WordPress plugin WOOD Products Filter for WooCommerce 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

CVE-2026-4313

AdaptiveGRC is vulnerable to Stored XSS via text type fields across the forms. Authenticated attacker can replace the value of the text field in the HTTP POST request. Improper parameter validation by the server results in arbitrary JavaScript execution in the victim's browser. Critically, this...

CVE-2026-4313

CVE-2026-4313 affects AdaptiveGRC. The issue is a stored XSS vulnerability in text-type fields across forms, where an authenticated attacker can replace a field value in an HTTP POST request. The server’s improper parameter validation can lead to arbitrary JavaScript execution in the victim’s bro...

CVE-2026-4313 Stored XSS in AdaptiveGRC

AdaptiveGRC is vulnerable to Stored XSS via text type fields across the forms. Authenticated attacker can replace the value of the text field in the HTTP POST request. Improper parameter validation by the server results in arbitrary JavaScript execution in the victim's browser. Critically, this...

CVE-2026-4313 Stored XSS in AdaptiveGRC

AdaptiveGRC is vulnerable to Stored XSS via text type fields across the forms. Authenticated attacker can replace the value of the text field in the HTTP POST request. Improper parameter validation by the server results in arbitrary JavaScript execution in the victim's browser. Critically, this...

PT-2026-34874

AdaptiveGRC is vulnerable to Stored XSS via text type fields across the forms. Authenticated attacker can replace the value of the text field in the HTTP POST request. Improper parameter validation by the server results in arbitrary JavaScript execution in the victim's browser. Critically, this...

AdaptiveGRC 跨站脚本漏洞

AdaptiveGRC is an enterprise-level platform for governance, risk, and compliance management developed by the Polish company AdaptiveGRC. AdaptiveGRC has a cross-site scripting vulnerability. This vulnerability stems from improper validation of text type field parameters by the server. It may allo...

CVE-2026-28784

Craft is a content management system CMS. Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. For this to...

Cross-site Scripting (XSS)

Overview nocodb is a NocoDB Affected versions of this package are vulnerable to Cross-site Scripting XSS via the CommentsService component that lacks sanitization for stored HTML. An attacker can execute arbitrary scripts in the context of users viewing affected rich text fields by injecting...

CVE-2026-25544

Payload is a free and open source headless content management system. Prior to 3.73.0, when querying JSON or richText fields, user input was directly embedded into SQL without escaping, enabling blind SQL injection attacks. An unauthenticated attacker could extract sensitive data emails, password...

Payload SQL注入漏洞

Payload is a headless CMS and application framework built using TypeScript, Node.js, React, and MongoDB. Versions of Payload prior to 3.73.0 have a SQL injection vulnerability. This vulnerability occurs when querying JSON or richText fields, where user input is directly embedded into SQL without...

SQL Injection

Overview @payloadcms/db-sqlite is a The officially supported SQLite database adapter for Payload Affected versions of this package are vulnerable to SQL Injection when querying JSON or richText fields. An attacker can extract sensitive information and gain unauthorized access to user accounts by...

CVE-2025-65924

ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically hyperlinks in fields that are intended for plain text. Although JavaScript is blocked preventing XSS, the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable...

CVE-2025-65924

ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically hyperlinks in fields that are intended for plain text. Although JavaScript is blocked preventing XSS, the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable...

CVE-2025-65924

ERPNext up to 15.88.1 is affected: the system does not sanitize or remove HTML hyperlinks in fields intended for plain text. Although JavaScript is blocked, the HTML is preserved in ERP-generated PDFs, enabling injection of clickable links that users may click, potentially enabling phishing or m...

EUVD-2025-206723

ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically hyperlinks in fields that are intended for plain text. Although JavaScript is blocked preventing XSS, the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable...

CVE-2025-65924

ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically hyperlinks in fields that are intended for plain text. Although JavaScript is blocked preventing XSS, the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable...

PT-2026-5952

ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically hyperlinks in fields that are intended for plain text. Although JavaScript is blocked preventing XSS, the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the rich text fields fields. An attacker can execute arbitrary scripts in the context of other users by injecting malicious HTML content. Details Cross-site scripting or XSS is a code vulnerability that occu...

CVE-2022-26205

Marky commit 3686565726c65756e was discovered to contain a remote code execution RCE vulnerability via the Display text fields. This vulnerability allows attackers to execute arbitrary code via injection of a crafted payload...