PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to utf-8 if something else than UTF-8 is declared in the header. This was a security measurement to prevent CVE-2018-19277 but the fix is not

Nagios NRPE 3.2.1 has a Heap-Based Buffer Overflow, as demonstrated by interpretation of a small negative number as a large positive number during a bzero call.

Codiad Web IDE through 2.8.4 allows PHP Code injection.

Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file.

BMC Control-M/Agent 7.0.00.000 has an Insecure File Copy.

Nagios NRPE 3.2.1 has Insufficient Filtering because, for example, nasty_metachars interprets \n as the character \ and the character n (not as the \n newline sequence). This can cause command injection.

BMC Control-M/Agent 7.0.00.000 has Insecure Password Storage.

NeoPost Mail Accounting Software Pro 5.0.6 allows php/Commun/FUS_SCM_BlockStart.php?code= XSS.

Gophish before 0.11.0 allows SSRF attacks.

Gophish through 0.10.1 does not invalidate the gophish cookie upon logout.

Gophish before 0.11.0 allows the creation of CSV sheets that contain malicious content.

The Reset button on the Account Settings page in Gophish before 0.11.0 allows attackers to cause a denial of service via a clickjacking attack

Cross Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via the IMAP Host field on the account settings page.

osCommerce Phoenix CE before 1.0.5.4 allows OS command injection remotely. Within admin/mail.php, a from POST parameter can be passed to the application. This affects the PHP mail function, and the sendmail -f option.

osCommerce Phoenix CE before 1.0.5.4 allows admin/define_language.php CSRF.

Cross Site Scripting (XSS) vulnerability in Gophish through 0.10.1 via a crafted landing page or email template.

Cross Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via the Host field on the send profile form.

Dolibarr ERP/CRM 3.0 through 10.0.3 allows XSS via the qty parameter to product/fournisseurs.php (product price screen).

NCP Secure Enterprise Client before 10.15 r47589 allows a symbolic link attack on enumusb.reg via Support Assistant.

Gambio GX before 4.0.1.0 allows XSS in admin/coupon_admin.php.

Gambio GX before 4.0.1.0 allows admin/admin.php CSRF.

Gambio GX before 4.0.1.0 allows SQL Injection in admin/mobile.php.

Gambio GX before 4.0.1.0 allows SQL Injection in admin/gv_mail.php.

BMC Control-M/Agent 7.0.00.000 allows OS Command Injection.

BMC Control-M/Agent 7.0.00.000 allows Arbitrary File Download.

BMC Control-M/Agent 7.0.00.000 allows OS Command Injection (issue 2 of 2).

Cross-site scripting (XSS) vulnerability in mailhive/cloudbeez/cloudloader.php and mailhive/cloudbeez/cloudloader_core.php in the MailBeez plugin for ZenCart before 3.9.22 allows remote attackers to inject arbitrary web script or HTML via the cloudlo

STARFACE UCC Client before 6.7.1.204 on WIndows allows binary planting to execute code with System rights, aka usd-2020-0006.

Dolibarr ERP/CRM before 10.0.3 allows SQL Injection.

Dolibarr ERP/CRM before 10.0.3 allows XSS because uploaded HTML documents are served as text/html despite being renamed to .noexe files.

The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message m