19 matches found
CVE-2025-14340
Cross-site scripting in the REST Management Interface in Payara Server 4.1.2.191.54, 5.83.0, 6.34.0, 7.2026.1 allows an attacker to mislead the administrator into changing the admin password via a URL payload...
PT-2026-20388
Name of the Vulnerable Software and Affected Versions: Payara Server versions prior to 4.1.2.191.54; Payara Server versions prior to 5.83.0; Payara Server versions prior to 6.34.0; Payara Server versions prior to 7.2026.1. Description: A cross-site scripting issue exists in the REST Management Interfac...
EUVD-2025-201879
@tiptap/extension-link vulnerable to Cross-site Scripting XSS...
CVE-2025-56313
A Reflected Cross-Site Scripting XSS vulnerability was discovered in the /publix/run endpoint of JATOS 3.7.1 through 3.9.6 inclusive. This allows remote attackers to execute arbitrary JavaScript in a user's web browser by including a malicious payload in the "code" URL parameter. When an...
EUVD-2021-14719
Malware in sbrugna...
EUVD-2023-1876
Malicious code in bioql PyPI...
CVE-2025-48053 Discourse vulnerable to DoS via large URL payload in PM to a bot
Discourse is an open-source discussion platform. Prior to version 3.4.4 of the stable branch, version 3.5.0.beta5 of the beta branch, and version 3.5.0.beta6-dev of the tests-passed branch, sending a malicious URL in a PM to a bot user can cause reduced availability of a Discourse instance...
CVE-2023-22722
GLPI is a Free Asset and IT Management Software package. Versions 9.4.0 and above, prior to 10.0.6, are subject to Cross-site Scripting. An attacker can persuade a victim into opening a URL containing a payload exploiting this vulnerability. Once exploited, the attacker can perform actions as the...
GHSA-HRMC-JMP7-MPM2 H2O.ai H2O vulnerable to deserialization attacks via a JDBC Connection URL
H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Exploitation can occur when an attacker has access to post to the ImportSQLTable URI with a JSON document containing a connectionurl property with a...
PT-2024-24232 · Unknown · Lavalite Cms
Name of the Vulnerable Software and Affected Versions: Lavalite CMS version 10.1.0 Description: The issue allows attackers to execute arbitrary code and obtain sensitive information via a crafted payload to the URL. This is a Cross Site Scripting vulnerability. Recommendations: For Lavalite CMS...
Vite XSS vulnerability in `server.transformIndexHtml` via URL payload
Summary When Vite's HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the html being transformed contains inline module scripts ..., it is possible to inject arbitrary HTML into the transformed output by supplying a...
CVE-2023-49293 Cross-site Scripting in `server.transformIndexHtml` via URL payload in vite
Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the html being transformed contains inline module scripts ..., it is possible to inject arbitrary HTML into the transforme...
Cross-site Scripting (XSS) - Stored in admidio/admidio
Description When adding a menu after logging in with an administrator account, there is no verification of the URL value, so the XSS payload is stored in the DB. After that, when you click the saved menu, XSS is triggered. If an administrator adds a menu, normal users can click it too. Proof of...
Plution - Prototype Pollution Scanner Using Headless Chrome
Plution is a convenient way to scan at scale for pages that are vulnerable to client side prototype pollution via a URL payload. In the default configuration, it will use a hardcoded payload that can detect 11 of the cases documented here:...
CVE-2021-28002
A persistent cross-site scripting vulnerability was discovered in the Excerpt parameter in Textpattern CMS 4.9.0 which allows remote attackers to execute arbitrary code via a crafted payload entered into the URL field. The vulnerability is triggered by users visiting the 'Articles' page...
CVE-2018-1000556
WordPress version 4.8+ contains a Cross Site Scripting (XSS) vulnerability in plugins.php or core WordPress on the delete function. An attacker can perform client-side attacks ranging from stealing a cookie to code injection. This attack appears to be exploitable via an attacke...