CVE-2026-35057
XenForo is affected in versions prior to 2.3.10 (2.3.x branch) and prior to 2.2.19 (2.2.x branch). The vulnerability is a stored XSS in structured-text mentions, primarily impacting legacy profile post content. An attacker can inject malicious scripts via crafted mentions that are stored and executed when other users view the...
CVE-2026-21447
Bagisto is an open source Laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference (IDOR) vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order...
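What the reorder IDOR looks like in Laravel code, beside the fix. This is an added illustration, not Bagisto's code: the `Order`/`OrderItem` models, the `customer_id` column, the `customer` auth guard and the `CartService` interface are all assumptions standing in for the application's real classes.

```php
<?php
// Added example, not Bagisto's code. Assumed: an Eloquent `Order` model with a
// `customer_id` column and an `items` relation, an `OrderItem` model with
// `product_id` / `qty_ordered`, a `customer` auth guard, and a cart service.

use Illuminate\Http\Request;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Relations\HasMany;

class OrderItem extends Model {}

class Order extends Model
{
    public function items(): HasMany
    {
        return $this->hasMany(OrderItem::class);
    }
}

interface CartService
{
    public function addProduct(int $productId, int $qty): void;
}

class ReorderController
{
    public function __construct(private CartService $cart) {}

    // VULNERABLE: the order is fetched by id alone. Any logged-in customer can
    // supply another customer's order id and copy that order into their cart.
    public function reorderVulnerable(Request $request, int $orderId)
    {
        $order = Order::findOrFail($orderId);
        foreach ($order->items as $item) {
            $this->cart->addProduct($item->product_id, $item->qty_ordered);
        }
        return redirect()->back();
    }

    // FIXED: the lookup is scoped to the authenticated customer, so a foreign
    // order id yields 404 instead of another customer's items. Scoping the query
    // (rather than checking ownership after the fact) also avoids leaking whether
    // the id exists, and leaves no code path that forgets the check.
    public function reorderFixed(Request $request, int $orderId)
    {
        $customerId = auth()->guard('customer')->id();
        $order = Order::where('customer_id', $customerId)->findOrFail($orderId);
        foreach ($order->items as $item) {
            $this->cart->addProduct($item->product_id, $item->qty_ordered);
        }
        return redirect()->back();
    }
}
```

When testing a deployment for this class of bug, log in as customer A, note one of A's order ids, log in as customer B and call the reorder endpoint with A's id: the fixed version must return 404 and leave B's cart unchanged.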
CVE-2026-21450
Bagisto SSTI (server-side template injection) in the type parameter allows remote code execution. Affected versions are prior to 2.3.10; version 2.3.10 contains the fix. Exploitation details cited include an example payload accessing the admin view (type={{7*7}}), which can lead to RCE and other ...
CVE-2026-21450 Bagisto has SSTI in parameter that can lead to RCE
Bagisto is an open source Laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via the type parameter, which can lead to remote code execution or other exploitation. Version 2.3.10 fixes the issue...
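The two CVE-2026-21450 entries above describe an SSTI where a request parameter reaches the template engine as template source and `type={{7*7}}` renders as `49`. The following is an added illustration of that pattern in Laravel/Blade and of the fix; it is not Bagisto's code. The controller functions, the `type` parameter handling and the allow-listed view names are assumptions; `Blade::render()` is Laravel's public API for compiling a template string.

```php
<?php
// Added example, not Bagisto's code. Assumes a Laravel application where the
// Blade facade is available and `type` is the user-controlled query parameter.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Blade;

// VULNERABLE: the request value is spliced into the template *source* before
// Blade compiles it. Blade turns `{{ ... }}` into PHP, so ?type={{7*7}} renders
// "49", and a payload such as {{ system('id') }} executes on the server.
function renderTypeVulnerable(Request $request): string
{
    $type = $request->query('type', 'default');
    return Blade::render("<div class=\"type-{$type}\">{$type}</div>");
}

// FIXED: the request value may only select one of a fixed set of names, and it
// is handed to the template as *data*, never as template text. Blade's {{ $x }}
// output is HTML-escaped, which also closes the reflected-XSS variant.
const ALLOWED_TYPES = ['simple', 'configurable', 'virtual'];

function renderTypeFixed(Request $request): string
{
    $type = $request->query('type', 'simple');
    if (!in_array($type, ALLOWED_TYPES, true)) {
        abort(404);
    }
    // The template string is a constant; $type is bound at render time only.
    return Blade::render(
        '<div class="type-{{ $type }}">{{ $type }}</div>',
        ['type' => $type]
    );
}
```

The canary in the advisory is the standard check: if `type={{7*7}}` comes back as `49` rather than the literal `{{7*7}}`, user input is being compiled as a template, and the fix is to stop building template source from request data rather than to filter particular characters.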
CVE-2026-21451 Bagisto has HTML Filter Bypass that Enables Stored XSS
Bagisto is an open source Laravel eCommerce platform. A stored Cross-Site Scripting (XSS) vulnerability exists in Bagisto prior to version 2.3.10 within the CMS page editor. Although the platform normally attempts to sanitize tags, the filtering can be bypassed by manipulating the raw HTTP POST...
CVE-2026-21446
Summary (CVE-2026-21446) Bagisto (Laravel-based eCommerce) prior to 2.3.10 exposes installer API endpoints under /install/api/* that remain accessible after installation. The root cause is unauthenticated access to API routes (no auth/CSRF in /install/api/*), enabling an attacker to create admin ...
PT-2026-1125
Name of the Vulnerable Software and Affected Versions: Bagisto versions prior to 2.3.10. Description: Bagisto, an open source Laravel eCommerce platform, has an issue where the installer API routes remain active even after the initial installation is complete. The API endpoints under /install/api/ are directly accessib...
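One way to make installer endpoints disappear once installation has completed, as described for CVE-2026-21446 / PT-2026-1125 above. This is an added example written for Laravel, not Bagisto's code: the marker file `storage/installed`, the `InstallerController` and the route paths are assumptions; the point is that the guard sits in front of the whole `/install` prefix, API routes included, and that those routes run inside the `web` middleware group so they get CSRF protection.

```php
<?php
// Added example, not Bagisto's code. Condensed into one file for reading; the
// middleware would normally live under app/Http/Middleware and the routes in
// routes/web.php. The marker path and controller are assumptions.

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Symfony\Component\HttpFoundation\Response;

class InstallerController
{
    public function index() { /* renders the installer UI */ }

    // Final step of the installer: create the admin user, then write the marker.
    // From the next request on, the guard below returns 404 for /install/*.
    public function finish()
    {
        file_put_contents(storage_path('installed'), date('c'));
        return redirect('/');
    }
}

class BlockInstallerAfterInstall
{
    public function handle(Request $request, Closure $next): Response
    {
        // Once installed, no installer route (UI or /install/api/*) may be
        // reachable. 404 rather than 403, so the endpoints are not even
        // confirmed to exist to an unauthenticated caller.
        if (file_exists(storage_path('installed'))) {
            abort(404);
        }
        return $next($request);
    }
}

// Every installer route, including the JSON API the installer UI calls, is
// registered under the same prefix and the same guard. Registering them in the
// `web` group (not the stateless `api` group) gives them session-bound CSRF
// tokens, which is the second half of the root cause named in the advisory.
Route::prefix('install')
    ->middleware(['web', BlockInstallerAfterInstall::class])
    ->group(function () {
        Route::get('/', [InstallerController::class, 'index']);
        Route::post('/api/finish', [InstallerController::class, 'finish']);
        // ... the other installer steps go here, under the same guard
    });
```

After deploying, the check is simple: a request to any `/install/api/...` path on an installed instance must return 404, and the installer routes should not appear in `php artisan route:list` output with a reachable middleware stack other than this guard.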
CVE-2025-9075 ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns <= 2.3.10 - Authenticated (Contributor+) Stored Cross-Site Scripting
The ZoloBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple Gutenberg blocks in versions up to, and including, 2.3.10. This is due to insufficient input sanitization and output escaping on user-supplied attributes within multiple block components including Google...
CVE-2025-32143 WordPress Accordion plugin <= 2.3.10 - PHP Object Injection vulnerability
Deserialization of Untrusted Data vulnerability in PickPlugins Accordion allows Object Injection. This issue affects Accordion: from n/a through 2.3.10...
WordPress plugin BU Slideshow Cross-Site Scripting Vulnerability
WordPress and its plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP; it supports hosting a personal blog site on a server with PHP and MySQL. A WordPress plugin is an add-on application for the platform. A cross-site scripting...
WordPress BU Slideshow plugin <= 2.3.10 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by SOPROBRO (Patchstack Alliance) in WordPress plugin BU Slideshow versions <= 2.3.10...
Malicious code in @gthwebdev/ui-tooltip (npm)
Source: ghsa-malware 62aaab200b33789e76005a82f8665eaec345f6c173d63c8fdae72dff0cc2855d. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
WordPress plugin IMGspider security vulnerability
WordPress and its plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP; it supports hosting a personal blog site on a server with PHP and MySQL. A WordPress plugin is an add-on application for the platform. A security...
PT-2024-37540 · WordPress · Imgspider
Name of the Vulnerable Software and Affected Versions: IMGspider plugin for WordPress versions up to, and including, 2.3.10 Description: The IMGspider plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the upload function. This makes it possible fo...
WordPress plugin Premmerce Permalink Manager for WooCommerce Security Vulnerability
WordPress and its plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP; it supports hosting a personal blog site on a server with PHP and MySQL. A WordPress plugin is an add-on application for the platform. A security vulnerability...
GHSA-RJHX-C9QH-QH8F Cross-site Scripting in Eclipse Mojarra
faces/context/PartialViewContextImpl.java in Eclipse Mojarra, as used in Mojarra for Eclipse EE4J before 2.3.10 and Mojarra JavaServer Faces, allows Reflected XSS because a client window field is mishandled...
WordPress All-in-One Addons for Elementor – WidgetKit Plugin Cross-Site Scripting Vulnerability
A WordPress plugin is an add-on application for the open source WordPress platform. A cross-site scripting vulnerability exists in the WordPress All-in-One Addons for Elementor – WidgetKit plugin in versions prior to 2.3.10. An attacker can exploit this vulnerability to launch a cross-site scripting attack...