17 matches found

NVD
added 2026/06/17 1:21 p.m.

CVE-2026-7850

The WP Magnific Popup WordPress plugin through 1.0 does not properly escape user-controlled link URLs before injecting them into the DOM when displaying image load error messages, allowing authenticated attackers with Author-level access or above to perform Stored Cross-Site Scripting attacks...

CVSS 5.9, EPSS 0.0014
Exploits: 0, References: 1
OSV
added 2026/04/16 7:24 a.m.

SUSE-SU-2026:21200-1 Security update for go1.25

This update for go1.25 fixes the following issues: Update to go1.25.8 bsc1244485: - CVE-2026-25679: net/url: reject IPv6 literal not at start of host bsc1259264. - CVE-2026-27139: os: FileInfo can escape from a Root bsc1259268. - CVE-2026-27142: html/template: URLs in meta content attribute actio...

CVSS 7.5, AI score 5.8, EPSS 0.0052
Exploits: 0, References: 8
OSV
added 2026/04/08 10:53 p.m.

CLSA-2026-1775688811 Fix CVE(s): CVE-2026-32748, CVE-2026-33526

SECURITY UPDATE: denial of service via use-after-free in ICP - debian/patches/CVE-2026-33526.patch: remove duplicate rfc1738escape call in icpGetRequest that invalidated the previously escaped URL pointer - CVE-2026-33526 SECURITY UPDATE: denial of service via use-after-free in ICP request handli...

CVSS 9.2, AI score 5.8, EPSS 0.02738
Exploits: 0, References: 1
Tenable Nessus
added 2026/04/01 12:00 a.m.

Amazon Linux 2023 : golist (ALAS2023-2026-1513)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1513 advisory. url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. CVE-2026-25679 On Unix platforms, when listing the contents of a directory using File.ReadDir or...

CVSS 7.5, AI score 7.5, EPSS 0.0052
Exploits: 0, References: 8
Github Security Blog
added 2025/07/09 6:30 p.m.

Jenkins Applitools Eyes Plugin vulnerable to XSS through its Build page

Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not escape the Applitools URL on the build page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. Applitools Eyes Plugin 1.16.6 rejects Applitools URLs that contain HTML...

CVSS 5.4, AI score 5, EPSS 0.00243
Exploits: 0, References: 4, Affected Software: 1
RedhatCVE
added 2025/05/23 10:47 a.m.

CVE-2024-9219

The WordPress Social Share Buttons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.19. This makes it possible for unauthenticated attackers to inject arbitrary web...

CVSS 6.1, AI score 6.4, EPSS 0.00368
Exploits: 0, References: 1
NVD
added 2025/03/25 10:15 a.m.

CVE-2025-2635

The Digital License Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of the remove_query_arg function without appropriate escaping on the URL in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to inject arbitrary...

CVSS 6.1, EPSS 0.00287
Exploits: 0, References: 4
Cvelist
added 2024/12/05 9:23 a.m.

CVE-2024-11324 Accounting for WooCommerce <= 1.6.6 - Reflected Cross-Site Scripting

The Accounting for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to inject arbitrary web scrip...

CVSS 6.1, EPSS 0.00338
Exploits: 0, References: 3
CVE
added 2024/11/21 2:06 a.m.

CVE-2024-11360

CVE-2024-11360 → WordPress Page Parts plugin

CVSS 6.1, AI score 6, EPSS 0.00735
Exploits: 0, References: 10, Affected Software: 1
CNNVD
added 2024/11/13 12:00 a.m.

WordPress plugin Fat Rat Collect Cross-Site Scripting Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability...

CVSS 6.1, AI score 8, EPSS 0.0048
Exploits: 0, References: 3
WPVulnDB
added 2023/07/17 12:00 a.m.

WPCode < 2.0.13.1 - Reflected XSS

Description: The plugin does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting. PoC: Make a logged-in admin open https://example.com/wp-admin/admin.php?page=wpcode"=2...

CVSS 6.1, AI score 6.2, EPSS 0.00452
Exploits: 2, Affected Software: 1
OSV
added 2021/11/08 6:15 p.m.

CVE-2021-24616

The AddToAny Share Buttons WordPress plugin before 1.7.48 does not escape its Image URL button setting, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed...

CVSS 4.8, AI score 5.8, EPSS 0.00654
Exploits: 2, References: 2
Cvelist
added 2020/04/01 6:25 p.m.

CVE-2020-1949

Scripts in Sling CMS before 0.16.0 do not properly escape the Sling Selector from URLs when generating navigational elements for the administrative consoles and are vulnerable to reflected XSS attacks...

AI score 6.1, EPSS 0.01965
Exploits: 0, References: 1
CVE
added 2019/11/25 10:39 p.m.

CVE-2019-10771

CVE-2019-10771 affects the iobroker.web (Node.js/Express) web server. The vulnerability stems from the GET URL path not escaping characters, allowing reflected XSS in the server’s response. Affected versions are prior to 2.4.10. Remediation: upgrade to version 2.4.10 or later. In the provided doc...

CVSS 6.1, AI score 6.2, EPSS 0.00679
Exploits: 0, References: 1, Affected Software: 1
OSV
added 2018/12/02 12:00 a.m.

UBUNTU-CVE-2018-19787

An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to...

CVSS 6.1, AI score 6.7, EPSS 0.02438
Exploits: 1, References: 4
Gentoo Linux
added 2012/09/24 12:00 a.m.

SquidClamav: Denial of service

Background: SquidClamav is an HTTP anti-virus for Squid based on ClamAV and ICAP. Description: SquidClamav does not properly escape URLs before passing them to the system command call. Impact: A remote attacker could send a specially crafted URL to SquidClamav, possibly resulting in a Denial of Servi...

CVSS 5, AI score 6.5, EPSS 0.03333
Exploits: 1
Exploit DB
added 2006/08/21 12:00 a.m.

Apache < 1.3.37/2.0.59/2.2.3 mod_rewrite - Remote Overflow

#!/bin/sh Exploit for Apache mod_rewrite off-by-one. Vulnerability discovered by Mark Dowd. CVE-2006-3747 by jack 2006-08-20 Thx to xuso for helping me with the shellcode. I suppose that you have the "RewriteRule kung/. $1" rule; if not, you must recalculate addresses. Shellcode is based on Taeho Oh...

CVSS 7.6, AI score 9.6, EPSS 0.95647
Exploits: 20