CVEs from 2026
Total
14,786
critical
critical 1,335
high
high 5,004
medium
medium 4,828
low
low 503
% Critical
9.0%
% with KEV
0.4%
% with exploit
0.7%
Top vendors
Top products
- chrome 723
- firepower_threat_defense_software 310
- gcp 299
- firepower_threat_defense 298
- openclaw 172
- commerce 104
- netweaver_application_server_abap 102
- commerce_b2b 89
Top packages
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-30895 | medium | 6.1 | 6.1 | 11d ago | Lack of output escaping leads to a XSS vector in the readmore links for com_content. | |||
| CVE-2026-47070 | medium | 6.1 | 6.1 | 12d ago | HTTP/3 redirect handler leaks Authorization and Cookie headers to cross-origin redirect target in hackney | |||
| CVE-2026-45249 | medium | 6.1 | 6.1 | 12d ago | A cross-site scripting (XSS) vulnerability exists in Apache ECharts in the Lines series tooltip rendering logic. This issue affects Apache ECharts: from before 6.1.0. In versions prior to 6.1.0,… | |||
| CVE-2026-36226 | medium | 6.1 | 6.1 | 15d ago | Cross Site Scripting vulnerability in Advantech WebAccess/SCADA 8.0-2015.08.16 allows a remote attacker to obtain sensitive information via the decryption field in the Create New Project User compone… | |||
| CVE-2026-42506 | medium | 6.1 | 6.1 | 15d ago | Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML befo… | |||
| CVE-2026-42502 | medium | 6.1 | 6.1 | 15d ago | Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML befo… | |||
| CVE-2026-27136 | medium | 6.1 | 6.1 | 15d ago | Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML befo… | |||
| CVE-2026-25681 | medium | 6.1 | 6.1 | 15d ago | Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML befo… | |||
| CVE-2026-6864 | medium | 6.1 | 6.1 | 16d ago | The CBX 5 Star Rating & Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0.7 due to insufficient input sani… | |||
| CVE-2026-3481 | medium | 6.1 | 6.1 | 16d ago | The WP Blockade plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode' parameter in all versions up to and including 0.9.14. This is due to insufficient input saniti… | |||
| CVE-2026-6841 | medium | 6.1 | 6.1 | 16d ago | Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary Jav… | |||
| CVE-2026-22880 | medium | 6.1 | 6.1 | 16d ago | Mattermost Mobile Apps versions <=2.37 11.4 2.0.37 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to properly validate the SSO authentication callback origin which allows an attacker controlling a malicious Ma… | |||
| CVE-2026-47099 | medium | 6.1 | 6.1 | 17d ago | TeleJSON: DOM XSS via unsanitised constructor name in `new Function()` | |||
| CVE-2026-26028 | medium | 6.1 | 6.1 | 17d ago | CryptPad has a Sanitizer Bypass in Diffmarked.js that Allows Arbitrary HTML Injection and Potential XSS | |||
| CVE-2026-30691 | medium | 6.1 | 6.1 | 17d ago | Cross-Site Scripting (XSS) vulnerability in @cyntler/react-doc-viewer v1.17.1 allows remote attackers to execute arbitrary JavaScript via a crafted .txt file. The TXTRenderer component fails to sanit… | |||
| CVE-2026-5776 | medium | 6.1 | 6.1 | 18d ago | The Email Encoder WordPress plugin before 2.4.7 does not escape email addresses retrieved via user input, allowing unauthenticated attackers to perform Stored XSS attacks | |||
| CVE-2026-8627 | medium | 6.1 | 6.1 | 18d ago | The Correct Prices plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] variable in versions up to and including 1.0. This is due to the correct_prices_pa… | |||
| CVE-2026-8626 | medium | 6.1 | 6.1 | 18d ago | The SponsorMe plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Parameter in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output… | |||
| CVE-2026-8624 | medium | 6.1 | 6.1 | 18d ago | The LJ comments import: reloaded plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Parameter in all versions up to, and including, 0.97.1 due to insufficient input san… | |||
