PT-2026-32521

Name of the Vulnerable Software and Affected Versions Vtiger CRM version 8.4.0 Description An HTML Injection issue exists in the Dashboard module. The application fails to properly neutralize user-supplied input in the tabid parameter of the 'DashBoardTab' view 'getTabContents' action, allowing a...

SuiteCRM 跨站脚本漏洞

SuiteCRM is a customer relationship management system developed by the SuiteCRM team. Version 7.15.0 of SuiteCRM contains a cross-site scripting vulnerability. This vulnerability stems from a reflection-type HTML injection in the login page, which allows attackers to inject arbitrary HTML content...

EUVD-2025-208745

Cross Site scripting vulnerability XSS in NetBox 4.3.5 "comment" field on object forms. An attacker can inject arbitrary HTML, which will be rendered in the web UI when viewed by other users. This could potentially lead to user interface redress attacks or be escalated to XSS in certain contexts...

CVE-2017-20219

Serviio PRO 1.8 DLNA Media Streaming Server contains a DOM-based cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads. Attackers can craft URLs with malicious input that is read from document.location and passed to...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the firstname and lastname inputs when processed by editUser.tpl.php. An attacker can inject arbitrary HTML content by submitting crafted input, which is rendered when other users view the affected profile,...

CVE-2025-12062

The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8.6 via the fcloadtemplate function. This makes it possible for authenticated attackers, with Subscriber-leve...

CVE-2025-12062 WP Maps <= 4.8.6 - Authenticated (Subscriber+) Limited Local File Inclusion

The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8.6 via the fcloadtemplate function. This makes it possible for authenticated attackers, with Subscriber-leve...

PT-2026-8389

Name of the Vulnerable Software and Affected Versions WP Maps – Store Locator, Google Maps, OpenStreetMap, Mapbox, Listing, Directory & Filters plugin for WordPress versions prior to 4.8.7 Description The WP Maps plugin for WordPress is susceptible to a Local File Inclusion issue. This allows...

CVE-2026-26188

The vulnerability CVE-2026-26188 affects Solspace Freeform plugin for Craft CMS 5.x. An authenticated, low-privilege user who can create/edit forms can inject arbitrary HTML/JS into the Craft Control Panel builder and integrations views. User-controlled form labels and integration metadata are re...

CVE-2026-24426

Shenzhen Tenda AC7 firmware version V03.03.03.01cn and prior contain an improper output encoding vulnerability in the web management interface. User-supplied input is reflected in HTTP responses without adequate escaping, allowing injection of arbitrary HTML or JavaScript in a victim’s browser...

SUSE CVE-2025-45160

A HTML injection vulnerability exists in the file upload functionality of Cacti , , into the rendered page. NOTE: Multiple third-parties including the maintainer have stated that they cannot reproduce this issue after 1.2.27...

DEBIAN-CVE-2026-24476

Shaarli is a personal bookmarking service. Prior to version 0.16.0, crafting a malicious tag which starting with " prematurely ends the tag on the start page and allows an attacker to add arbitrary html leading to a possible XSS attack. Version 0.16.0 fixes the issue...

CVE-2026-24476

Shaarli (personal bookmarking service) is affected by CVE-2026-24476 prior to version 0.16.0. A malicious tag beginning with a double quote (") prematurely ends the start-page input tag and injects arbitrary HTML, enabling a possible XSS. The issue is fixed in version 0.16.0. Public references in...

CVE-2025-57681

The WorklogPRO - Timesheets for Jira plugin in Jira Data Center before version 4.23.6-jira10 and before version 4.23.5-jira9 allows users and attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability. The vulnerability is exploited via a specially crafted paylo...

CVE-2025-57681

The WorklogPRO - Timesheets for Jira plugin in Jira Data Center before version 4.23.6-jira10 and before version 4.23.5-jira9 allows users and attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability. The vulnerability is exploited via a specially crafted paylo...

CVE-2026-1011

A stored cross-site scripting XSS vulnerability exists in the Altium Support Center AddComment endpoint due to missing server-side input sanitization. Although the client interface applies HTML escaping, the backend accepts and stores arbitrary HTML and JavaScript supplied via modified POST...

CVE-2023-45540

An issue in Jorani Leave Management System 1.0.3 allows a remote attacker to execute arbitrary HTML code via a crafted script to the comment field of the List of Leave requests page...

CVE-2018-1000113

A cross-site scripting vulnerability exists in Jenkins TestLink Plugin 2.12 and earlier in TestLinkBuildAction/summary.jelly and others that allow an attacker who can control e.g. TestLink report names to have Jenkins serve arbitrary HTML and JavaScript...

CVE-2023-4241

lol-html can cause panics on certain HTML inputs. Anyone processing arbitrary 3rd party HTML with the library is affected...

CVE-2024-34707

Nautobot is a Network Source of Truth and Network Automation Platform. A Nautobot user with admin privileges can modify the BANNERTOP, BANNERBOTTOM, and BANNERLOGIN configuration settings via the /admin/constance/config/ endpoint. Normally these settings are used to provide custom banner text at...