Exploit for CVE-2026-48849
CVE-2026-48849 - Stored XSS, HTML Injection & CSS Injection in...
CVE-2026-23756
GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the Troubleshooter module where the subject POST parameter is not sanitized in ControllerStep.InsertSubmit and EditSubmit before being rendered by ViewStep.RenderViewSteps. An authenticated staff member can inject...
CVE-2026-7013 MaxSite CMS mail_send Plugin cross site scripting
A security vulnerability has been detected in MaxSite CMS up to 109.3. Affected by this issue is some unknown functionality of the component mailsend Plugin. The manipulation of the argument fsubject/ffiles/ffrom leads to cross site scripting. The attack can be initiated remotely. The exploit has...
PT-2026-33815
GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the ticket subject field that allows authenticated staff members to inject malicious JavaScript by manipulating the editsubject POST parameter. Attackers can inject XSS payloads through inadequate sanitization in...
CVE-2026-34975
The CVE describes a CRLF header injection vulnerability in Plunk’s SESService.ts prior to version 0.8.0. An authenticated API user could inject arbitrary email headers (e.g., Bcc, Reply-To) by embedding CRLF characters in from.name, subject, custom header keys/values, or attachment filenames, bec...
GHSA-FR88-W35C-R596 Parse Server OAuth2 authentication adapter account takeover via identity spoofing
Impact The OAuth2 authentication adapter, when configured without the useridField option, only verifies that a token is active via the provider's token introspection endpoint, but does not verify that the token belongs to the user identified by authData.id. An attacker with any valid OAuth2 token...
CVE-2025-60304
code-projects Simple Scheduling System 1.0 is vulnerable to Cross Site Scripting (XSS) via the Subject Description field...
EUVD-2002-1896
Malware in sbrugna...
EUVD-2002-1937
Malware in sbrugna...
EUVD-2004-1493
Malware in sbrugna...
EUVD-2008-0879
Malware in sbrugna...
EUVD-2009-3409
Malware in sbrugna...
EUVD-2025-3124
Malicious code in bioql PyPI...
EUVD-2022-37546
Malicious code in bioql PyPI...
Wise-Insurance Agency Insurance Management System 1.0 Cross Site Scripting
Wise-Insurance Agency Insurance Management System version 1.0 suffers from a persistent cross site scripting vulnerability. Exploit Title: Wise-Insurance Agency - Insurance Management System 1.0 - Stored XSS Date: 25.08.2025 Exploit Author: Emir Bulutlu Vendor:...
CVE-2024-25438
A cross-site scripting (XSS) vulnerability in the Submission module of Pkp Ojs v3.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Input subject field under the Add Discussion function...
CVE-2022-44962
webtareas 2.4p5 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /calendar/viewcalendar.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Subject field...
CVE-2020-29470
OpenCart 3.0.3.6 is affected by cross-site scripting (XSS) in the Subject field of mail. This vulnerability can allow an attacker to inject an XSS payload in the Subject field of the mail; each time any user opens that mail on the website, the XSS triggers and the attacker is able to steal...
CVE-2017-11181
In Rise Ultimate Project Manager v1.8, XSS vulnerabilities were found in the Messaging section. Subject and Message fields are vulnerable...