11 matches found

Vulnrichment
added 2026/03/29 9:45 a.m., 2 views

CVE-2026-5041 code-projects Chamber of Commerce Membership Management System pageMail.php fwrite command injection

A vulnerability was identified in code-projects Chamber of Commerce Membership Management System 1.0. Impacted is the function fwrite of the file admin/pageMail.php. The manipulation of the argument mailSubject/mailMessage leads to command injection. The attack may be initiated remotely. The...

CVSS 5.8 | AI score 5.8 | EPSS 0.00336
Exploits: 0 | References: 5
RedhatCVE
added 2025/12/09 8:27 a.m., 6 views

CVE-2025-66514

Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Prior to 5.5.3, a stored HTML injection in the Mail app's message list allowed an authenticated user to inject HTML into the email subjects. JavaScript was correctly blocked by the content security policy of the...

CVSS 5.4 | AI score 6.7 | EPSS 0.00016
Exploits: 0 | References: 1
Nextcloud
added 2025/12/05 8:6 a.m., 9 views

Mail stored HTML injection in subject text

None...

CVSS 5.4 | AI score 5.2 | EPSS 0.00016
Exploits: 0 | References: 2 | Affected Software: 1
Hacker One
added 2025/09/24 5:36 p.m., 6 views

Nextcloud: Mail stored HTML injection in subject text

A stored HTML injection vulnerability was discovered in the subject text of the Mail app. The vulnerability allowed for arbitrary HTML code to be injected into the subject line of emails stored in the system...

CVSS 5.4 | AI score 5.8 | EPSS 0.00016
Exploits: 0
Tenable Nessus
added 2025/08/18 12:0 a.m., 3 views

Linux Distros Unpatched Vulnerability : CVE-2021-44533

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Node.js 12.22.9, 14.18.3, 16.13.2, and 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects...

CVSS 5.3 | AI score 6.6 | EPSS 0.00364
Exploits: 1 | References: 2
RedhatCVE
added 2025/05/23 1:25 a.m., 7 views

CVE-2022-25813

In Apache OFBiz, versions 18.12.05 and earlier, an attacker acting as an anonymous user of the ecommerce plugin can insert malicious content in a message "Subject" field from the "Contact us" page. Then a party manager needs to list the communications in the party component to activate the SST...

CVSS 7.5 | AI score 6.7 | EPSS 0.54256
Exploits: 1 | References: 1
Hacker One
added 2022/06/10 3:28 p.m., 4 views

Insightly: Stored XSS in Email Notifcation

A stored XSS vulnerability was discovered in the email notification feature of the crm.na1.insightly.com platform. The vulnerability allowed an attacker to inject malicious code into the email subject, which was then executed when users viewed the notification. The vulnerability was caused by...

AI score 6.4
Exploits: 0
OSV
added 2022/02/24 7:15 p.m., 0 views

UBUNTU-CVE-2021-44533

Node.js 12.22.9, 14.18.3, 16.13.2, and 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in...

CVSS 5.3 | AI score 6.8 | EPSS 0.00364
Exploits: 1 | References: 4
Prion
added 2014/06/19 2:55 p.m., 10 views

Cross site scripting

Cross-site scripting (XSS) vulnerability in the ThreeWP Email Reflector plugin before 1.16 for WordPress allows remote attackers to inject arbitrary web script or HTML via the Subject of an email...

CVSS 4.3 | AI score 6.2 | EPSS 0.01626
Exploits: 1 | References: 5 | Affected Software: 1
Cvelist
added 2014/06/19 2:0 p.m., 17 views

CVE-2012-2572

Cross-site scripting (XSS) vulnerability in the ThreeWP Email Reflector plugin before 1.16 for WordPress allows remote attackers to inject arbitrary web script or HTML via the Subject of an email...

AI score 5.8 | EPSS 0.01626
Exploits: 1 | References: 5
Positive Technologies
added 2012/01/14 12:0 a.m., 2 views

PT-2012-2798 · Whmcs · Whmcs

Name of the Vulnerable Software and Affected Versions: WHMCS version 5.03 Description: The issue allows remote attackers to inject arbitrary code into a subject field via crafted ticket data in the submitticket.php file. Note that the vendor disputes this issue, stating that some details overlap...

CVSS 5 | AI score 7.6 | EPSS 0.00345
Exploits: 1 | References: 5