Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

7 matches found

Cvelist
Cvelistadded 2026/04/07 2:26 p.m.18 views

CVE-2026-35460 Papra has an HTML Injection in Transactional Emails via Unescaped User Display Name

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, transactional email templates in Papra interpolate user.name directly into HTML without escaping or sanitization. An attacker who registers with a display name containing HTML tags will have those tags injected...

4.3CVSS0.00192EPSS
Exploits1References1
CVE
CVEadded 2026/04/07 2:26 p.m.9 views

CVE-2026-35460

Papra (document management platform) is affected by an HTML injection in transactional emails prior to version 26.4.0, where user.display name is interpolated into email HTML without escaping. An attacker registering with a display name containing HTML could inject tags into verification and pass...

5.4CVSS5.9AI score0.00192EPSS
Exploits1References1Affected Software1
CNNVD
CNNVDadded 2026/04/07 12:0 a.m.6 views

Papra 安全漏洞

Papra is an open-source document management and archiving platform developed by Papra itself. Versions of Papra prior to 26.4.0 contained security vulnerabilities. These vulnerabilities stemmed from transactional email templates that directly inserted user.name into HTML without escaping or...

5.4CVSS5.8AI score0.00192EPSS
Exploits1References1
Vulnrichment
Vulnrichmentadded 2026/02/21 10:16 a.m.2 views

CVE-2026-27492 Lettermint Node.js SDK leaks email properties to unintended recipients when client instance is reused

Lettermint Node.js SDK is the official Node.js SDK for Lettermint. In versions 1.5.0 and below, email properties such as to, subject, html, text, and attachments are not reset between sends when a single client instance is reused across multiple .send calls. This can cause properties from a...

4.7CVSS5.3AI score0.00166EPSS
Exploits0References3
NVD
NVDadded 2026/01/07 12:16 p.m.4 views

CVE-2025-13974

The Email Customizer for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email template content in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

4.4CVSS0.003EPSS
Exploits0References4
Patchstack
Patchstackadded 2022/02/28 12:0 a.m.13 views

WordPress STEWoo – Super Transactional Emails for WooCommerce plugin <= 1.2.3 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability

Toggle The Debug Mode via Cross-Site Request Forgery CSRF vulnerability discovered in WordPress STEWoo – Super Transactional Emails for WooCommerce plugin versions = 1.2.3. Solution Update the WordPress STEWoo – Super Transactional Emails for WooCommerce plugin to the latest available version at...

4.1AI score
Exploits0References2Affected Software1
CNVD
CNVDadded 2019/11/06 12:0 a.m.7 views

Magento Cross-Site Scripting Vulnerability (CNVD-2019-40835)

Magento is an open source PHP e-commerce system of the United States Magento company . The system provides rights management , search engines and payment gateways and other functions. A security vulnerability exists in Magento versions prior to 1.9.4.3 and prior to 1.14.4.3. An attacker can explo...

4.8CVSS7.1AI score0.00517EPSS
Exploits0References1
Rows per page
Query Builder