Total
42314 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-27990 | 1 Zyxel | 38 Atp100, Atp100 Firmware, Atp100w and 35 more | 2026-02-25 | 4.8 Medium |
| The cross-site scripting (XSS) vulnerability in Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow an authenticated attacker with administrator privileges to store malicious scripts in a vulnerable device. A successful XSS attack could then result in the stored malicious scripts being executed when the user visits the Logs page of the GUI on the device. | ||||
| CVE-2026-27645 | 2 Dgtlmoon, Webtechnologies | 2 Changedetection.io, Changedetection | 2026-02-25 | 6.1 Medium |
| changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, the RSS single-watch endpoint reflects the UUID path parameter directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. Version 0.54.1 contains a fix for the issue. | ||||
| CVE-2023-6333 | 1 Controlbyweb | 6 X-301-24i, X-301-24i Firmware, X-301-i and 3 more | 2026-02-25 | 7.5 High |
| The affected ControlByWeb Relay products are vulnerable to a stored cross-site scripting vulnerability, which could allow an attacker to inject arbitrary scripts into the endpoint of a web interface that could run malicious javascript code during a user's session. | ||||
| CVE-2025-46320 | 1 Claris | 1 Filemaker Server | 2026-02-25 | 6.1 Medium |
| A cross-site scripting (XSS) vulnerability in a FileMaker WebDirect custom homepage could lead to unauthorized access and remote code execution. This vulnerability has been fully addressed in FileMaker Server 22.0.4 and FileMaker Server 21.1.7. | ||||
| CVE-2023-49088 | 1 Cacti | 1 Cacti | 2026-02-25 | 6.1 Medium |
| Cacti is an open source operational monitoring and fault management framework. The fix applied for CVE-2023-39515 in version 1.2.25 is incomplete as it enables an adversary to have a victim browser execute malicious code when a victim user hovers their mouse over the malicious data source path in `data_debug.php`. To perform the cross-site scripting attack, the adversary needs to be an authorized cacti user with the following permissions: `General Administration>Sites/Devices/Data`. The victim of this attack could be any account with permissions to view `http://<HOST>/cacti/data_debug.php`. As of time of publication, no complete fix has been included in Cacti. | ||||
| CVE-2022-4554 | 1 Idyazilim | 1 B2b Dealer Order System | 2026-02-25 | 5.4 Medium |
| B2B Customer Ordering System developed by ID Software Project and Consultancy Services before version 1.0.0.347 has an authenticated Reflected XSS vulnerability. This has been fixed in the version 1.0.0.347. | ||||
| CVE-2022-38106 | 1 Solarwinds | 1 Serv-u | 2026-02-25 | 5.4 Medium |
| This vulnerability happens in the web client versions 15.3.0 to Serv-U 15.3.1. This vulnerability affects the directory creation function. | ||||
| CVE-2022-35226 | 1 Sap | 1 Data Services | 2026-02-25 | 6.1 Medium |
| SAP Data Services Management allows an attacker to copy the data from a request and echoed into the application's immediate response, it will lead to a Cross-Site Scripting vulnerability. The attacker would have to log in to the management console to perform such as an attack, only few of the pages are vulnerable in the DS management console. | ||||
| CVE-2026-3043 | 2 Admerc, Itsourcecode | 2 Event Management System, Event Management System | 2026-02-25 | 4.3 Medium |
| A flaw has been found in itsourcecode Event Management System 1.0. The impacted element is an unknown function of the file /admin/navbar.php. Executing a manipulation of the argument page can lead to cross site scripting. The attack may be performed from remote. The exploit has been published and may be used. | ||||
| CVE-2026-3041 | 1 Xingfuggz | 1 Baykeshop | 2026-02-25 | 2.4 Low |
| A security vulnerability has been detected in xingfuggz BaykeShop up to 1.3.20. Impacted is an unknown function of the file src/baykeshop/contrib/article/templates/baykeshop/sidebar/custom.html of the component Article Sidebar Module. Such manipulation of the argument sidebar.content leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-21483 | 1 Nadh | 1 Listmonk | 2026-02-25 | 5.4 Medium |
| listmonk is a standalone, self-hosted, newsletter and mailing list manager. Prior to version 6.0.0, lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, the XSS executes in their browser context, allowing the attacker to perform privileged actions such as creating backdoor admin accounts. The attack can be weaponized via the public archive feature, where victims simply need to visit a link - no preview click required. Version 6.0.0 fixes the issue. | ||||
| CVE-2026-3027 | 1 Jeewms | 1 Jeewms | 2026-02-25 | 4.3 Medium |
| A vulnerability was found in erzhongxmu JEEWMS up to 3.7. This affects an unknown part of the file src/main/webapp/plug-in/ueditor/jsp/getContent.jsp of the component UEditor. The manipulation of the argument myEditor results in cross site scripting. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-2972 | 1 A466350665 | 1 Smart-sso | 2026-02-25 | 2.4 Low |
| A vulnerability was determined in a466350665 Smart-SSO up to 2.1.1. This affects the function Save of the file smart-sso-server/src/main/java/openjoe/smart/sso/server/controller/admin/UserController.java of the component Role Edit Page. Executing a manipulation can lead to cross site scripting. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-2971 | 1 A466350665 | 1 Smart-sso | 2026-02-25 | 4.3 Medium |
| A vulnerability was found in a466350665 Smart-SSO up to 2.1.1. Affected by this issue is some unknown functionality of the file smart-sso-server/src/main/resources/templates/login.html of the component Login. Performing a manipulation of the argument redirectUri results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-30754 | 1 Wpfoxly | 1 Adfoxly | 2026-02-25 | 7.1 High |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in AdFoxly AdFoxly – Ad Manager, AdSense Ads & Ads.Txt plugin <= 1.8.5 versions. | ||||
| CVE-2026-24045 | 1 Docmost | 1 Docmost | 2026-02-25 | 7.3 High |
| Docmost is open-source collaborative wiki and documentation software. From g and before 0.25.0, the public share page functionality in Docmost does not properly HTML-escape page titles before inserting them into meta tags and the title tag. This allows Stored Cross-Site Scripting (XSS) attacks, where an attacker can execute arbitrary JavaScript in the context of any user who opens a shared page link. This vulnerability is fixed in 0.25.0. | ||||
| CVE-2015-9354 | 1 Tri | 1 Gigpress | 2026-02-25 | 4.8 Medium |
| The gigpress plugin before 2.3.11 for WordPress has XSS. | ||||
| CVE-2026-23858 | 1 Dell | 1 Wyse Management Suite | 2026-02-25 | 5.4 Medium |
| Dell Wyse Management Suite, versions prior to WMS 5.5, contain an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Script Injection. | ||||
| CVE-2026-25642 | 1 Hedgedoc | 1 Hedgedoc | 2026-02-25 | 4.3 Medium |
| HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to 1.10.6, files served below the /uploads/ endpoint did not use a more strict security-policy. This resulted in a too open Content-Security-Policy and furthermore opened the possibility to host malicious interactive web content (such as fake login forms) using SVG files. This vulnerability is fixed in 1.10.6. | ||||
| CVE-2024-22128 | 2 Sap, Sap Se | 2 Netweaver Business Client For Html, Sap Netweaver Business Client For Html | 2026-02-25 | 4.7 Medium |
| SAP NWBC for HTML - versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An unauthenticated attacker can inject malicious javascript to cause limited impact to confidentiality and integrity of the application data after successful exploitation. | ||||