hook_file_download in the CKEditor module 7.x-1.4 for Drupal does not properly restrict access to private files, which allows remote attackers to read private files via a direct request.

The wp-editor plugin before 1.2.6.3 for WordPress has multiple XSS issues.

SCEditor 2.1.3 allows XSS.

pandao Editor.md 1.5.0 allows XSS via the Javascript: string.

HexoEditor v1.1.8-beta is affected by: XSS to code execution.

CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste.

KindEditor through 4.1.11 has a path traversal vulnerability in php/upload_json.php. Anyone can browse a file or directory in the kindeditor/attached/ folder via the path parameter without authentication.

xhEditor 1.2.2 allows XSS via JavaScript code in the SRC attribute of an IFRAME element within the editor's source-code view.

The mintToken function of a smart contract implementation for TravelZedi Token (ZEDI), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.

Cross-site scripting (XSS) vulnerability in the Link package for CKEditor 5 before 10.0.1 allows remote attackers to inject arbitrary web script through a crafted href attribute of a link (A) element.