CVE-2020-36861

The Core Config Manager CCM in Nagios XI versions prior to CCM 3.0.8 / Nagios XI 5.7.5 contains multiple cross-site scripting XSS vulnerabilities in the overlay UI elements and the Notification/Check Period pages. Insufficient validation or escaping of user-supplied input may allow an attacker to...

CVE-2018-25119

Nagios Fusion versions prior to 4.1.5 are vulnerable to cross-site scripting XSS via the "fusionwindow" parameter. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser...

CVE-2016-15051

Nagios XI versions prior to 5.2.4 are vulnerable to cross-site scripting XSS via the Reports interface through values from the startdate and enddate fields. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a...

CVE-2022-50587 Nagios XI < 5.8.9 Stored XSS via Command Names in Apply Config Error Text

Nagios XI versions prior to 5.8.9 are vulnerable to cross-site scripting XSS via the Apply Configuration error text. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser...

CVE-2022-50588

Nagios XI prior to version 5.8.9 is affected by a stored XSS flaw in the update-checking feature. The vulnerability stems from insufficient validation/escaping of user-supplied input, allowing an attacker to inject and execute arbitrary script in a victim’s browser. Public sources in the provided...

CVE-2021-47690 Nagios XI < 5.8.2 Core Config Manager (CCM) XSS via Overlay Modals

The Core Config Manager CCM in Nagios XI versions prior to CCM 3.1.1 / Nagios XI 5.8.2 contains multiple cross-site scripting XSS vulnerabilities in Overlay modals. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the conte...

CVE-2023-7323

CVE-2023-7323 affects Nagios Log Server prior to 2024R1, with an XSS vulnerability caused by insufficient validation/escaping of user input in the Create User function. The impact is potential arbitrary script execution in a victim’s browser. Publicly disclosed details across Red Hat, EUVD, and v...

PT-2025-44544

Nagios XI versions prior to 5.4.13 are vulnerable to cross-site scripting XSS via the Views page of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser...

IBM QRadar SIEM 跨站脚本漏洞

IBM QRadar SIEM is a solution from International Business Machines IBM that utilizes security intelligence to protect assets and information from advanced threats. The solution provides oversight of the entire scope of the IT architecture, generates detailed reports on data access and user...

CVE-2025-61931

Pleasanter contains a stored cross-site scripting vulnerability in Body, Description and Comments, which allows an attacker to execute an arbitrary script in a logged-in user's web browser...

CVE-2025-58070

Pleasanter contains a stored cross-site scripting vulnerability in Preview for Attachments, which allows an attacker to execute an arbitrary script in a logged-in user's web browser...

WordPress CF7 Auto Responder Addon plugin cross-site scripting vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress plugin is an application plugin. A cross-site scripting vulnerability exists in the WordPress CF7 Auto Responder Addon plugin, which stems from the application's lack of effective filtering and escaping of...

CVE-2025-54806

CVE-2025-54806 concerns GROWI up to v4.2.7. A cross-site scripting (CWE-79) flaw exists in the page alert function. When a logged-in user visits a crafted URL, an arbitrary script can execute in the user’s browser. Documented impact is client-side script execution with potential confidentiality/i...

Six Apart Movable Type 跨站脚本漏洞

Six Apart Movable Type is an application from Six Apart USA. Six Apart Movable Type is an application from Six Apart, Inc. that provides features such as multiple users, comments, references TrackBack, topics, and more. A cross-site scripting vulnerability exists in Six Apart Movable Type, which...

WordPress plugin Cinza Grid 跨站脚本漏洞

WordPress Cinza Grid plugin is a lightweight WordPress plugin based on Isotope Waterfall Layout for creating responsive grid layouts that support the presentation of posts, pages or custom content types. WordPress Cinza Grid plugin suffers from a cross-site scripting vulnerability that stems from...

WordPress Ova Advent plugin cross-site scripting vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress plugin is an application plugin. A cross-site scripting vulnerability exists in the WordPress Ova Advent plugin, which stems from insufficient input cleanup and output escaping, and can be exploited by an...

D-Link Nuclias Connect Cross-Site Scripting Vulnerability

D-Link Nuclias Connect is a network management software from D-Link for centralized management of wireless access points APs, supporting multi-device remote control and reporting capabilities. D-Link Nuclias Connect suffers from a cross-site scripting vulnerability that stems from the application...

WordPress Digiseller plugin cross-site scripting vulnerability

WordPress Digiseller plugin is a plugin that is mainly used to help users integrate digital merchandising features in their websites. A cross-site scripting vulnerability exists in the WordPress Digiseller plugin, which stems from a lack of effective filtering and escaping of the ds shortcode, an...

HCL AION code execution vulnerability (CNVD-2026-16411)

HCL AION is an AI lifecycle management platform from HCL India. HCL AION suffers from a code execution vulnerability that is caused due to a flaw in the content security policy. An attacker can exploit the vulnerability to execute arbitrary scripts inline...

CVE-2025-62508

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Citizen from 3.3.0 to 3.9.0 are vulnerable to stored cross-site scripting in the sticky header button message handling. In stickyHeader.js the copyButtonAttributes function assigns innerHTML from a source element’s...