
4 matches found

CVE
added 2025/04/15 12:50 p.m., 55 views

CVE-2025-32944

CVE-2025-32944 affects PeerTube where, if user import is enabled, any authenticated user can upload an archive. The vulnerability stems from the yauzl archive reader: when it encounters an illegal filename, it raises an exception that PeerTube does not catch, causing a crash that repeats on start...

CVSS 6.5, AI score 7.1, EPSS 0.00145
Exploits: 1, References: 2, Affected Software: 1
Hacker One
added 2017/03/16 10:5 p.m., 28 views

Discourse: Admin Command Injection via username in user_archive ExportCsvFile

When a user generates a backup of their posts, their username gets sent to the ExportCsvFile job. The username is placed inside of a gzip command in backticks. Although the application prevents special characters in usernames, an admin is able to make modifications to the database via the restore...

AI score 2.5
Exploits: 0
NVD
added 2009/01/05 8:30 p.m., 16 views

CVE-2008-5845

Multiple cross-site scripting (XSS) vulnerabilities in Six Apart Movable Type (MT) before 4.23 allow remote attackers to inject arbitrary web script or HTML via a (1) MTEntryAuthorUsername, (2) MTAuthorDisplayName, (3) MTEntryAuthorDisplayName, or (4) MTCommenterName field in a Profile View template; a (5)...

CVSS 4.3, AI score 5.7, EPSS 0.00254
Exploits: 0, References: 3
Prion
added 2009/01/05 8:30 p.m., 14 views

Cross site scripting

Multiple cross-site scripting (XSS) vulnerabilities in Six Apart Movable Type (MT) before 4.23 allow remote attackers to inject arbitrary web script or HTML via a (1) MTEntryAuthorUsername, (2) MTAuthorDisplayName, (3) MTEntryAuthorDisplayName, or (4) MTCommenterName field in a Profile View template; a (5)...

CVSS 4.3, AI score 6, EPSS 0.00254
Exploits: 0, References: 3, Affected Software: 1