EUVD-2026-20757

A reflected cross-site scripting vulnerability exists in Sonatype Nexus Repository versions 3.0.0 through 3.90.2 that allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser through a specially crafted URL. Exploitation requires user interaction...

OpenCTI 安全漏洞

OpenCTI is an open-source network threat intelligence platform developed by OpenCTI. Versions of OpenCTI prior to 6.9.5 contained security vulnerabilities. These vulnerabilities stemmed from the improper cleanup of EJS templates in the safeEjs.ts file, allowing users with administrative privilege...

CVE-2026-3438

A reflected cross-site scripting vulnerability exists in Sonatype Nexus Repository versions 3.0.0 through 3.90.2 that allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser through a specially crafted URL. Exploitation requires user interaction...

CVE-2026-4332

GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that, in customizable analytics dashboards, could have allowed an authenticated user to execute arbitrary JavaScript in the context of other users' browsers due...

CVE-2026-4332 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that, in customizable analytics dashboards, could have allowed an authenticated user to execute arbitrary JavaScript in the context of other users' browsers due...

CVE-2026-4332

GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that, in customizable analytics dashboards, could have allowed an authenticated user to execute arbitrary JavaScript in the context of other users' browsers due...

CVE-2026-4300

The Robo Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Loading Label' setting in all versions up to, and including, 5.1.3. The plugin uses a custom |...| marker pattern in its fixJsFunction method to embed raw JavaScript function references within JSON-encoded...

CVE-2026-4300

Robo Gallery for WordPress is affected up to version 5.1.3 with a Stored XSS in the Loading Label field (rbs_gallery_LoadingWord). The plugin uses a custom |... | marker in fixJsFunction() to embed raw JS within JSON; json_encode() preserves quotes, then fixJsFunction() strips the markers, turnin...

Hayabusa 跨站脚本漏洞

Hayabusa is an open-source Windows event log forensic and threat hunting tool developed by Yamato Security. Versions prior to Hayabusa 3.8.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from HTML report outputs that had the same cross-site scripting vulnerabilities,...

CVE-2026-39333

ChurchCRM is an open-source church management system. Prior to 7.1.0, he FindFundRaiser.php endpoint reflects user-supplied input DateStart and DateEnd into HTML input field attributes without proper output encoding for the HTML attribute context. An authenticated attacker can craft a malicious U...

CVE-2025-15611

The Popup Box WordPress plugin before 5.5.0 does not properly validate nonces in the addoreditpopupbox function before saving popup data, allowing unauthenticated attackers to perform Cross-Site Request Forgery attacks. When an authenticated admin visits a malicious page, the attacker can create ...

CVE-2026-22675 OCS Inventory NG Server Stored XSS via User-Agent

OCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript by submitting malicious User-Agent HTTP headers to the /ocsinventory endpoint. Attackers can register rogue agents or craft...

CVE-2026-35390

This CVE concerns Bulwark Webmail (self-hosted for Stalwart Mail Server). Before 1.4.11, the reverse proxy (proxy.ts) sent Content-Security-Policy-Report-Only instead of the enforcing Content-Security-Policy, causing XSS protections to log but not block. As a result, an attacker able to inject sc...

Cross-site Scripting (XSS)

Overview glpi/glpi is a free Asset and IT Management Software package with ITIL Service Desk, licenses tracking and software auditing. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the inventory endpoint. An attacker can execute arbitrary JavaScript code in the...

CVE-2026-30251

A reflected cross-site scripting XSS vulnerability in the loginnewpwd.php endpoint of Interzen Consulting S.r.l ZenShare Suite v17.0 allows attackers to execute arbitrary Javascript in the context of the user's browser via a crafted URL injected into the codiceazienda parameter...

CVE-2026-34807

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting XSS via the remark parameter to /cgi-bin/incoming.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page...

EUVD-2026-17883

A reflected cross-site scripting XSS vulnerability in the dashboard search functionality of the VertiGIS FM solution allows attackers to craft a malicious URL, that if visited by an authenticated victim, will execute arbitrary JavaScript in the victim's context. Such a URL could be delivered...

YesWiki has Multiple Reflected Cross-site Scripting Vulnerabilities

Summary Multiple reflected Cross-site Scripting XSS vulnerabilities across both authenticated and unauthenticated portions of the application. These findings present a significant security risk, as they can be leveraged to execute arbitrary JavaScript in a victim’s browser under various contexts...

CVE-2026-3468

A stored Cross-Site Scripting XSS vulnerability has been identified in the SonicWall Email Security appliance due to improper neutralization of user-supplied input during web page generation, allowing a remote authenticated attacker as admin user to potentially execute arbitrary JavaScript code...

CVE-2026-3468

A stored Cross-Site Scripting XSS vulnerability has been identified in the SonicWall Email Security appliance due to improper neutralization of user-supplied input during web page generation, allowing a remote authenticated attacker as admin user to potentially execute arbitrary JavaScript code...