| CVE-2026-8420 | medium | 6.1 | 6.1 | 18d ago | The BLOGCHAT Chat System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.6.3. This is due to missing or incorrect nonce validation on a func… | |||
| CVE-2026-7462 | medium | 6.1 | 6.1 | 18d ago | The VatanSMS WP SMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `page` parameter in all versions up to, and including, 1.01. This is due to insufficient input sanitiz… | |||
| CVE-2026-6395 | medium | 6.1 | 6.1 | 18d ago | The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in versions up to and including 0.9.2. This is due to the complete absence of n… | |||
| CVE-2026-6391 | medium | 6.1 | 6.1 | 18d ago | The Sentence To SEO (keywords, description and tags) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect no… | |||
| CVE-2026-6871 | medium | 6.1 | 6.1 | 18d ago | This module enables you to obfuscate email addresses in content. The module doesn't sufficiently sanitize user input via the Twig filter. This vulnerability is mitigated by the fact that it only af… | |||
| CVE-2026-6367 | medium | 6.1 | 6.1 | 18d ago | Drupal core allows Cross-Site Scripting (XSS) | |||
| CVE-2026-6365 | medium | 6.1 | 6.1 | 18d ago | Drupal core is Vulnerable to Cross-Site Scripting | |||
| CVE-2026-6095 | medium | 6.1 | 6.1 | 18d ago | The IframeConsent element writes HTML attributes without escaping their value. This module has a XSS vulnerability. If an attacker is able to write an `<iframe-consent>` tag, they may be able to ins… | |||
| CVE-2026-5090 | medium | 6.1 | 6.1 | 18d ago | Template::Plugin::HTML versions through 3.102 for Perl allows HTML and JavaScript to be injected. The html_filter function did not escape single quotes. HTML attributes inside of single quotes could… | |||
| CVE-2026-31906 | medium | 6.1 | 6.1 | 18d ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrad… | |||
| CVE-2026-31379 | medium | 6.1 | 6.1 | 18d ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Control of Generation of… | |||
| CVE-2026-34000 | medium | 6.1 | 6.1 | 19d ago | A flaw was found in the X.Org X server. This out-of-bounds read vulnerability in the XKB geometry processing, specifically within the `CheckSetGeom()` and `XkbAddGeomKeyAlias` functions, allows an at… | |||
| CVE-2026-45243 | medium | 6.1 | 6.1 | 19d ago | Summarize contains a missing authorization vulnerability | |||
| CVE-2026-45231 | medium | 6.1 | 6.1 | 19d ago | DumbAssets through 1.0.11 contains a stored cross-site scripting vulnerability in asset fields including name, description, modelNumber, serialNumber, and tags that are stored without server-side san… | |||
| CVE-2026-29965 | medium | 6.1 | 6.1 | 19d ago | HSC MailInspector 5.3.3-7 is vulnerable to Cross Site Scripting (XSS) in the /police/WarningUrlPage.php endpoint due to improper neutralization of user-supplied input that uses alternate or obfuscate… | |||
| CVE-2026-29964 | medium | 6.1 | 6.1 | 19d ago | HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting (XSS) vulnerability in the /tap/tap.php endpoint due to improper neutralization of user-controlled input using alternate or obfuscated JavaS… | |||
| CVE-2026-8656 | medium | 6.1 | 6.1 | 22d ago | Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Cross-site Scripting (XSS) via the annotated formatter due to improper sanitization of JSON values and property names. If an appli… | |||
| CVE-2026-44366 | medium | 6.1 | 6.1 | 22d ago | Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.1, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Vvveb CMS com… | |||
| CVE-2026-45314 | medium | 6.1 | 6.1 | 23d ago | Open WebUI has XSS via SVG in /api/v1/channels/webhooks/{webhook_id}/profile/image | |||
