Critical · CVSS 9.8
webTareas 2.4p5 was discovered to contain a SQL injection vulnerability via the id parameter in deleteapprovalstages.php.
Published Dec 2, 2022 · Updated Jul 9, 2026
Critical · CVSS 9.8
Netgear R7000P V1.3.0.8 is vulnerable to Buffer Overflow via parameters apmode_dns1_pri and apmode_dns1_sec.
Published Nov 22, 2022 · Updated Jul 9, 2026
Critical · CVSS 9.8
ESPCMS P8.21120101 was discovered to contain a remote code execution (RCE) vulnerability in the component IS_GETCACHE.
Published Nov 10, 2022 · Updated Jul 9, 2026
Critical · CVSS 9.8
ESPCMS P8.21120101 was discovered to contain a remote code execution (RCE) vulnerability in the component INPUT_ISDESCRIPTION.
Published Nov 10, 2022 · Updated Jul 9, 2026
Critical · CVSS 9.8
ESPCMS P8.21120101 was discovered to contain a remote code execution (RCE) vulnerability in the component UPFILE_PIC_ZOOM_HIGHT.
Published Nov 10, 2022 · Updated Jul 9, 2026
High · CVSS 8.8
A Cross-Site Request Forgery (CSRF) in dzzoffice 2.02.1_SC_UTF8 allows attackers to arbitrarily create user accounts and grant Administrator rights to regular users.
Published Oct 27, 2022 · Updated Jul 9, 2026
Medium · CVSS 6.1
Shopwind v3.4.3 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in the component /common/library/Page.php.
Published Nov 9, 2022 · Updated Jul 9, 2026
Medium · CVSS 5.5
Supermicro X11SSL-CF HW Rev 1.01, BMC firmware v1.63 was discovered to contain insecure permissions.
Published Apr 7, 2023 · Updated Jul 9, 2026
Medium · CVSS 5.4
Password Storage Application v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Setup page.
Published Oct 27, 2022 · Updated Jul 9, 2026
Medium · CVSS 5.4
Multiple stored cross-site scripting (XSS) vulnerabilities in Train Scheduler App v1.0 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Train Code, Train Name, and Destination text fields.
Published Oct 27, 2022 · Updated Jul 9, 2026
Medium · CVSS 5.4
A stored cross-site scripting (XSS) vulnerability in Simple Online Public Access Catalog v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Edit Account Full Name field.
Published Oct 27, 2022 · Updated Jul 9, 2026
Critical · CVSS 9
ERP Sankhya before v4.11b81 was discovered to contain a cross-site scripting (XSS) vulnerability via the component Caixa de Entrada.
Published Nov 22, 2022 · Updated Jul 9, 2026
Medium · CVSS 5.4
QlikView 12.60.2 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the QvsViewClient functionality.
Published Mar 6, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Insecure Direct Object Reference vulnerability in WHMCS module SolusVM 1 4.1.2 allows an attacker to change the password and hostname of other customer servers without authorization.
Published Jul 5, 2023 · Updated Jul 9, 2026
Medium · CVSS 5.9
The Test LDAP Users functionality in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.0 fix pack 102 and earlier, 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before update 4, and DXP 7.4 GA includes the LDAP credential in the page URL when paginating through the list of users, which allows man-in-the-middle attackers or attackers with access to the request logs to see the LDAP credential.
Published Nov 15, 2022 · Updated Jul 9, 2026
Medium · CVSS 4.8
Certain Liferay products are affected by: Missing SSL Certificate Validation in the Dynamic Data Mapping module's REST data providers. This affects Liferay Portal 7.1.0 through 7.4.2 and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, and 7.3 before service pack 3.
Published Nov 15, 2022 · Updated Jul 9, 2026
Medium · CVSS 4.3
The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 19, 7.3 before update 4, and 7.4 GA does not properly check permission of form entries, which allows remote authenticated users to view and access all form entries.
Published Nov 15, 2022 · Updated Jul 9, 2026
Medium · CVSS 4.3
An Insecure direct object reference (IDOR) vulnerability in the Dynamic Data Mapping module in Liferay Portal 7.3.2 through 7.4.3.4, and Liferay DXP 7.3 before update 4, and 7.4 GA allows remote authenticated users to view and access form entries via the `formInstanceRecordId` parameter.
Published Nov 15, 2022 · Updated Jul 9, 2026
Medium · CVSS 5.3
The Hypermedia REST APIs module in Liferay Portal 7.4.1 through 7.4.3.4, and Liferay DXP 7.4 GA does not properly check permissions, which allows remote attackers to obtain a WikiNode object via the WikiNodeResource.getSiteWikiNodeByExternalReferenceCode API.
