WordPress HTML5 Video Player - SQL Injection

WordPress HTML5 Video Player plugin is vulnerable to SQL injection. An unauthenticated attacker can exploit this vulnerability to perform SQL injection attacks. id: CVE-2024-1061 info: name: WordPress HTML5 Video Player - SQL Injection author: xxcdd severity: critical description: | WordPress HTM...

WordPress HTML5 Video Player < 2.5.27 - SQL Injection

The HTML5 Video Player WordPress plugin before 2.5.27 does not sanitize and escape a parameter from a REST route before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks id: CVE-2024-5522 info: name: WordPress HTML5 Video Player 2.5.27 - SQL Injection...

CVE-2026-49773

Subscriber Cross Site Scripting XSS in FV Flowplayer Video Player 7.5.51.7212 versions...

EUVD-2026-36894

Subscriber Cross Site Scripting XSS in FV Flowplayer Video Player 7.5.51.7212 versions...

PT-2026-49344

Name of the Vulnerable Software and Affected Versions FV Flowplayer Video Player versions prior to 7.5.51.7212 Description Cross Site Scripting XSS is possible for users with the Subscriber role. This issue allows an attacker to inject malicious scripts into web pages viewed by other users...

WordPress FV Flowplayer Video Player plugin <= 7.5.49.7212 - Unauthenticated Stored Cross-Site Scripting vulnerability

Unauthenticated Stored Cross-Site Scripting vulnerability discovered by ? in WordPress Plugin FV Flowplayer Video Player versions = 7.5.49.7212...

CVE-2026-46496

HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting XSS vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the component. The component allows javascript: URIs in the source attribute, which are executed when the page is...

EUVD-2026-34892

HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting XSS vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the component. The component allows javascript: URIs in the source attribute, which are executed when the page is...

CVE-2026-46496

HAX CMS is affected by a stored XSS in the component. Versions prior to 26.0.0 fail to sanitize input in the source/source-data attributes, allowing javascript: URIs that execute attacker-controlled JavaScript in victims’ browsers. This can lead to token exposure (e.g., JWTs) and other sensitive...

CVE-2026-46496 HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft

HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting XSS vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the component. The component allows javascript: URIs in the source attribute, which are executed when the page is...

CVE-2026-46496 HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft

HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting XSS vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the component. The component allows javascript: URIs in the source attribute, which are executed when the page is...

HAXCMS 安全漏洞

HAXCMS is an open-source content management system developed by HAX The Web. Versions of HAXCMS prior to 26.0.0 contained security vulnerabilities. These vulnerabilities stemmed from improper cleaning of the video-player component, which could allow attackers to execute arbitrary JavaScript in th...

WordPress FV Flowplayer Video Player plugin < 7.5.51.7212 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Jakub Herman in WordPress Plugin FV Flowplayer Video Player versions 7.5.51.7212...

Cross-site Scripting (XSS)

Overview @haxtheweb/video-player is an Automated conversion of video-player/ Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper sanitization of elements that allow javascript: URIs in the src attribute. An attacker can execute arbitrary JavaScript in the...

Cross-site Scripting (XSS)

Overview @haxtheweb/haxcms-nodejs is a HAXcms nodejs backend Affected versions of this package are vulnerable to Cross-site Scripting XSS via the video-player component's source and source-data attributes. An attacker can execute arbitrary JavaScript in the victim's browser and access sensitive...

Cross-site Scripting (XSS)

Overview @haxtheweb/video-player is an Automated conversion of video-player/ Affected versions of this package are vulnerable to Cross-site Scripting XSS via the video-player component's source and source-data attributes. An attacker can execute arbitrary JavaScript in the victim's browser and...

HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft

Summary A stored cross-site scripting XSS vulnerability exists in HAX CMS due to improper sanitization of the component. The component allows javascript: URIs in the source attribute, which are executed when the page is viewed. This enables attackers to execute arbitrary JavaScript in the context...

GHSA-2M6P-HM3W-6JM3 HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft

Summary A stored cross-site scripting XSS vulnerability exists in HAX CMS due to improper sanitization of the component. The component allows javascript: URIs in the source attribute, which are executed when the page is viewed. This enables attackers to execute arbitrary JavaScript in the context...

PT-2026-41978

Name of the Vulnerable Software and Affected Versions HAX CMS versions prior to 26.0.0 Description A stored cross-site scripting XSS issue exists due to improper sanitization of the component. The application fails to validate user-supplied input in the source and source-data attributes, allowing...

CVE-2019-25689

HTML5 Video Player 1.2.5 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by supplying an oversized key code string. Attackers can craft a malicious payload exceeding 997 bytes and paste it into the KEY CODE field in the Help Register dialog to trigge...