| CVE-2026-44898 | medium | 6.1 | 6.1 | 23d ago | Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_toc_ul() builds a <ul> table-of-contents tree from a list of (level, id, text) tuples. Both the id value (used a… | |||
| CVE-2026-41932 | medium | 6.1 | 6.1 | 23d ago | Vvveb before 1.0.8.3 contains a stored cross-site scripting vulnerability in the customer signup flow where the Signup::addUser() controller copies raw POST username values into the display_name fiel… | |||
| CVE-2026-24710 | medium | 6.1 | 6.1 | 23d ago | Northern.tech CFEngine Enterprise before 3.21.8, 3.24.3, and 3.27.0 allows XSS. | |||
| CVE-2026-21730 | medium | 6.1 | 6.1 | 23d ago | Verba is affected by a Stored Cross-Site Scripting (XSS) vulnerability within its login logging mechanism. When an unauthenticated remote attacker attempts to log in using an incorrect username and p… | |||
| CVE-2026-43644 | medium | 6.1 | 6.1 | 23d ago | podinfo through 6.11.2 contains a reflected cross-site scripting vulnerability in the /echo and /api/echo endpoints where the echoHandler writes request body content directly to the response without … | |||
| CVE-2026-6417 | medium | 6.1 | 6.1 | 24d ago | The GLS Shipping for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'failed_orders' parameter in all versions up to, and including, 1.4.0 due to insufficient… | |||
| CVE-2026-44437 | medium | 6.1 | 6.1 | 24d ago | The Angular SSR is a server-rise rendering tool for Angular applications. From 19.0.0-next.0 to before 19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7, a vulnerability exists in the X-Forwarded-Prefix he… | |||
| CVE-2026-44372 | medium | 6.1 | 6.1 | 24d ago | Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could turn a redirect route rule using wildcards rewrite into a cross-host redirect by sliding an extra slash in after… | |||
| CVE-2026-8496 | medium | 6.1 | 6.1 | 24d ago | A cross-site scripting (XSS) vulnerability exists in Alinto SOGo, version 5.12.7. A maliciously crafted ICS calendar invitation files allows arbitrary JavaScript execution within the authenticated S… | |||
| CVE-2026-41255 | medium | 6.1 | 6.1 | 24d ago | CKAN has CSRF exemption primed by anonymous requests | |||
| CVE-2026-44580 | medium | 6.1 | 6.1 | 24d ago | Next.js has cross-site scripting in beforeInteractive scripts with untrusted input | |||
| CVE-2026-45028 | medium | 6.1 | 6.1 | 24d ago | Astro: Server island encrypted parameters vulnerable to cross-component replay | |||
| CVE-2026-44665 | medium | 6.1 | 6.1 | 24d ago | fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes | |||
| CVE-2026-44664 | medium | 6.1 | 6.1 | 24d ago | fast-xml-builder Comment Value regex can be bypassed | |||
| CVE-2026-44455 | medium | 6.1 | 6.1 | 24d ago | hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection | |||
| CVE-2026-44245 | medium | 6.1 | 6.1 | 25d ago | Kyverno policy-reporter-ui has XSS via Stored Property Values in PropertyCard Component | |||
| CVE-2026-42338 | medium | 6.1 | 6.1 | 25d ago | ip-address has XSS in Address6 HTML-emitting methods | |||
| CVE-2026-20771 | medium | 6.1 | 6.1 | 25d ago | Null pointer dereference for some Intel(R) QAT software drivers for Windows before version 1.13 within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an… | |||
| CVE-2026-33862 | medium | 6.1 | 6.1 | 25d ago | A vulnerability has been identified in Teamcenter V2312 (All versions < V2312.0014), Teamcenter V2406 (All versions < V2406.0012), Teamcenter V2412 (All versions < V2412.0009), Teamcenter V2506 (All … | |||
| CVE-2026-7561 | medium | 6.1 | 6.1 | 25d ago | The Tm – WordPress Redirection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on a fu… | |||
| CVE-2026-7464 | medium | 6.1 | 6.1 | 25d ago | The WP Google Maps Integration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `page` parameter in all versions up to, and including, 1.2. This is due to insufficient inp… | |||
