Export limit exceeded: 337599 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (44176 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-11950 | 2 Eduasist, Knowhy Advanced Technology Trading | 2 Eduasist, Eduasist | 2026-03-09 | 6.3 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in KNOWHY Advanced Technology Trading Ltd. Co. EduAsist allows Reflected XSS.This issue affects EduAsist: before v2.1. | ||||
| CVE-2024-35644 | 2 Pascal Birchler, Wordpress | 2 Preferred Languages, Wordpress | 2026-03-09 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Pascal Birchler Preferred Languages allows DOM-Based XSS.This issue affects Preferred Languages: from n/a through 2.2.2. | ||||
| CVE-2026-2721 | 2 Pierrelannoy, Wordpress | 2 Mailarchiver, Wordpress | 2026-03-09 | 4.8 Medium |
| The MailArchiver plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2026-2722 | 2 Urkekg, Wordpress | 2 Stock Ticker, Wordpress | 2026-03-09 | 4.8 Medium |
| The Stock Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.26.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2026-2736 | 1 Alkacon | 1 Opencms | 2026-03-09 | 6.1 Medium |
| Reflected Cross-site Scripting (XSS) in Alkacon's OpenCms v18.0, which allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL containing the ‘q’ parameter in ‘/search/index.html’. This vulnerability can be exploited to steal sensitive user information such as session cookies, or to perform actions while impersonating the user. | ||||
| CVE-2026-0540 | 1 Cure53 | 1 Dompurify | 2026-03-08 | 6.1 Medium |
| DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 729097f, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like </noscript><img src=x onerror=alert(1)> in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts. | ||||
| CVE-2025-14801 | 1 Xiweicheng | 2 Teamwork Management System, Tms | 2026-03-08 | 2.4 Low |
| A security vulnerability has been detected in xiweicheng TMS up to 2.28.0. This affects the function createComment of the file /admin/blog/comment/create. Such manipulation of the argument content leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-26276 | 1 Gogs | 1 Gogs | 2026-03-07 | 7.3 High |
| Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an attacker can store an HTML/JavaScript payload in a repository’s Milestone name, and when another user selects that Milestone on the New Issue page (/issues/new), a DOM-Based XSS is triggered. This issue has been patched in version 0.14.2. | ||||
| CVE-2025-61645 | 2 Mediawiki, Wikimedia | 2 Mediawiki, Mediawiki | 2026-03-06 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/pager/CodexTablePager.Php. This issue affects MediaWiki: from * before 1.44.1. | ||||
| CVE-2026-27354 | 2 Webcodingplace, Wordpress | 2 Woocommerce Coming Soon Product With Countdown, Wordpress | 2026-03-06 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebCodingPlace WooCommerce Coming Soon Product with Countdown woo-coming-soon-product allows Stored XSS.This issue affects WooCommerce Coming Soon Product with Countdown: from n/a through <= 5.0. | ||||
| CVE-2026-27352 | 2 Themegoods, Wordpress | 2 Starto, Wordpress | 2026-03-06 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Starto starto allows Reflected XSS.This issue affects Starto: from n/a through <= 2.1.9. | ||||
| CVE-2021-47870 | 2 Get-simple, Getsimple-ce | 2 Getsimplecms, Getsimple Cms | 2026-03-06 | 5.4 Medium |
| GetSimple CMS My SMTP Contact Plugin 1.1.2 suffers from a Stored Cross-Site Scripting (XSS) vulnerability. The plugin attempts to sanitize user input using htmlspecialchars(), but this can be bypassed by passing dangerous characters as escaped hex bytes. This allows attackers to inject arbitrary client-side code that executes in the administrator's browser when visiting a malicious page. | ||||
| CVE-2023-4145 | 1 Pimcore | 2 Customer-data-framework, Customer Management Framework | 2026-03-06 | 5.4 Medium |
| Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/customer-data-framework prior to 3.4.2. | ||||
| CVE-2023-41655 | 1 Heiglandreas | 1 Authldap | 2026-03-06 | 5.9 Medium |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Andreas Heigl authLdap plugin <= 2.5.9 versions. | ||||
| CVE-2026-27385 | 2 Designthemes, Wordpress | 2 Designthemes Portfolio, Wordpress | 2026-03-06 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes DesignThemes Portfolio designthemes-portfolio allows Reflected XSS.This issue affects DesignThemes Portfolio: from n/a through <= 1.3. | ||||
| CVE-2026-27376 | 2 Janstudio, Wordpress | 2 Claue - Clean, Minimal Elementor Woocommerce Theme, Wordpress | 2026-03-06 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in JanStudio Claue - Clean, Minimal Elementor WooCommerce Theme claue allows Reflected XSS.This issue affects Claue - Clean, Minimal Elementor WooCommerce Theme: from n/a through <= 2.2.7. | ||||
| CVE-2026-27367 | 2 Themegoods, Wordpress | 2 Musico, Wordpress | 2026-03-06 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Musico musico allows Reflected XSS.This issue affects Musico: from n/a through <= 3.2.4. | ||||
| CVE-2026-27359 | 2 Fox-themes, Wordpress | 2 Awa Plugins, Wordpress | 2026-03-06 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fox-themes Awa Plugins awa-plugins allows Reflected XSS.This issue affects Awa Plugins: from n/a through <= 1.4.4. | ||||
| CVE-2026-26195 | 1 Gogs | 1 Gogs | 2026-03-06 | 6.1 Medium |
| Gogs is an open source self-hosted Git service. Prior to version 0.14.2, stored xss is still possible through unsafe template rendering that mixes user input with safe plus permissive sanitizer handling of data urls. This issue has been patched in version 0.14.2. | ||||
| CVE-2026-28509 | 1 Langbot | 1 Langbot | 2026-03-06 | 6.3 Medium |
| LangBot is a global IM bot platform designed for LLMs. Prior to version 4.8.7, LangBot’s web UI renders user-supplied raw HTML using rehypeRaw, which can lead to a cross-site scripting (XSS) vulnerability. This issue has been patched in version 4.8.7. | ||||