Status2k does not remove the install directory allowing credential reset.

Status2k allows Remote Command Execution in admin/options/editpl.php.

The ultimate-weather plugin 1.0 for WordPress has XSS

The Etherpad Lite ep_imageconvert Plugin has a Remote Command Injection Vulnerability

The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket.

SpagoBI before 4.1 has Privilege Escalation via an error in the AdapterHTTP script

Pretty-Link WordPress plugin 1.5.2 has XSS

sphider prior to 1.3.6, sphider-pro prior to 3.2, and sphider-plus prior to 3.2 allow authentication bypass

Déjà Vu Crescendo Sales CRM has remote SQL Injection

LPAR2RRD ≤ 4.53 and ≤ 3.5 has arbitrary command injection on the application server.

flog plugin 0.1 for WordPress has XSS

DOMPDF before 0.6.2 allows remote code execution, a related issue to CVE-2014-2383.

DOMPDF before 0.6.2 allows denial of service.

DOMPDF before 0.6.2 allows Information Disclosure.

A cross-site scripting (XSS) vulnerability in Electronic Logbook (ELOG) 3.1.4 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG document to elogd.c.

A cross-site scripting (XSS) vulnerability in Electronic Logbook (ELOG) 3.1.4 allows remote attackers to inject arbitrary web script or HTML via the value parameter in a localization (loc) command to elogd.c.

A cross-site scripting (XSS) vulnerability in Option/optionsAll.php in Rasilient PixelStor 5000 K:4.0.1580-20150629 (KDI Version) allows remote attackers to inject arbitrary web script or HTML via the ContentFrame parameter.

contentHostProperties.php in Rasilient PixelStor 5000 K:4.0.1580-20150629 (KDI Version) allows authenticated attackers to remotely execute code via the name parameter.

languageOptions.php in Rasilient PixelStor 5000 K:4.0.1580-20150629 (KDI Version) allows unauthenticated attackers to remotely execute code via the lang parameter.

A mutation cross-site scripting (XSS) issue in Typora through 0.9.9.31.2 on macOS and through 0.9.81 on Linux leads to Remote Code Execution through Mermaid code blocks. To exploit this vulnerability, one must open a file in Typora. The XSS vulnerability is then triggered due to improper HTML sanitization. Given that the application is based on the Electron framework, the XSS leads to remote code execution in an unsandboxed environment.