| CVE-2026-7437 | medium | 6.1 | 6.1 | 25d ago | The AzonPost plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `editpos_hidden` parameter in all versions up to, and including, 1.3. This is due to insufficient input sanit… | |||
| CVE-2026-6808 | medium | 6.1 | 6.1 | 25d ago | The Pricing Tables for WP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.1.0. This is due to insufficient input … | |||
| CVE-2026-1681 | medium | 6.1 | 6.1 | 26d ago | Issuing an ICMP ping via the `net ping` shell command to a device's own IPv4 address causes the network stack to recursively re-enter the input path on the same system work-queue stack. Because the d… | |||
| CVE-2026-40137 | medium | 6.1 | 6.1 | 26d ago | SAP TAF_APPLAUNCHER within Business Server Pages allows an unauthenticated attacker to craft malicious links that, when clicked by a victim, redirects them to attacker?controlled sites, potentially e… | |||
| CVE-2026-27682 | medium | 6.1 | 6.1 | 26d ago | Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages), an unauthenticated attacker could craft a URL that … | |||
| CVE-2026-42554 | medium | 6.1 | 6.1 | 26d ago | Fiber vulnerable to XSS in AutoFormat Content Negotiation | |||
| CVE-2026-42872 | medium | 6.1 | 6.1 | 26d ago | WeGIA is a web manager for charitable institutions. In versions prior to 3.7.0, a reflected Cross-Site Scripting (XSS) vulnerability exists in lista_arquivos_etapa.php due to improper handling of use… | |||
| CVE-2026-45222 | medium | 6.1 | 6.1 | 26d ago | @steipete/summarize allows local attackers to read bearer tokens and API credentials stored in ~/.summarize/daemon.json | |||
| CVE-2026-34095 | medium | 6.1 | 6.1 | 26d ago | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Actions/ActionEntryPoint.Php, includes/Request/FauxResponse.Php. This issue affects … | |||
| CVE-2026-36906 | medium | 6.1 | 6.1 | 26d ago | Cross Site Scripting vulnerability in iotgateway v.3.0.1 allows a remote attacker to execute arbitrary code via the Log Record Function | |||
| CVE-2026-6735 | medium | 6.1 | 6.1 | 28d ago | In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause t… | |||
| CVE-2026-42030 | medium | 6.1 | 6.1 | 29d ago | MapServer is a system for developing web-based GIS applications. From version 6.0 to before version 8.6.2, a reflected XSS vulnerability in MapServer's WMS server allows an unauthenticated attacker t… | |||
| CVE-2026-42794 | medium | 6.1 | 6.1 | 29d ago | absinthe_plug Has a Cross-site Scripting vulnerability | |||
| CVE-2026-41575 | medium | 6.1 | 6.1 | 29d ago | In th30d4y/IP from version 1.0.1 to before version 2.0.1, a DOM-Based Cross-Site Scripting (XSS) vulnerability was identified in an IP Reputation Checker application. Unsanitized user input was direc… | |||
| CVE-2026-40295 | medium | 6.1 | 6.1 | 1mo ago | Devise has an Open Redirect via Unvalidated `request.referrer` in Timeoutable Session Timeout Handler | |||
| CVE-2026-8106 | medium | 6.1 | 6.1 | 1mo ago | A reflected HTML injection vulnerability was identified in the GitHub Enterprise Server Management Console login page that could allow credential theft. The redirect_to query parameter on the /setup/… | |||
| CVE-2026-41929 | medium | 6.1 | 6.1 | 1mo ago | Vvveb before 1.0.8.2 contains an unauthenticated reflected cross-site scripting vulnerability in the visual editor preview renderer that allows attackers to execute arbitrary JavaScript by manipulati… | |||
| CVE-2026-39826 | medium | 6.1 | 6.1 | 1mo ago | If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape a… | |||
| CVE-2026-39823 | medium | 6.1 | 6.1 | 1mo ago | CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribute. If the URL content were to insert ASCII whitespaces around the '=' rune ins… | |||
| CVE-2026-44742 | medium | 6.1 | 6.1 | 1mo ago | Postorius is vulnerable to XSS | |||
