18 matches found
CVE-2025-36556
A reflected cross-site scripting (XSS) vulnerability exists in the ldapUser functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability...
CVE-2025-13539 FindAll Membership <= 1.0.4 - Authentication Bypass via Social Login
The FindAll Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.4. This is due to the plugin not properly logging in a user with the data that was previously verified through the 'findallmembershipcheckfacebookuser' and the...
EUVD-2021-0960
Malware in sbrugna...
EUVD-2020-30094
Malware in sbrugna...
EUVD-2020-29815
Malware in sbrugna...
EUVD-2023-1950
Malicious code in bioql PyPI...
CVE-2020-8985
ZendTo prior to 5.22-2 Beta allowed reflected XSS and CSRF via the unlock.tpl unlock user functionality...
CVE-2025-4547
A vulnerability was found in SourceCodester Web-based Pharmacy Product Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Add User Page. The manipulation leads to cross-site scripting. The attack may be launched remotely...
GHSA-6P2Q-8QFQ-WQ7X Withdrawn Advisory: Lunary improper access control vulnerability
Withdrawn Advisory This advisory has been withdrawn because the lunary npm package is connected to https://github.com/lunary-ai/lunary-js, not the https://github.com/lunary-ai/lunary repo that is discussed in this advisory. The underlying vulnerability report is still valid, but it doesn't affect...
CSRF in all endpoints of /lib/ajax.php by Changing the request method to GET
Description: I have found a CSRF in all the requests in /lib/ajax.php by changing the request to GET, and the page also gets errors, so the user cannot use any function on the page. Proof of Concept: 1. Go to https://demo.froxlor.org/ and log in as any user, i.e. admin. 2. Now open...
Cross site scripting
In Zinc, versions v0.1.9 through v0.3.1 are vulnerable to Stored Cross-Site Scripting when using the delete user functionality. When an authenticated user deletes a user having an XSS payload in the user id field, the JavaScript payload will be executed and allow an attacker to access the user’s...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description: livehelperchat is vulnerable to stored XSS in the user profile settings, where the username, password, repeat password, nickname, name, surname and job title fields are vulnerable to stored XSS. Proof of Concept: this.constructor.constructor'alert"foo"' Enter the given payload in the above-mention...
GHSA-RF7Q-XQM3-6923 Apache Ranger allows remote authenticated administrators to inject arbitrary web script or HTML
Cross-site scripting (XSS) vulnerability in the create user functionality in the policy admin tool in Apache Ranger before 0.6.1 allows remote authenticated administrators to inject arbitrary web script or HTML via vectors related to policies...
Circle with Disney Apid Strstr Authentication Bypass Vulnerability(CVE-2017-2914)
Summary An exploitable authentication bypass vulnerability exists in the API daemon of Circle with Disney running firmware 2.0.1. A specially crafted token can bypass the authentication routine of the Apid binary, causing the device to grant unintended administrative access. An attacker needs...
CVE-2016-5395
Cross-site scripting (XSS) vulnerability in the create user functionality in the policy admin tool in Apache Ranger before 0.6.1 allows remote authenticated administrators to inject arbitrary web script or HTML via vectors related to policies...
Firefox Java update ready to stop BEAST attacks
Firefox developers searching for a way to protect users against a new attack that decrypts sensitive web traffic are seriously considering an update that stops the open-source browser from working with Oracle's Java software framework. Johnath, the...