Lucene search
+L

461 matches found

CNNVD
CNNVD
added 2026/05/13 12:0 a.m.12 views

WordPress plugin coreActivity 代码问题漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There we...

8.1CVSS6AI score0.00481EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/12 1:57 p.m.9 views

CVE-2026-43938 YAF.NET: Unauthenticated Stored Second-Order XSS in Admin Event Log via Reflected `User-Agent` Header

YetAnotherForum.NET YAF.NET is a C ASP.NET forum. Prior to 4.0.5 and 3.2.12, the application's database logger YAFNET.Core/Logger/DbLogger.cs captures the incoming request's User-Agent header into a JObject, serializes it with JsonConvert, and stores the result in the EventLog.Description column...

8.1CVSS5.8AI score0.00282EPSS
Exploits0References1
CVE
CVE
added 2026/05/12 1:57 p.m.20 views

CVE-2026-43938

Summary (supported): CVE-2026-43938 affects YetAnotherForum.NET (YAF.NET) prior to 4.0.5 and 3.2.12. The database logger captures the request’s User-Agent into a JSON object and stores it in EventLog.Description. When an admin views the EventLog, the code deserializes that JSON and interpolates t...

8.1CVSS5.8AI score0.00282EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/12 1:57 p.m.42 views

CVE-2026-43938 YAF.NET: Unauthenticated Stored Second-Order XSS in Admin Event Log via Reflected `User-Agent` Header

YetAnotherForum.NET YAF.NET is a C ASP.NET forum. Prior to 4.0.5 and 3.2.12, the application's database logger YAFNET.Core/Logger/DbLogger.cs captures the incoming request's User-Agent header into a JObject, serializes it with JsonConvert, and stores the result in the EventLog.Description column...

8.1CVSS0.00282EPSS
Exploits0References1
OSV
OSV
added 2026/05/12 1:57 p.m.3 views

CVE-2026-43938 YAF.NET: Unauthenticated Stored Second-Order XSS in Admin Event Log via Reflected `User-Agent` Header

YetAnotherForum.NET YAF.NET is a C ASP.NET forum. Prior to 4.0.5 and 3.2.12, the application's database logger YAFNET.Core/Logger/DbLogger.cs captures the incoming request's User-Agent header into a JObject, serializes it with JsonConvert, and stores the result in the EventLog.Description column...

8.1CVSS5.9AI score0.00282EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/05/12 12:0 a.m.14 views

YAFNET 跨站脚本漏洞

YAFNET is an ASP.NET open-source forum solution developed by YAFNET’s developers. Versions of YAFNET prior to 4.0.5 and 3.2.12 contained a cross-site scripting vulnerability. This vulnerability stemmed from the database logging mechanism serializing user agent headers as JSON without encoding the...

8.1CVSS5.6AI score0.00282EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/05/06 8:49 p.m.13 views

phpMyFAQ has unauthenticated SQL injection via User-Agent header in BuiltinCaptcha

Summary BuiltinCaptcha::garbageCollector and BuiltinCaptcha::saveCaptcha at phpmyfaq/src/phpMyFAQ/Captcha/BuiltinCaptcha.php:298 and :330 interpolate the User-Agent header and client IP address into DELETE and INSERT queries with sprintf and no escaping. Both methods run on every hit to the publi...

9.8CVSS6.1AI score0.01709EPSS
Exploits0References5Affected Software2
OSV
OSV
added 2026/05/06 8:49 p.m.44 views

GHSA-289F-FQ7W-6Q2W phpMyFAQ has unauthenticated SQL injection via User-Agent header in BuiltinCaptcha

Summary BuiltinCaptcha::garbageCollector and BuiltinCaptcha::saveCaptcha at phpmyfaq/src/phpMyFAQ/Captcha/BuiltinCaptcha.php:298 and :330 interpolate the User-Agent header and client IP address into DELETE and INSERT queries with sprintf and no escaping. Both methods run on every hit to the publi...

