripting in Frontend Rendering in typo3
TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component GeneralUtility::getIndpEnv uses the unfiltered server environment variable PATH_INFO, which allows attackers to inject malicious content. In...
01ACP Cross-Site Scripting Vulnerability
01ACP is a central administration area for all modules of 01-Scripts.de by Michael Individual Developer. A cross-site scripting vulnerability exists in 01ACP 01-Artikelsystem, which originates from an unknown function in the file 01article.php. Manipulation of the parameter $_SERVER['PHP_SELF'] result...
Grandstream Ht801 Security Vulnerability
Grandstream Networks Grandstream Ht801 is a powerful analog telephone adapter from Grandstream Networks, USA. A security vulnerability exists in the Grandstream HT801 Analog Telephone Adaptor that stems from an issue found on the Grandstream HT801 Analog Telephone Adaptor. A malicious...
CVE-2021-38341
The WooCommerce Payment Gateway Per Category WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the /includes/pluginsettings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.0.10...
D-Link DIR-859 and DIR-850L Command Injection Vulnerability
The D-Link DIR-859 is a wireless AC1750 high-power Wi-Fi Gigabit router. The D-Link DIR-850L is a wireless AC1200 dual-band Gigabit cloud router. A command injection vulnerability exists in /etc/services/DEVICE.TIME.php in the D-Link DIR-859 A3-1.06 and DIR-850L A1.13. An attacker can exploit this...
Command injection
On D-Link DIR-859 A3-1.06 and DIR-850 A1.13 devices, /etc/services/DEVICE.TIME.php allows command injection via the $SERVER variable...
PT-2019-18534 · Zoneminder +3
Name of the Vulnerable Software and Affected Versions: ZoneMinder versions prior to 1.32.4 Description: A Reflected Cross Site Scripting (XSS) issue exists due to the insecure use of $_SERVER['PHP_SELF'] in the form action on multiple views. This mishandles arbitrary input appended to the webroot URL...
UBUNTU-CVE-2018-10059
Cacti before 1.1.37 has XSS because the get_current_page function in lib/functions.php relies on $_SERVER['PHP_SELF'] instead of $_SERVER['SCRIPT_NAME'] to determine a page name...