GHSA-XVHC-GM7J-MHMC Shopware: Stored XSS via SVG file upload — no SVG sanitization

SVG files are in the allowedextensions whitelist and can be uploaded by any admin user via the media manager. There is zero SVG content sanitization anywhere in the upload pipeline. A malicious SVG with JavaScript onload, , executes in the context of the Shopware domain when accessed. The Problem...

PT-2026-46874

SVG files are in the allowed extensions whitelist and can be uploaded by any admin user via the media manager. There is zero SVG content sanitization anywhere in the upload pipeline. A malicious SVG with JavaScript onload, , executes in the context of the Shopware domain when accessed. The Proble...

EUVD-2026-18304

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting XSS via the remark parameter to /cgi-bin/xtaccess.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page...

CVE-2026-34809

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting XSS via the remark parameter to /cgi-bin/zonefw.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page...

CVE-2026-32139

Dataease is an open source data visualization analysis tool. In DataEase 2.10.19 and earlier, the static resource upload interface allows SVG uploads. However, backend validation only checks whether the XML is parseable and whether the root node is svg. It does not sanitize active content such as...

CVE-2026-3572 iTracker360 <= 2.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'itracker_license' Settings Field

The iTracker360 plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in all versions up to and including 2.2.0. This is due to missing nonce verification on the settings form submission and insufficient input sanitization combined with missing...

CVE-2026-32139

DataEase is an open-source data visualization tool. In DataEase 2.10.19 and earlier, the static resource upload interface allows SVG uploads. Backend validation only checks that the XML is parseable and that the root node is svg, and does not sanitize active content (e.g., onload/onerror event ha...

CVE-2026-1915

CVE-2026-1915 concerns the WordPress plugin Simple Plyr (

PT-2026-7835

Name of the Vulnerable Software and Affected Versions Wix affected versions not specified Description A Reflected Cross-Site Scripting XSS issue exists in the Wix web application. The vulnerability is located in the SVG image upload functionality at the...

ConnectWise PSA security vulnerabilities

ConnectWise PSA is a professional service automation software developed by ConnectWise in the United States. Versions of ConnectWise PSA prior to 2026.1 contained security vulnerabilities. These vulnerabilities stemmed from the lack of output encoding for Time Entry notes in the Time Entry Audit...

PT-2026-2822

Name of the Vulnerable Software and Affected Versions GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation plugin for WordPress versions through 1.1.7 Description The software is susceptible to Stored Cross-Site Scripting due to inadequate input sanitization and output...

CVE-2026-0627 AMP for WP <= 1.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG File Upload

The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes tags while allowing other XSS vectors such as event handlers onload,...

CVE-2025-13159

The Flo Forms – Easy Drag & Drop Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.0.43. This is due to the plugin allowing SVG file uploads via an unauthenticated AJAX endpoint floformsubmit without proper...

EUVD-2021-11341

Malware in sbrugna...

CVE-2025-9883

The CVE-2025-9883 entry concerns the WordPress plugin Browser Sniff (versions

PT-2025-5945 · Unknown · Facilita Form Tracker

Name of the Vulnerable Software and Affected Versions: Facilita Form Tracker versions 1.0 and earlier Description: The issue is a Cross-Site Request Forgery CSRF vulnerability that allows Stored XSS in Facilita Form Tracker. This means an attacker can trick a user into performing unintended actio...

Cross-site Scripting (XSS)

pscontactinfo is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper sanitization of formatted addresses, which allows stored script execution when combined with third-party modules...

PT-2025-4599 · Wegia · Wegia

Name of the Vulnerable Software and Affected Versions: WeGIA versions prior to 3.2.6 Description: A Stored Cross-Site Scripting XSS vulnerability was identified in the informacao adicional.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into...

PT-2024-34786 · Seo Free · Seo Free

Name of the Vulnerable Software and Affected Versions: Seo Free versions n/a through 1.4 Description: The issue is a Cross-Site Request Forgery CSRF vulnerability that allows Stored XSS. This means an attacker can trick a user into performing unintended actions on a web application, and also stor...

Dassault Systèmes 3DEXPERIENCE 跨站脚本漏洞

Dassault Systèmes 3DEXPERIENCE is a business and innovation platform from Dassault Systèmes France. A cross-site scripting vulnerability exists in Dassault Systèmes 3DEXPERIENCE version R2024x, which stems from susceptibility to a stored cross-site scripting attack that allows an attacker to...