
22 matches found

NVD
added 2026/05/01 4:16 p.m. · 2 views

CVE-2026-37503

Cross-Site Scripting (XSS) in V2Board through 1.7.4. The custom_html field in theme configuration is rendered using Blade unescaped output in public/theme/v2board/dashboard.blade.php. An admin can inject arbitrary JavaScript via the saveThemeConfig API. All site visitors execute the payload, enabling...

CVSS 6.9 · EPSS 0.00032
Exploits: 1 · References: 2
Vulnrichment
added 2026/05/01 12:0 a.m. · 1 views

CVE-2026-37503

Cross-Site Scripting (XSS) in V2Board through 1.7.4. The custom_html field in theme configuration is rendered using Blade unescaped output in public/theme/v2board/dashboard.blade.php. An admin can inject arbitrary JavaScript via the saveThemeConfig API. All site visitors execute the payload, enabling...

CVSS 6.9 · AI score 5.9 · EPSS 0.00032
Exploits: 1 · References: 2
Positive Technologies
added 2026/05/01 12:0 a.m. · 5 views

PT-2026-36484

Name of the Vulnerable Software and Affected Versions: V2Board versions prior to 1.7.5 Description: Cross-Site Scripting (XSS) occurs when the custom html field in the theme configuration is rendered using unescaped Blade output in the 'public/theme/v2board/dashboard.blade.php' file. An administrator...

CVSS 6.9 · AI score 6 · EPSS 0.00032
Exploits: 1 · References: 5
CVE
added 2026/05/01 12:0 a.m. · 5 views

CVE-2026-37503

CVE-2026-37503 affects V2Board up to version 1.7.4. The vulnerability arises from rendering the custom_html field in theme configuration with unescaped Blade output in public/theme/v2board/dashboard.blade.php. An admin can inject arbitrary JavaScript via the saveThemeConfig API, which is then exe...

CVSS 6.9 · AI score 5.9 · EPSS 0.00032
Exploits: 1 · References: 2 · Affected Software: 1
Cvelist
added 2026/05/01 12:0 a.m. · 25 views

CVE-2026-37503

Cross-Site Scripting (XSS) in V2Board through 1.7.4. The custom_html field in theme configuration is rendered using Blade unescaped output in public/theme/v2board/dashboard.blade.php. An admin can inject arbitrary JavaScript via the saveThemeConfig API. All site visitors execute the payload, enabling...

CVSS 6.9 · EPSS 0.00032
Exploits: 1 · References: 2
CNNVD
added 2026/05/01 12:0 a.m. · 2 views

V2Board cross-site scripting vulnerability

V2Board is a multi-user agent service management panel open sourced by V2Board. V2Board 1.7.4 and earlier versions have a cross-site scripting vulnerability that stems from the use of Blade unescaped output in the custom_html field in the theme configuration, which could lead to administrators...

CVSS 6.9 · AI score 5.8 · EPSS 0.00032
Exploits: 1 · References: 1
CVE
added 2025/12/12 3:20 a.m. · 4 views

CVE-2025-14158

CVE-2025-14158 – Coding Blocks (WordPress plugin) is a CSRF vulnerability affecting all versions up to 1.1.0. The issue arises from missing nonce validation on the settings update functionality, enabling unauthenticated attackers to forge requests that update plugin settings, including theme conf...

CVSS 4.3 · AI score 5 · EPSS 0.00013
Exploits: 0 · References: 4
Cvelist
added 2025/12/12 3:20 a.m. · 24 views

CVE-2025-14158 Coding Blocks <= 1.1.0 - Cross-Site Request Forgery to Settings Update

The Coding Blocks plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update plugin settings including th...

CVSS 4.3 · EPSS 0.00013
Exploits: 0 · References: 4
EUVD
added 2025/10/03 8:7 p.m. · 1 views

EUVD-2025-26148

Malicious code in bioql PyPI...

CVSS 4.8 · AI score 4 · EPSS 0.00046
Exploits: 0 · References: 4
EUVD
added 2025/10/03 8:7 p.m. · 2 views

EUVD-2025-12269

Malicious code in bioql PyPI...

CVSS 7.3 · AI score 6.6 · EPSS 0.00124
Exploits: 0 · References: 4
RedhatCVE
added 2025/08/31 12:4 a.m. · 1 views

CVE-2025-9591

A security vulnerability has been detected in ZrLog up to 3.1.5. This vulnerability affects unknown code of the file /api/admin/template/config of the component Theme Configuration Form. Such manipulation of the argument footerLink leads to cross site scripting. The attack may be launched remotel...