Published Nov 15, 2022 · Updated Jul 9, 2026
Medium · CVSS 5.3
The Friendly Url module in Liferay Portal 7.4.3.5 through 7.4.3.36, and Liferay DXP 7.4 update 1 though 36 does not properly check user permissions, which allows remote attackers to obtain the history of all friendly URLs that was assigned to a page.
Published Nov 15, 2022 · Updated Jul 9, 2026
Medium · CVSS 4.3
The Asset Libraries module in Liferay Portal 7.3.5 through 7.4.3.28, and Liferay DXP 7.3 before update 8, and DXP 7.4 before update 29 does not properly check permissions of asset libraries, which allows remote authenticated users to view asset libraries via the UI.
Published Nov 15, 2022 · Updated Jul 9, 2026
High · CVSS 7.5
Zip slip vulnerability in FileUtil.unzip in Liferay Portal 7.4.3.5 through 7.4.3.35 and Liferay DXP 7.4 update 1 through update 34 allows attackers to create or overwrite existing files on the filesystem via the deployment of a malicious plugin/module.
Published Nov 15, 2022 · Updated Jul 9, 2026
High · CVSS 7.5
ReDoS vulnerability in LayoutPageTemplateEntryUpgradeProcess in Liferay Portal 7.3.2 through 7.4.3.4 and Liferay DXP 7.2 fix pack 9 through fix pack 18, 7.3 before update 4, and DXP 7.4 GA allows remote attackers to consume an excessive amount of server resources via a crafted payload injected into the 'name' field of a layout prototype.
Published Nov 15, 2022 · Updated Jul 9, 2026
High · CVSS 7.5
A Zip slip vulnerability in the Elasticsearch Connector in Liferay Portal 7.3.3 through 7.4.3.18, and Liferay DXP 7.3 before update 6, and 7.4 before update 19 allows attackers to create or overwrite existing files on the filesystem via the installation of a malicious Elasticsearch Sidecar plugin.
Published Nov 15, 2022 · Updated Jul 9, 2026
Critical · CVSS 9.8
A SQL injection vulnerability in the Friendly Url module in Liferay Portal 7.3.7, and Liferay DXP 7.3 fix pack 2 through update 4 allows attackers to execute arbitrary SQL commands via a crafted payload injected into the `title` field of a friendly URL.
Published Nov 15, 2022 · Updated Jul 9, 2026
High · CVSS 8.8
A SQL injection vulnerability in the Layout module in Liferay Portal 7.1.3 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before service pack 3, and 7.4 GA allows remote authenticated attackers to execute arbitrary SQL commands via a crafted payload injected into a page template's 'Name' field.
Published Nov 15, 2022 · Updated Jul 9, 2026
Critical · CVSS 9.8
A SQL injection vulnerability in the Fragment module in Liferay Portal 7.3.3 through 7.4.3.16, and Liferay DXP 7.3 before update 4, and 7.4 before update 17 allows attackers to execute arbitrary SQL commands via a PortletPreferences' `namespace` attribute.
Published Nov 15, 2022 · Updated Jul 9, 2026
Medium · CVSS 5.4
Certain Liferay products are vulnerable to Cross Site Scripting (XSS) via the Commerce module. This affects Liferay Portal 7.3.5 through 7.4.2 and Liferay DXP 7.3 before update 8.
Published Nov 15, 2022 · Updated Jul 9, 2026
Medium · CVSS 6.1
A Cross-site scripting (XSS) vulnerability in the Portal Search module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the `tag` parameter.
Published Nov 15, 2022 · Updated Jul 9, 2026
Medium · CVSS 6.1
A Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.3.2 through 7.4.3.16, and Liferay DXP 7.3 before update 6, and 7.4 before update 17 allows remote attackers to inject arbitrary web script or HTML.
Published Oct 18, 2022 · Updated Jul 9, 2026
Medium · CVSS 6.1
A Cross-site scripting (XSS) vulnerability in the Frontend Editor module's integration with CKEditor in Liferay Portal 7.3.2 through 7.4.3.14, and Liferay DXP 7.3 before update 6, and 7.4 before update 15 allows remote attackers to inject arbitrary web script or HTML via the (1) name, or (2) namespace parameter.
Published Oct 18, 2022 · Updated Jul 9, 2026
Medium · CVSS 5.4
Cross-site scripting (XSS) vulnerability in the Object module's edit object details page in Liferay Portal 7.4.3.4 through 7.4.3.36 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the object field's `Label` text field.
