Actual Sync Server has an Authenticated Path Traversal

Description Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file. In versions prior to 26.3.0, improper validation of the user-controlled x-actual-file-id header means that traversal segments ../ can escape the intended directory and write files outsid...

EUVD-2026-1681

SQL injection vulnerability in pss.sale.com 1.0 via the id parameter to the userfiles/php/cancelorder.php endpoint...

CVE-2025-51626

SQL injection vulnerability in pss.sale.com 1.0 via the id parameter to the userfiles/php/cancelorder.php endpoint...

pss.sale.com 安全漏洞

pss.sale.com is a merchandising system by the individual developer XiaoLiuChu in China. A security vulnerability exists in version 1.0 of pss.sale.com, which stems from an incorrect manipulation of the parameter id in the endpoint userfiles/php/cancelorder.php, which could lead to a SQL injection...

CVE-2025-51626

SQL injection vulnerability in pss.sale.com 1.0 via the id parameter to the userfiles/php/cancelorder.php endpoint...

CVE-2024-58280 CMSimple 5.15 Remote Command Execution via Extensions Configuration

CMSimple 5.15 contains a remote command execution vulnerability that allows authenticated attackers to modify file extensions and upload malicious PHP files. Attackers can append ',php' to Extensionsuserfiles and upload a shell script to the media directory to execute arbitrary code on the server...

Cross-site Scripting (XSS)

microweber/microweber is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper input sanitization in userfiles\modules\settings\admin.php by which an admin authenticated attacker can inject malicious scripts by submitting crafted input to the group field...

Microweber Cross Site Scripting (XSS) vulnerability

Microweber 2.0.16 was discovered to contain a Cross Site Scripting XSS vulnerability via userfiles\modules\settings\admin.php...

GHSA-HF66-XFGJ-42G8 Microweber Cross Site Scripting (XSS) vulnerability

Microweber 2.0.16 was discovered to contain a Cross Site Scripting XSS vulnerability via userfiles\modules\tags\addtaggingtagged.php...

CVE-2024-41381

microweber 2.0.16 was discovered to contain a Cross Site Scripting XSS vulnerability via userfiles\modules\settings\admin.php...

CVE-2024-41380

microweber 2.0.16 was discovered to contain a Cross Site Scripting XSS vulnerability via userfiles\modules\tags\addtaggingtagged.php...

CVE-2024-41381

microweber 2.0.16 was discovered to contain a Cross Site Scripting XSS vulnerability via userfiles\modules\settings\admin.php...

CVE-2024-41381

CVE-2024-41381 affects microweber 2.0.16. The vulnerability is a Cross-Site Scripting (XSS) in the file userfiles/modules/settings/admin.php, arising from insufficient input filtering/escaping. Evidence across multiple sources (NVD/Red Hat/CNVD/Veracode/GHSA/OSV) describes an XSS risk targeting a...

CVE-2024-41381

microweber 2.0.16 was discovered to contain a Cross Site Scripting XSS vulnerability via userfiles\modules\settings\admin.php...

CVE-2024-41380

Microweber 2.0.16 contains a Cross Site Scripting (XSS) vulnerability in the file path userfiles/modules/tags/add_tagging_tagged.php, caused by insufficient input validation/escaping of user-supplied data. Affected component: add_tagging_tagged.php within the tags module. Impact is described as X...

CVE-2024-41380

microweber 2.0.16 was discovered to contain a Cross Site Scripting XSS vulnerability via userfiles\modules\tags\addtaggingtagged.php...

GHSA-PMXG-W9C7-FFMQ Microweber Discloses Sensitive Information

userfiles/modules/users/controller/controller.php in Microweber before 1.1.20 allows an unauthenticated user to disclose the users database via a /modules/ POST request...

Abusing Backup/Restore feature to achieve Remote Code Execution

Description Admin can use Backup modules to upload a malicious PHP file, which can lead to RCE. Proof of Concept + Log in as admin, navigate to Modules - Backup: https://demo.microweber.org/demo/admin/view:modules/loadmodule:adminbackup + Prepare a malicious PHP file, in this case info2.php +...

Design/Logic Flaw

CMSimple 4.7.5 has XSS via an admin's upload of an SVG file at a ?userfiles&subdir=userfiles/images/flags/ URI...

thesphere.ch XSS vulnerability

Open Bug Bounty ID: OBB-636864 Description| Value ---|--- Affected Website:| thesphere.ch Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| Custom Code Vulnerability Type:| XSS Cross Site Scripting / CWE-79 CVSSv3 Score:| 6.1...