1043 matches found
EUVD-2026-19275
An authenticated stored cross-site scripting XSS vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Title parameter...
Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the creation/editing module
An authenticated stored cross-site scripting XSS vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Title parameter...
Cross-site Scripting (XSS)
Overview feehi/cms is a Feehi CMS project template. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the creation/editing process via the Title parameter. An attacker can execute arbitrary web scripts or HTML by injecting a crafted payload. Details Cross-site...
CVE-2026-31351
An authenticated stored cross-site scripting XSS vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Title parameter...
PT-2026-30652
An authenticated stored cross-site scripting XSS vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Title parameter...
CVE-2026-31351
The CVE-2026-31351 entry describes an authenticated stored XSS vulnerability in Feehi CMS v2.1.1, exploitable via crafting payloads in the Title field during creation/editing. The issue is confirmed across multiple connected sources (RH Red Hat, EUVD ENISA, GHSA advisories, NVD/NVD-linked records...
CVE-2026-5580
A vulnerability was identified in CodeAstro Online Classroom 1.0. Impacted is an unknown function of the file /OnlineClassroom/addvideos.php of the component Parameter Handler. The manipulation of the argument videotitle leads to sql injection. It is possible to initiate the attack remotely. The...
EUVD-2026-18995
The Visitor Traffic Real Time Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pagetitle' parameter in all versions up to, and including, 8.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...
CVE-2026-2936
The Visitor Traffic Real Time Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pagetitle' parameter in all versions up to, and including, 8.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...
CVE-2026-2936
The CVE concerns the WordPress plugin Visitor Traffic Real Time Statistics, affected up to version 8.4. It is vulnerable to Stored Cross-Site Scripting via the page_title parameter due to insufficient input sanitization and output escaping. The vulnerability allows unauthenticated attackers to in...
CVE-2026-2936 Visitor Traffic Real Time Statistics <= 8.4 - Unauthenticated Stored Cross-Site Scripting
The Visitor Traffic Real Time Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pagetitle' parameter in all versions up to, and including, 8.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...
PT-2026-30345
Name of the Vulnerable Software and Affected Versions Visitor Traffic Real Time Statistics plugin for WordPress versions up to and including 8.4 Description The Visitor Traffic Real Time Statistics plugin for WordPress is susceptible to Stored Cross-Site Scripting through the page title parameter...
SQL Injection
Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to SQL Injection via the fixCleanTitle function. An attacker can access sensitive database information by injecting crafted input into the cleantitle or id parameters...
CVE-2026-33911 OpenEMR vulnerable to reflected XSS in graphs.php via title parameter
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the POST parameter title is reflected back in a JSON response built with jsonencode. Because the response is served with a text/html Content-Type, the browser...
CVE-2026-33911 OpenEMR vulnerable to reflected XSS in graphs.php via title parameter
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the POST parameter title is reflected back in a JSON response built with jsonencode. Because the response is served with a text/html Content-Type, the browser...
CVE-2026-33911 OpenEMR vulnerable to reflected XSS in graphs.php via title parameter
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the POST parameter title is reflected back in a JSON response built with jsonencode. Because the response is served with a text/html Content-Type, the browser...
CVE-2026-33911
CVE-2026-33911 : OpenEMR prior to 8.0.0.3 is vulnerable to a reflected XSS via the POST parameter title in graphs.php. The parameter is echoed back inside a JSON response built with json_encode(), but served with content-type text/html, causing the browser to execute injected HTML/script instead ...
CVE-2026-4616
CVE-2026-4616 affects bolo-blog 2.6.4, specifically the Article Title Handler component in /console/article/. The vulnerability arises from manipulating the articleTitle argument, enabling cross-site scripting. Exploitation is remote and an exploit has been publicly released; the project was info...
bolo-solo 代码注入漏洞
Bolo-Solo is a blog system developed under the open source Bolo-Blog project. Version 2.6.4 of Bolo-Solo contains a code injection vulnerability. This vulnerability stems from incorrect handling of the parameter articleTitle in the file /console/article/. It may lead to cross-site scripting attac...
PT-2026-26825
The Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tweet title' parameter in the 'TwitterFeeds' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...