2830 matches found
CVE-2026-49210
Symfony UX is a JavaScript ecosystem for Symfony. From 2.8.0 until 2.36.0 and 3.1.0, Symfony\UX\LiveComponent\Util\ChildComponentPartialRenderer::createHtml interpolates the client-controlled childrenid.tag value from LiveComponentSubscriber and InterceptChildComponentRenderSubscriber directly in...
CVE-2026-49216 Symfony UX: XSS in symfony/ux-autocomplete via unescaped AJAX response data
Symfony UX is a JavaScript ecosystem for Symfony. From 2.2.0 until 2.36.0 and 3.1.0, the Stimulus controller in symfony/ux-autocomplete renders AJAX response items in createAutocompleteWithRemoteData by interpolating the text field into HTML template literals $itemlabelField rather than text,...
CVE-2026-49216
CVE-2026-49216 (Symfony UX Autocomplete) : The Stimulus controller in symfony/ux-autocomplete renders AJAX response items by interpolating item[labelField] directly into HTML, causing stored XSS when values come from user-supplied content. Affected: 2.2.0 through 2.36.0 and 3.1.0. Impact is that ...
CVE-2026-49211
The CVE-2026-49211 issue affects Symfony UX Autocomplete for Doctrine EntitySearchUtil::addSearchClause(), which builds a LIKE expression by wrapping the client query in %...% without escaping SQL LIKE wildcards. This allows unauthenticated users to turn the public BaseEntityAutocompleteType endp...
CVE-2026-49211 Symfony UX: Information exposure via unescaped LIKE wildcards in EntitySearchUtil
Symfony UX is a JavaScript ecosystem for Symfony. From 2.2.0 until 2.36.0 and 3.1.0, Symfony\UX\Autocomplete\Doctrine\EntitySearchUtil::addSearchClause builds the LIKE expression used by the autocomplete endpoint by wrapping the client-supplied query in %...% without escaping SQL LIKE wildcards %...
CVE-2026-10525
The NEX-Forms WordPress plugin before 9.2.3 does not sanitise and escape some submitted form data before storing it and outputting it back in the admin dashboard, leading to a Stored Cross-Site Scripting vulnerability which could allow unauthenticated users to perform Stored Cross-Site Scripting...
CVE-2026-46512 Frogman: Dialplan template parameters interpolated into extensions_custom.conf without escaping
Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, fmdialplanapply accepted template parameters including greeting, dest, url, extension, code, and file, and Tools/DialplanApply.php wrote Dialplan/Templates.php output to extensionscustom.conf while only...
CVE-2026-46512 Frogman: Dialplan template parameters interpolated into extensions_custom.conf without escaping
Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, fmdialplanapply accepted template parameters including greeting, dest, url, extension, code, and file, and Tools/DialplanApply.php wrote Dialplan/Templates.php output to extensionscustom.conf while only...
CVE-2026-46686
Emlog is an open source website building system. In 2.6.13 and earlier, the admin backend user search module's keyword parameter from admin/user.php is processed with addslashes but not HTML-escaped before being rendered into the value attribute in admin/views/user.php, allowing reflected...
CVE-2026-46686 Emlog Reflected Cross-Site Scripting
Emlog is an open source website building system. In 2.6.13 and earlier, the admin backend user search module's keyword parameter from admin/user.php is processed with addslashes but not HTML-escaped before being rendered into the value attribute in admin/views/user.php, allowing reflected...
CVE-2026-59859
Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.4, Kiota's PHP generator embedded OpenAPI description, default fields, property names, and other schema-derived strings into PHP double-quoted literals through SanitizeDoubleQuote in Writers/StringExtensions.cs without escaping $...
CVE-2026-59859 Kiota: Code Generation Literal Injection in the PHP Generator
Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.4, Kiota's PHP generator embedded OpenAPI description, default fields, property names, and other schema-derived strings into PHP double-quoted literals through SanitizeDoubleQuote in Writers/StringExtensions.cs without escaping $...
CVE-2026-12978
The FunnelKit WordPress plugin before 3.15.0.6 does not escape a user-supplied parameter before reflecting it into the HTML response of one of its page-builder AJAX actions, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting against logged-in users who open a crafted pag...
CVE-2026-52887
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to 2.0.61, NocoBase @nocobase/plugin-notification-in-app-message exposed GET /api/myInAppChannels:list, where the filterlatestMsgReceiveTimestamp$lt value was inserted into a...
ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input
A flaw was found in ip-address, a JavaScript library for parsing and manipulating IPv4 and IPv6 addresses. This vulnerability allows a remote attacker to perform cross-site scripting XSS by providing untrusted input to the Address6 constructor. When an application renders the output of...
CVE-2026-47730
Twig is a template language for PHP. From 3.0.0 until 3.26.0, Twig\Profiler\Dumper\HtmlDumper writes Profile::getTemplate and Profile::getName into HTML output without escaping, allowing attacker-controlled template or profile names to inject arbitrary HTML when a browser renders the profiler dum...
CVE-2026-47730
Twig: XSS in Twig\Profiler\Dumper\HtmlDumper allows attacker-controlled template/profile names to inject HTML in profiler output due to unescaped getTemplate()/getName() data. Affects Twig 3.0.0–3.26.0; fixed in 3.26.0 by escaping these values via htmlspecialchars(). No exploit details provided b...
CVE-2026-47730 Twig: XSS in profiler HtmlDumper via unescaped template and profile names
Twig is a template language for PHP. From 3.0.0 until 3.26.0, Twig\Profiler\Dumper\HtmlDumper writes Profile::getTemplate and Profile::getName into HTML output without escaping, allowing attacker-controlled template or profile names to inject arbitrary HTML when a browser renders the profiler dum...
CVE-2026-46628 Twig: The `spaceless` filter implicitly marks its output as safe
Twig is a template language for PHP. Prior to 3.26.0, the deprecated spaceless filter is registered as safe for HTML, causing Twig autoescaping to emit attacker-controlled markup unescaped when spaceless is applied to untrusted input. This issue is fixed in version 3.26.0...
CVE-2026-58500
MCP Appium is an MCP server that provides AI assistants with tools to automate mobile app testing on Android and iOS. In versions prior to 1.85.10, the createLocatorGeneratorUI function interpolates attacker-controlled element attributes — text, content-desc, resource-id, and locator selector...