11 matches found
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the Email template field. An attacker can execute arbitrary HTML or script code in the context of the user by injecting malicious content into this field. Details Cross-site scripting or XSS is a code...
CVE-2025-66437
An SSTI (Server-Side Template Injection) vulnerability exists in the get_address_display method of Frappe ERPNext through 15.89.0. This function renders address templates using frappe.render_template with a context derived from the address_dict parameter, which can be either a dictionary or a string...
Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` parameter `data[header][template]` in Advanced Tab
Summary A Stored Cross-Site Scripting (XSS) vulnerability was identified in the `/admin/pages/[page]` endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the `data[header][template]` parameter. The script is saved within the page's frontmatter and executed...
GHSA-7G78-5G5G-MVFJ Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` parameter `data[header][template]` in Advanced Tab
Summary A Stored Cross-Site Scripting (XSS) vulnerability was identified in the `/admin/pages/[page]` endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the `data[header][template]` parameter. The script is saved within the page's frontmatter and executed...
PT-2024-16605 · WordPress · Getwid
Name of the Vulnerable Software and Affected Versions: Getwid – Gutenberg Blocks plugin for WordPress versions up to, and including, 2.0.12 Description: The issue is related to Stored Cross-Site Scripting via the template-post-custom-field block due to insufficient input sanitization and output...
CVE-2024-25514
RuvarOA v6.01 and v12.01 were discovered to contain a SQL injection vulnerability via the templateid parameter at /SysManage/wftemplatechildfieldlist.aspx...
CVE-2023-36467
AWS data.all is an open source development framework to help users build a data marketplace on Amazon Web Services. data.all versions 1.2.0 through 1.5.1 do not prevent remote code execution when a user injects Python commands into the ‘Template’ field when configuring a data pipeline. The issue...
Remote code execution
AWS data.all is an open source development framework to help users build a data marketplace on Amazon Web Services. data.all versions 1.2.0 through 1.5.1 do not prevent remote code execution when a user injects Python commands into the ‘Template’ field when configuring a data pipeline. The issue...
CVE-2023-36467
CVE-2023-36467 concerns AWS data.all, an open-source data marketplace framework. The connected sources confirm that versions 1.2.0 through 1.5.1 are vulnerable to remote code execution when an authenticated user injects Python commands into the Template field during data pipeline configuration. T...
PT-2023-25581 · Alldata · Alldata
Name of the Vulnerable Software and Affected Versions: data.all versions 1.2.0 through 1.5.1 Description: The issue concerns remote code execution when a user injects Python commands into the Template field while configuring a data pipeline. This can only be triggered by authenticated users...
DEBIAN-CVE-2010-1645
Cacti before 0.8.7f, as used in Red Hat High Performance Computing (HPC) Solution and other products, allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in (1) the FQDN field of a Device or (2) the Vertical Label field of a Graph Template...