CVSS 4.8 · AI score 5.8 · EPSS 0.00046
Exploits: 0 · References: 1
Cvelist
added 2025/08/28 10:2 p.m. · 7 views

CVE-2025-9591 ZrLog Theme Configuration Form config cross site scripting

A security vulnerability has been detected in ZrLog up to 3.1.5. This vulnerability affects unknown code of the file /api/admin/template/config of the component Theme Configuration Form. Such manipulation of the argument footerLink leads to cross site scripting. The attack may be launched remotel...

CVSS 4.8 · EPSS 0.00046
Exploits: 0 · References: 4
Vulnrichment
added 2025/08/28 10:2 p.m. · 1 views

CVE-2025-9591 ZrLog Theme Configuration Form config cross site scripting

A security vulnerability has been detected in ZrLog up to 3.1.5. This vulnerability affects unknown code of the file /api/admin/template/config of the component Theme Configuration Form. Such manipulation of the argument footerLink leads to cross site scripting. The attack may be launched remotel...

CVSS 4.8 · AI score 5.5 · EPSS 0.00046
Exploits: 0 · References: 4
CVE
added 2025/08/28 10:2 p.m. · 10 views

CVE-2025-9591

CVE-2025-9591 affects ZrLog versions up to 3.1.5. The vulnerability resides in the Theme Configuration Form’s /api/admin/template/config handling, where manipulation of the footerLink parameter can trigger cross-site scripting. The attack is described as remotely exploitable with a publicly discl...

CVSS 4.8 · AI score 3 · EPSS 0.00046
Exploits: 0 · References: 4
Positive Technologies
added 2025/08/28 12:0 a.m. · 2 views

PT-2025-35148

Name of the Vulnerable Software and Affected Versions: ZrLog versions up to 3.1.5 Description: A security vulnerability exists in ZrLog, potentially allowing for cross site scripting. The vulnerability affects unknown code within the /api/admin/template/config file of the Theme Configuration Form...

CVSS 4.8 · AI score 2.8 · EPSS 0.00046
Exploits: 0 · References: 8
RedhatCVE
added 2025/04/26 6:12 a.m. · 3 views

CVE-2025-29621

Francois Jacquet RosarioSIS v12.0.0 was discovered to contain a content spoofing vulnerability in the Theme configuration under the My Preferences module. This vulnerability allows attackers to manipulate application settings...

CVSS 7.3 · AI score 7.2 · EPSS 0.00124
Exploits: 0 · References: 1
CNNVD
added 2025/04/22 12:0 a.m. · 2 views

RosarioSIS security vulnerability

RosarioSIS is a free and open source student information system open sourced by Francois Jacquet. It is used to manage students, create reports and make the right decisions. A security vulnerability exists in RosarioSIS version v12.0.0 that stems from content spoofing in the theme configuration,...

CVSS 7.3 · AI score 6.3 · EPSS 0.00124
Exploits: 0 · References: 1
Positive Technologies
added 2025/04/22 12:0 a.m. · 1 views

PT-2025-17591 · Unknown · Rosariosis

Name of the Vulnerable Software and Affected Versions: Francois Jacquet RosarioSIS version 12.0.0 Description: The issue is related to a content spoofing vulnerability found in the Theme configuration under the My Preferences module. This allows attackers to manipulate application settings...

CVSS 7.3 · AI score 6.2 · EPSS 0.00124
Exploits: 0 · References: 7
Cvelist
added 2025/04/22 12:0 a.m. · 8 views

CVE-2025-29621

Francois Jacquet RosarioSIS v12.0.0 was discovered to contain a content spoofing vulnerability in the Theme configuration under the My Preferences module. This vulnerability allows attackers to manipulate application settings...

EPSS 0.00124
Exploits: 0 · References: 2
SUSE CVE
added 2023/02/15 6:17 a.m. · 1 views

SUSE CVE-2005-3300

The register_globals emulation layer in grab_globals.php for phpMyAdmin before 2.6.4-pl3 does not perform safety checks on values in the _FILES array for uploaded files, which allows remote attackers to include arbitrary files by using direct requests to library scripts that do not use...

CVSS 5 · AI score 7.5 · EPSS 0.0189
Exploits: 0 · References: 9