Oscar Naveda

Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the description html field when creating an intake work item through the API v1 intake endpoint.

**Name of the Vulnerable Software and Affected Versions** Camaleon CMS version 2.9.2 **Description** Improper authorization in the administrator draft autosave endpoint allows a low-privileged authenticated user to overwrite a draft associated with another user's post. This is achieved by sending an arbitrary `post id` to the 'POST /admin/post type/<POST TYPE ID>/drafts' endpoint. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ERPNext version 16.16.0 **Description** An authenticated user with permissions to edit Item records can inject arbitrary HTML or JavaScript into the `item name`, `description`, or `image` fields of an Item. This leads to unescaped rendering in the Point of Sale (POS) cart interface for any operator who adds the affected item to a transaction. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ERPNext version 16.16.0 **Description** An authenticated user can persist arbitrary HTML or JavaScript within the `email id` or `mobile no` fields of a Customer record. This leads to unescaped rendering in the Point of Sale (POS) interface for any operator who selects the affected customer. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** mailcow-dockerized version 2026-03b **Description** A stored cross-site scripting issue exists in the administrator Queue Manager. The Queue Manager retrieves mail queue entries from the endpoint '/api/v1/get/mailq/all' and copies server-controlled Postfix queue fields into DataTables rows. Several of these fields are rendered as HTML without adequate output encoding, allowing for the execution of malicious scripts. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** pimcore version 12.3.3 **Description** An authenticated attacker with permissions to edit document content can store crafted HTML or JavaScript within a Document embed editable. This leads to script execution when the published page is rendered, a process known as Stored Cross-Site Scripting (XSS), where malicious scripts are permanently stored on the target server. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Pimcore version 12.3.3 **Description** An authenticated administrative user with permissions to import or save DataObject class definitions can inject malicious composite index metadata. This action allows the execution of unintended SQL commands in the backend, leading to a SQL injection, which is a technique where an attacker inserts malicious SQL code into a query to manipulate a database. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.