Lucene search
K

17 matches found

Cvelist
Cvelist
added 2026/04/07 5:27 p.m.16 views

CVE-2026-39318 ChurchCRM has a DDL SQL Injection in GroupPropsFormRowOps.php

ChurchCRM is an open-source church management system. Versions prior to 7.1.0 have an SQL injection vulnerability in the endpoints /GroupPropsFormRowOps.php, /PersonCustomFieldsRowOps.php, and /FamilyCustomFieldsRowOps.php. A user has to be authenticated. For ManageGroups privileges have to be...

8.8CVSS0.0034EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2026/03/26 3:1 p.m.12 views

CVE-2026-33157

Craft CMS is a content management system CMS. From version 5.6.0 to before version 5.9.13, a Remote Code Execution RCE vulnerability exists in Craft CMS, it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add...

8.6CVSS5.8AI score0.0102EPSS
Exploits1References1
NVD
NVD
added 2026/03/24 6:16 p.m.7 views

CVE-2026-33157

Craft CMS is a content management system CMS. From version 5.6.0 to before version 5.9.13, a Remote Code Execution RCE vulnerability exists in Craft CMS, it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add...

8.6CVSS0.0102EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/03/24 5:22 p.m.3 views

CVE-2026-33157

Craft CMS is a content management system CMS. From version 5.6.0 to before version 5.9.13, a Remote Code Execution RCE vulnerability exists in Craft CMS, it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add...

8.6CVSS5.8AI score0.0102EPSS
Exploits1References4Affected Software1
Cvelist
Cvelist
added 2026/03/19 10:37 p.m.21 views

CVE-2026-29096 SuiteCRM vulnerable to Authenticated SQL Injection via unsanitized field_function in Report Fields

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. Prior to versions 7.15.1 and 8.9.3, when creating or editing a report AORReports module, the fieldfunction parameter from POST data is saved directly into the aorfields table without any...

8.1CVSS0.00316EPSS
Exploits0References2
NVD
NVD
added 2025/06/10 3:15 p.m.9 views

CVE-2025-26395

SolarWinds Observability Self-Hosted was susceptible to a cross-site scripting XSS vulnerability due to an unsanitized field in the URL. The attack requires authentication using an administrator-level account and user interaction is required...

7.1CVSS0.00188EPSS
Exploits0References2
Cvelist
Cvelist
added 2025/06/10 2:41 p.m.20 views

CVE-2025-26395 SolarWinds SWOSH DOM-based reflective XSS Vulnerability

SolarWinds Observability Self-Hosted was susceptible to a cross-site scripting XSS vulnerability due to an unsanitized field in the URL. The attack requires authentication using an administrator-level account and user interaction is required...

7.1CVSS0.00188EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2025/05/22 10:25 a.m.15 views

CVE-2019-10692

In the wp-google-maps plugin before 7.11.18 for WordPress, includes/class.rest-api.php in the REST API does not sanitize field names before a SELECT statement...

9.8CVSS6.7AI score0.78699EPSS
Exploits6References1
Cvelist
Cvelist
added 2025/04/24 8:49 p.m.45 views

CVE-2025-43861 ManageWiki Vulnerable to Self-XSS in review dialog via unsanitized field reflection

ManageWiki is a MediaWiki extension allowing users to manage wikis. Prior to commit 2f177dc, ManageWiki is vulnerable to reflected or stored XSS in the review dialog. A logged-in attacker must change a form field to include a malicious payload. If that same user then opens the "Review Changes"...

4.4CVSS0.00214EPSS
Exploits1References2
Veracode
Veracode
added 2023/08/22 9:12 a.m.25 views

Cross Site Scripting (XSS)

Keycloak is vulnerable to Cross Site Scripting XSS. The vulnerability is due to not sanitizing the username field when the same field is displayed back to the user on the user interface through browser. The attacker can include a malicious script in the username field and make that username field...

6.4CVSS5.8AI score0.0066EPSS
Exploits0References9Affected Software1
Prion
Prion
added 2021/08/16 11:15 a.m.17 views

Cross site scripting

The My Site Audit WordPress plugin through 1.2.4 does not sanitise or escape the Audit Name field when creating an audit, allowing high privilege users to set JavaScript payloads in them, even when he unfilteredhtml capability is disallowed, leading to an authenticated Stored Cross-Site Scripting...

3.5CVSS5.1AI score0.00656EPSS
Exploits2References1Affected Software1
Huntr
Huntr
added 2021/07/04 6:11 a.m.7 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

✍️ Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the Address field as tested on the latest release. 🕵️‍♂️ Proof of Concept Step to reproduce: Go to /admin/pageSettings.php?search-settings=smtp and the payload: ""@x.y in the "Senders...

5.9AI score
Exploits0
Huntr
Huntr
added 2021/07/04 5:53 a.m.6 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

✍️ Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the Address field as tested on the latest release. 🕵️‍♂️ Proof of Concept Step To Reproduce: Go to /invoicesview.php and click add new if you already has any item, just click it to edit...

6AI score
Exploits0
Huntr
Huntr
added 2021/07/02 1:8 a.m.8 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

✍️ Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the State name field as tested on the latest release. 🕵️‍♂️ Proof of Concept Steps to Reproduce: 1. Create a user account. 2. Login into the user account. 3. Enter the s"' payload in the...

0.6AI score
Exploits0
Huntr
Huntr
added 2021/07/02 1:7 a.m.10 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

✍️ Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the City field as tested on the latest release. 🕵️‍♂️ Proof of Concept Steps to Reproduce: 1. Create a user account. 2. Login into the user account. 3. Enter the s"' payload in the City...

1AI score
Exploits0
Prion
Prion
added 2021/03/03 8:15 p.m.19 views

Design/Logic Flaw

GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is a vulnerability within the document upload function Home Management Documents Add, or /front/document.form.php...

3.5CVSS5AI score0.00592EPSS
Exploits0References2Affected Software1
Exploit DB
Exploit DB
added 2014/09/20 12:0 a.m.29 views

Livefyre LiveComments Plugin - Persistent Cross-Site Scripting

Title : Stored XSS in Livefyre LiveComments Plugin CVE : 2014-6420 Vendor Homepage : http://livefyre.com Software Link : http://web.livefyre.com/streamhub/liveComments Version : v3.0 Author : Brij Kishore Mishra Date : 03-Sept-2014 Tested On : Chrome 37, Ubuntu 14.04 Description : This plugin...

7.4AI score
Exploits0
Rows per page
Query Builder