| CVE-2026-41650 | medium | 6.1 | 6.1 | 1mo ago | fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters | |||
| CVE-2026-7953 | medium | 6.1 | 6.1 | 1mo ago | Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via malicious network traffic. (Chro… | |||
| CVE-2026-42509 | medium | 6.1 | 6.1 | 1mo ago | Apache Wicket has a Cross-site Scripting issue | |||
| CVE-2026-35254 | medium | 6.1 | 6.1 | 1mo ago | Vulnerability in the Oracle OCI CLI product of Oracle Open Source Projects. The supported versions that is affected is 3.77. Easily exploitable vulnerability allows unauthenticated attacker with netw… | |||
| CVE-2026-38947 | medium | 6.1 | 6.1 | 1mo ago | FluentCMS 1.2.3 is vulnerable to Cross Site Scripting (XSS) in TextHTML plugin. | |||
| CVE-2026-42207 | medium | 6.1 | 6.1 | 1mo ago | Magento LTS Vulnerable to Open Redirect via Unvalidated `uenc` Parameter in `stockAction()` | |||
| CVE-2026-43878 | medium | 6.1 | 6.1 | 1mo ago | Video: Reflected XSS in plugin/Meet/iframe.php via Unescaped user and pass Parameters in JavaScript String Literal | |||
| CVE-2026-38432 | medium | 6.1 | 6.1 | 1mo ago | ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting (XSS) in the Email Template engine. An attacker with permission to create or edit email templates can inject malicious JavaScript co… | |||
| CVE-2026-34002 | medium | 6.1 | 6.1 | 1mo ago | A flaw was found in the X.Org X server. This vulnerability, an out-of-bounds read, affects the XKB (X Keyboard Extension) modifier map handling. An attacker with access to the X11 server can exploit … | |||
| CVE-2026-6704 | medium | 6.1 | 6.1 | 1mo ago | The Blog Settings plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0. This is due to insufficient input sanitizati… | |||
| CVE-2026-6702 | medium | 6.1 | 6.1 | 1mo ago | The Publish 2 Ping.fm plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the '/wp-admi… | |||
| CVE-2026-6696 | medium | 6.1 | 6.1 | 1mo ago | The Zingaya Click-to-Call plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email', 'first_name', 'last_name', and 'phone' parameters on the plugin's sign-up admin page in… | |||
| CVE-2026-42230 | medium | 6.1 | 6.1 | 1mo ago | n8n has Open Redirect in MCP OAuth Consent Flow | |||
| CVE-2026-42144 | medium | 6.1 | 6.1 | 1mo ago | CImg Library is a C++ library for image processing. Prior to commit 4ca26bc, there is an integer overflow vulnerability in the W*H*D size computation inside _load_pnm() that can bypass the memory all… | |||
| CVE-2026-42138 | medium | 6.1 | 6.1 | 1mo ago | Dify is an open-source LLM app development platform. Prior to version 1.13.1, using the method POST /api/files/upload, any unauthenticated user can upload an SVG file with XSS. The method POST /v1/fi… | |||
| CVE-2026-38669 | medium | 6.1 | 6.1 | 1mo ago | wCMS v.1.4 is vulnerable to Cross Site Scripting (XSS) when creating a new blog. | |||
| CVE-2026-7371 | medium | 6.1 | 6.1 | 1mo ago | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious url can lead to an ar… | |||
| CVE-2026-42366 | medium | 6.1 | 6.1 | 1mo ago | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious url can lead to an ar… | |||
| CVE-2026-36763 | medium | 6.1 | 6.1 | 1mo ago | A stored cross-site scripting (XSS) vulnerability in the /api/blade-desk/notice/submit endpoint of SpringBlade v4.8.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted… | |||
| CVE-2026-36761 | medium | 6.1 | 6.1 | 1mo ago | A stored cross-site scripting (XSS) vulnerability in the /msg/msgInner/save endpoint of JeeSite v5.15.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted input into th… | |||
| CVE-2026-38940 | medium | 6.1 | 6.1 | 1mo ago | Cross Site Scripting vulnerability in RafyMrX TOKO-ONLINE-ROTI v.1.0 allows a remote attacker to execute arbitrary code via the detail_produk.php component |