9.8CVSS6.1AI score0.01709EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/05/06 12:0 a.m.13 views

PT-2026-41366

Name of the Vulnerable Software and Affected Versions phpMyFAQ versions prior to 4.1.2 Description An unauthenticated SQL injection exists in the BuiltinCaptcha::garbageCollector and BuiltinCaptcha::saveCaptcha methods. The issue occurs when unsanitized User-Agent headers are interpolated into...

9.8CVSS5.8AI score0.01709EPSS
Exploits0References13
Snyk
Snyk
added 2026/05/05 8:31 p.m.12 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the User-Agent header being logged and later rendered in the admin event log interface without proper output encoding. An attacker can execute arbitrary JavaScript in an administrator's browser by submitting...

9.6CVSS5.8AI score0.00282EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/05 8:31 p.m.13 views

YAFNET has Unauthenticated Stored Second-Order XSS in Admin Event Log via Reflected `User-Agent` Header

Description: Stored second-order Cross-Site Scripting XSS occurs when attacker-controlled input is persisted through one component of an application and later rendered, without proper sanitization or contextual output encoding, by a completely different component — often one that implicitly trust...

8.1CVSS5.9AI score0.00282EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/05/05 8:31 p.m.65 views

GHSA-33GV-FC78-QGF5 YAFNET has Unauthenticated Stored Second-Order XSS in Admin Event Log via Reflected `User-Agent` Header

Description: Stored second-order Cross-Site Scripting XSS occurs when attacker-controlled input is persisted through one component of an application and later rendered, without proper sanitization or contextual output encoding, by a completely different component — often one that implicitly trust...

8.1CVSS5.9AI score0.00282EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/04/07 11:1 p.m.6 views

CVE-2026-22675

OCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript by submitting malicious User-Agent HTTP headers to the /ocsinventory endpoint. Attackers can register rogue agents or craft...

6.1CVSS6AI score0.00218EPSS
Exploits0References1
EUVD
EUVD
added 2026/04/07 12:30 a.m.20 views

EUVD-2026-19484

OCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript by submitting malicious User-Agent HTTP headers to the /ocsinventory endpoint. Attackers can register rogue agents or craft...

5.4CVSS6.2AI score0.00218EPSS
Exploits0References4
UbuntuCve
UbuntuCve
added 2026/04/06 10:16 p.m.3 views

CVE-2026-22675

OCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript by submitting malicious User-Agent HTTP headers to the /ocsinventory endpoint. Attackers can register rogue agents or craft...

6.1CVSS6AI score0.00218EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/04/06 9:19 p.m.2 views

CVE-2026-22675 OCS Inventory NG Server Stored XSS via User-Agent

OCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript by submitting malicious User-Agent HTTP headers to the /ocsinventory endpoint. Attackers can register rogue agents or craft...

5.4CVSS6AI score0.00218EPSS
Exploits0References3
Debian CVE
Debian CVE
added 2026/04/06 9:19 p.m.8 views

CVE-2026-22675

OCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript by submitting malicious User-Agent HTTP headers to the /ocsinventory endpoint. Attackers can register rogue agents or craft...

6.1CVSS6AI score0.00218EPSS
Exploits0
OSV
OSV
added 2026/04/06 9:19 p.m.4 views

CVE-2026-22675 OCS Inventory NG Server Stored XSS via User-Agent

OCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript by submitting malicious User-Agent HTTP headers to the /ocsinventory endpoint. Attackers can register rogue agents or craft...

5.1CVSS6.2AI score0.00218EPSS
Exploits0References6
CVE
CVE
added 2026/04/06 9:19 p.m.32 views

CVE-2026-22675

OCS Inventory NG Server (versions up to 2.12.3) is affected by a stored XSS in the User-Agent header submitted to the /ocsinventory endpoint. The issue stems from improper sanitization/encoding when rendering user-supplied User-Agent values in the statistics dashboard, enabling arbitrary JavaScri...

6.1CVSS5.7AI score0.00218EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/06 12:0 a.m.12 views

PT-2026-30738

OCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript by submitting malicious User-Agent HTTP headers to the /ocsinventory endpoint. Attackers can register rogue agents or craft...

5.4CVSS6.2AI score0.00218EPSS
Exploits0References4
Rows per page
Query Builder