Published Oct 18, 2022 · Updated Jul 9, 2026
Medium · CVSS 5.4
A Cross-site scripting (XSS) vulnerability in the Role module's edit role assignees page in Liferay Portal 7.4.0 through 7.4.3.36, and Liferay DXP 7.4 before update 37 allows remote attackers to inject arbitrary web script or HTML.
Published Oct 18, 2022 · Updated Jul 9, 2026
Medium · CVSS 6.1
A Cross-site scripting (XSS) vulnerability in Document Library module in Liferay Portal 7.4.3.30 through 7.4.3.36, and Liferay DXP 7.4 update 30 through update 36 allows remote attackers to inject arbitrary web script or HTML via the `redirect` parameter.
Published Oct 18, 2022 · Updated Jul 9, 2026
Medium · CVSS 5.4
A Cross-site scripting (XSS) vulnerability in the Portal Search module's Sort widget in Liferay Portal 7.2.0 through 7.4.3.24, and Liferay DXP 7.2 before fix pack 19, 7.3 before update 5, and DXP 7.4 before update 25 allows remote attackers to inject arbitrary web script or HTML via a crafted payload.
Published Oct 18, 2022 · Updated Jul 9, 2026
Medium · CVSS 5.4
devhub 0.102.0 was discovered to contain a broken session control.
Published Oct 17, 2022 · Updated Jul 9, 2026
Medium · CVSS 6.1
Multiple cross-site scripting (XSS) vulnerabilities in ReQlogic v11.3 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the POBatch and WaitDuration parameters.
Published Jan 20, 2023 · Updated Jul 9, 2026
Critical · CVSS 9.8
Acer Altos W2000h-W570h F4 R01.03.0018 was discovered to contain a stack overflow in the RevserveMem component. This vulnerability allows attackers to cause a Denial of Service (DoS) via injecting crafted shellcode into the NVRAM variable.
Published Oct 19, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
An access control issue in Argo CD v2.4.12 and below allows unauthenticated attackers to enumerate existing applications.
Published Mar 27, 2023 · Updated Jul 9, 2026
Critical · CVSS 9.1
ndk design NdkAdvancedCustomizationFields 3.5.0 is vulnerable to Server-side request forgery (SSRF) via rotateimg.php.
Published Nov 22, 2022 · Updated Jul 9, 2026
Medium · CVSS 6.1
A cross-site scripting (XSS) vulnerability in NdkAdvancedCustomizationFields v3.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payloads injected into the "htmlNodes" parameter.
Published Dec 21, 2022 · Updated Jul 9, 2026
Medium · CVSS 6.1
ndk design NdkAdvancedCustomizationFields 3.5.0 is vulnerable to Cross Site Scripting (XSS) via createPdf.php.
Published Nov 2, 2022 · Updated Jul 9, 2026
High · CVSS 7.5
A SQL injection vulnerability in the height and width parameter in NdkAdvancedCustomizationFields v3.5.0 allows unauthenticated attackers to exfiltrate database data.
Published Nov 1, 2022 · Updated Jul 9, 2026
Medium · CVSS 6.5
ProcessWire v3.0.200 was discovered to contain a Cross-Site Request Forgery (CSRF).
Published Oct 31, 2022 · Updated Jul 9, 2026
Medium · CVSS 6.1
ProcessWire v3.0.200 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via the Search Users and Search Pages function. These vulnerabilities allow attackers to execute arbitrary web scripts or HTML via injection of a crafted payload.
Published Oct 31, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
mxGraph v4.2.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the setTooltips() function.
Published Oct 11, 2022 · Updated Jul 9, 2026
Medium · CVSS 4.8
Employee Performance Evaluation System v1.0 was discovered to contain a persistent cross-site scripting (XSS) vulnerability via adding new entries under the Departments and Designations module.
Published Dec 19, 2022 · Updated Jul 9, 2026
Critical · CVSS 9.8
Softr v2.0 was discovered to be vulnerable to HTML injection via the Name field of the Account page.
Published Dec 19, 2022 · Updated Jul 9, 2026
High · CVSS 8.8
mojoPortal v2.7 was discovered to contain an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted PNG file.
Published Sep 30, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
mojoPortal v2.7 was discovered to contain a path traversal vulnerability via the "f" parameter at /DesignTools/CssEditor.aspx. This vulnerability allows authenticated attackers to read arbitrary files in the system.
Published Oct 3, 2022 · Updated Jul 9, 2026