15 matches found

Vulnrichment · added 2025/12/11 9:40 p.m. · 1 view

CVE-2024-58303 FoF Pretty Mail 1.1.2 Server Side Template Injection via Email Template Settings

FoF Pretty Mail 1.1.2 contains a server-side template injection vulnerability that allows administrative users to inject malicious code into email templates. Attackers can execute system commands by inserting crafted template expressions that trigger arbitrary code execution during email generati...

CVSS 8.6 · AI score 6.5 · EPSS 0.00024
Exploits: 0 · References: 4

CVE · added 2025/12/11 9:40 p.m. · 3 views

CVE-2024-58302

FoF Pretty Mail 1.1.2 is affected by a Local File Inclusion (LFI) in the Email Template Settings. The weakness allows administrative users to include arbitrary server files during email generation, enabling reading of sensitive files such as /etc/passwd. Root cause is misuse of template processin...

CVSS 6.9 · AI score 6.2 · EPSS 0.00062
Exploits: 0 · References: 4

Cvelist · added 2025/12/11 9:40 p.m. · 17 views

CVE-2024-58302 FoF Pretty Mail 1.1.2 Local File Inclusion via Email Template Settings

FoF Pretty Mail 1.1.2 contains a local file inclusion vulnerability that allows administrative users to include arbitrary server files in email templates. Attackers can exploit the template settings by inserting file inclusion payloads to read sensitive system files like /etc/passwd during email...

CVSS 6.9 · EPSS 0.00062
Exploits: 0 · References: 4

CNNVD · added 2025/12/11 12:00 a.m. · 1 view

XMB Forum Cross-Site Scripting Vulnerability

XMB Forum is an open source forum system by XMB. A cross-site scripting vulnerability exists in XMB Forum version 1.9.12.06. It stems from persistent cross-site scripting in the template and homepage settings and could lead to script execution in the browsers of all forum users...

CVSS 5.3 · AI score 6.2 · EPSS 0.00078
Exploits: 0 · References: 3

CNVD · added 2025/10/21 12:00 a.m. · 1 view

Emlog Cross-Site Scripting Vulnerability (CNVD-2025-24787)

Emlog is a CMS builder based on PHP and MySQL. Emlog 2.5.21 and earlier versions contain a cross-site scripting vulnerability, which stems from the lack of effective filtering and escaping of user-supplied data in the email template settings. An attacker can exploit this vulnerability by...

CVSS 7.6 · AI score 6.5 · EPSS 0.00036
Exploits: 1 · References: 1

RedhatCVE · added 2025/10/04 7:07 a.m. · 3 views

CVE-2025-61597

Emlog is an open source website building system. In versions 2.5.21 and below, an HTML template injection allows stored cross‑site scripting XSS via the mail template settings. Once a malicious payload is saved, any subsequent visit to the settings page in an authenticated admin context will...

CVSS 7.6 · AI score 6.2 · EPSS 0.00036
Exploits: 1 · References: 1

RedhatCVE · added 2025/10/04 12:56 a.m. · 5 views

CVE-2025-60447

A stored Cross-Site Scripting XSS vulnerability has been discovered in Emlog Pro 2.5.19. The vulnerability exists in the email template configuration component located at /admin/setting.php?action=mail, which allows administrators to input HTML code that is not properly sanitized, leading to...

CVSS 5.9 · AI score 5.8 · EPSS 0.00066
Exploits: 1 · References: 1

CVE · added 2025/10/03 6:16 a.m. · 10 views

CVE-2025-61597

CVE-2025-61597 (Emlog) is a stored XSS vulnerability in Emlog 2.5.21 and earlier caused by HTML template injection in the mail template settings. In an authenticated admin session, saving a malicious payload can cause attacker‑controlled JavaScript to execute on subsequent visits to the settings ...

CVSS 7.6 · AI score 5.8 · EPSS 0.00036
Exploits: 1 · References: 2 · Affected software: 1

OSV · added 2025/04/25 6:15 a.m. · 2 views

CVE-2025-0671

The Icegram Express WordPress plugin before 5.7.50 does not sanitise and escape some of its Template settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

CVSS 6.1 · AI score 7.3 · EPSS 0.00126
Exploits: 1 · References: 1

NVD · added 2025/04/25 6:15 a.m. · 13 views

CVE-2025-0671

The Icegram Express WordPress plugin before 5.7.50 does not sanitise and escape some of its Template settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

CVSS 6.1 · EPSS 0.00126
Exploits: 1 · References: 1

Positive Technologies · added 2023/11/07 12:00 a.m. · 1 view

PT-2023-30241 · Ec Cube +1 · Ec-Cube +1

Name of the Vulnerable Software and Affected Versions: EC-CUBE versions 3.0.0 through 3.0.18-p6; EC-CUBE versions 4.0.0 through 4.0.6-p3; EC-CUBE versions 4.1.0 through 4.1.2-p2; EC-CUBE versions 4.2.0 through 4.2.2. Description: The issue is due to improper settings of the template engine Twig...

CVSS 7.2 · AI score 7.2 · EPSS 0.01296
Exploits: 1 · References: 6

Citrix · added 2023/01/30 12:00 a.m. · 4 views

Windows VMs can inherit the wrong driver update settings from the template

When creating a Windows VM from a template that is set not to update its drivers automatically through Windows Update, the created VM is incorrectly set to update its drivers through Windows Update...

AI score 7
Exploits: 0

Positive Technologies · added 2022/04/25 12:00 a.m. · 3 views

PT-2022-3563

Name of the Vulnerable Software and Affected Versions: ejs version 3.1.6. Description: The issue is related to the ejs package for Node.js, which allows server-side template injection via settings[view options][outputFunctionName]. This can be parsed as an internal option and overwrites the...

CVSS 10 · AI score 7 · EPSS 0.93462
Exploits: 5 · References: 24

Snyk · added 2021/03/02 7:51 p.m. · 3 views

Arbitrary Code Injection

Overview: underscore is a JavaScript functional programming helper library. Affected versions of this package are vulnerable to Arbitrary Code Injection via the template function, particularly when the variable option is taken from _.templateSettings, as it is not sanitized. PoC: const _ = ...

CVSS 7.2 · AI score 7.2 · EPSS 0.01452
Exploits: 2 · References: 2
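
The two Node.js template-engine entries above (the ejs outputFunctionName issue in PT-2022-3563 and the underscore template/variable issue in the Snyk entry) share one mechanism: a compile-time option is spliced as raw text into the source of a render function built with `new Function`, so whoever controls the option controls code that runs at compile or render time. The following is an added illustration, not code from Snyk, Positive Technologies, ejs or underscore; `compileTemplate`, its settings names and the demo functions are this example's own constructions that imitate the shape of those engines, and the payloads are modelled on the advisories' published PoC shapes but only set a marker on `globalThis` instead of spawning a process.

```javascript
// Added example: a miniature "<%= expr %>" template compiler that builds its
// render function with `new Function`, the way underscore's _.template and
// ejs do. Two compile options are spliced straight into the generated source:
//   settings.variable            - name of the data parameter (underscore's
//                                  _.templateSettings.variable)
//   settings.outputFunctionName  - name of an output helper (ejs's option)
// With strict = true both must be bare identifiers, which is the fix shape
// both projects adopted.

const BARE_IDENTIFIER = /^[A-Za-z_$][\w$]*$/;

function compileTemplate(text, settings = {}, strict = false) {
  const variable = settings.variable || 'obj';
  const outName = settings.outputFunctionName || null;
  if (strict) {
    for (const [name, value] of [['variable', variable], ['outputFunctionName', outName]]) {
      if (value !== null && !BARE_IDENTIFIER.test(value)) {
        throw new Error(`${name} is not a bare identifier: ${value}`);
      }
    }
  }
  // Translate literal text and "<%= expr %>" into string concatenation.
  let body = "var __p = '';\n";
  if (outName) body += `var ${outName} = function (s) { __p += s; };\n`; // option spliced into source
  let last = 0;
  const re = /<%=([\s\S]+?)%>/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    body += `__p += ${JSON.stringify(text.slice(last, m.index))};\n`;
    body += `__p += String(${m[1].trim()});\n`;
    last = m.index + m[0].length;
  }
  body += `__p += ${JSON.stringify(text.slice(last))};\nreturn __p;\n`;
  // The `variable` option becomes the function's parameter list verbatim.
  return new Function(variable, body);
}

// Underscore-style payload: a default-parameter initializer. It runs whenever
// the render function is called without a data argument.
function demoVariableInjection() {
  globalThis.__injected = null;
  const render = compileTemplate('', {
    variable: "a = (globalThis.__injected = 'underscore-variable')",
  });
  render();
  return globalThis.__injected;
}

// ejs-style payload: close the `var` declaration, run code, then reopen a
// declarator so the generated source still parses.
function demoOutputFunctionNameInjection() {
  globalThis.__injected = null;
  const render = compileTemplate('', {
    outputFunctionName: "echo; globalThis.__injected = 'ejs-outputFunctionName'; var echo2",
  });
  render();
  return globalThis.__injected;
}

// Hardened compile: returns true when the option is rejected before any
// source text is generated, false when it is accepted.
function hardenedRejects(settings) {
  try {
    compileTemplate('', settings, true);
    return false;
  } catch (e) {
    return /not a bare identifier/.test(e.message);
  }
}

// Legitimate use is unaffected by the check.
function renderGreeting() {
  const render = compileTemplate('Hello <%= user.name %>!', { variable: 'user' }, true);
  return render({ name: 'Ada' });
}

console.log(demoVariableInjection());            // underscore-variable
console.log(demoOutputFunctionNameInjection());  // ejs-outputFunctionName
console.log(hardenedRejects({ variable: 'a = 1' })); // true
console.log(renderGreeting());                   // Hello Ada!
```

The practical point for anyone triaging either advisory: the fix is not output escaping but input validation of the compile option itself, and any code path that lets request data reach template settings (ejs's `view options` merged from the render call is the documented one) is the exposure to look for.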

myhack58 · added 2015/03/05 12:00 a.m. · 33 views

DedeCMS v5.7 file inclusion leads to arbitrary code execution (of limited value: requires backend access) - vulnerability warning - Heiba Security Net

The Security Box team (www.secbox.cn) today found a code execution vulnerability in DedeCMS (织梦) that lets an attacker execute arbitrary code and obtain a shell (getshell). Affected versions: ≤ V5.7 SP1 official edition (2014-06-27). Overview: while auditing DedeCMS, the Security Box team found...

AI score 0.2
Exploits: 0