Lucene search
K

357 matches found

OSV
OSV
added 2026/04/09 2:40 p.m.8 views

SUSE-SU-2026:21159-1 Security update for python-gi-docgen

This update for python-gi-docgen fixes the following issues: - CVE-2025-11687: Fixed reflected DOM XSS bsc1251961...

6.1CVSS5.7AI score0.00337EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/04/06 4:49 p.m.20 views

CVE-2026-35035 CI4MS Company Information Public-Facing Page Full Platform Compromise & Full Account Takeover for All Roles & Privilege-Escalation via System Settings Company Information Stored DOM XSS

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.2.0, the application fails to properly sanitize user-controlled input within System Settings – Company Information. Several administrative...

7.2CVSS0.00455EPSS
Exploits1References1
OSV
OSV
added 2026/04/02 11:21 p.m.4 views

GHSA-CCGF-5RWJ-J3HV TeleJSON: DOM XSS via unsanitised constructor name in `new Function()`

Summary telejson versions prior to 6.0.0 released 2022 are vulnerable to DOM-based Cross-Site Scripting XSS through unsafe deserialisation. Attacker-controlled input from the constructor-name property in parsed JSON is passed directly to new Function without sanitisation, allowing arbitrary...

6.1CVSS6.2AI score0.00358EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/04/01 10:7 p.m.8 views

CI4MS: Blogs Posts Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Summary Vulnerability: Stored DOM XSS via Blog Post Content Persistent Payload Injection - Stored Cross-Site Scripting via Unsanitized Blog Post Content in Blog Management Description The application fails to properly sanitize user-controlled input when creating or editing blog posts. An attacker...

9.1CVSS6.2AI score0.00317EPSS
Exploits1References4Affected Software1
CVE
CVE
added 2026/04/01 9:29 p.m.18 views

CVE-2026-34569

CI4MS is a CodeIgniter 4–based CMS skeleton. Prior to version 0.31.0.0, it fails to sanitize input when creating/editing blog categories, allowing stored XSS via the category title that is rendered unsafely across public blog/category pages and admin views. The issue is fixed in 0.31.0.0. The CVS...

9.9CVSS5.7AI score0.00324EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2026/04/01 9:27 p.m.9 views

CVE-2026-34566

CVE-2026-34566 affects CI4MS, a CodeIgniter 4-based CMS skeleton. Prior to version 0.31.0.0, user-controlled input in Page Management is not properly sanitized, allowing attacker-controlled JavaScript to be stored server-side and later rendered without output encoding in admin page lists and publ...

9.1CVSS5.7AI score0.00269EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/01 9:26 p.m.6 views

CVE-2026-34565 CI4MS: Menu Management (Posts) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when adding Posts to navigation menus through the Menu Manageme...

9.1CVSS5.7AI score0.00269EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/04/01 9:26 p.m.19 views

CVE-2026-34565 CI4MS: Menu Management (Posts) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when adding Posts to navigation menus through the Menu Manageme...

9.1CVSS0.00269EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/04/01 9:25 p.m.3 views

CVE-2026-34564 CI4MS: Menu Management (Pages) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when adding Pages to navigation menus through the Menu Manageme...

9.1CVSS5.7AI score0.00307EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/04/01 9:23 p.m.2 views

CVE-2026-34562 CI4MS: System Settings (Company Information) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings – Company Information. Several...

4.7CVSS5.8AI score0.00274EPSS
Exploits1References2
NVD
NVD
added 2026/04/01 3:16 p.m.12 views

CVE-2025-13535

The King Addons for Elementor plugin for WordPress is vulnerable to multiple Contributor+ DOM-Based Stored Cross-Site Scripting vulnerabilities in all versions up to, and including, 51.1.38. This is due to insufficient input sanitization and output escaping across multiple widgets and features. T...

6.4CVSS0.00241EPSS
Exploits0References11
Github Security Blog
Github Security Blog
added 2026/04/01 12:9 a.m.10 views

CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Summary Vulnerability: Stored DOM XSS via Methods Management Fields Global Persistent Payload Execution - Stored Cross-Site Scripting via Unsanitized Method Creation and Management Inputs - Automatic Execution Across All Pages Where Method Is Rendered in Navigation Description The application fai...

9.1CVSS6.3AI score0.00307EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/03/31 8:49 p.m.4 views

CVE-2026-34716 AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the caller's display name directly as the heading parameter. The toast plugin constructs the heading as...

6.4CVSS6.3AI score0.00279EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/03/30 8:24 p.m.2 views

CVE-2026-34558 CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within the Methods Management functionality when creating or...

9.1CVSS5.8AI score0.00307EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/03/30 8:24 p.m.23 views

CVE-2026-34558 CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within the Methods Management functionality when creating or...

9.1CVSS0.00307EPSS
Exploits1References1
CVE
CVE
added 2026/03/30 8:24 p.m.12 views

CVE-2026-27599

CI4MS (CodeIgniter 4-based CMS skeleton) is affected by a stored DOM XSS in System Settings – Mail Settings. Prior to version 0.31.0.0, fields such as Mail Server, Mail Port, Email Address, Email Password, Mail Protocol and TLS settings accept attacker-controlled input that is stored server-side ...

7.2CVSS5.8AI score0.00358EPSS
Exploits1References1Affected Software1
OSV
OSV
added 2026/03/30 4:19 p.m.3 views

GHSA-66M2-V9V9-95C3 ci4-cms-erp/ci4ms: System Settings (Mail Settings) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Summary Vulnerability: Stored DOM XSS via System Settings – Mail Settings Same-Page Attribute Breakout & Persistent Payload Injection - Stored Cross-Site Scripting via Unsanitized Mail Settings Configuration Fields Description The application fails to properly sanitize user-controlled input withi...

9.1CVSS6AI score0.00358EPSS
Exploits1References4
OSV
OSV
added 2026/03/26 6:48 p.m.11 views

CVE-2026-33506 DOM-Based XSS in Ory Polis Login Page

Ory Polis, formerly known as BoxyHQ Jackson, bridges or proxies a SAML login flow to OAuth 2.0 or OpenID Connect. Versions prior to 26.2.0 contain a DOM-based Cross-Site Scripting XSS vulnerability in Ory Polis's login functionality. The application improperly trusts a URL parameter callbackUrl,...

8.8CVSS6AI score0.00428EPSS
Exploits1References4
RedhatCVE
RedhatCVE
added 2026/03/26 3:3 p.m.5 views

CVE-2026-32277

Connect-CMS is a content management system. In versions 1.35.0 through 1.41.0 and 2.35.0 through 2.41.0, a DOM-based Cross-Site Scripting XSS issue exists in the Cabinet Plugin list view. Versions 1.41.1 and 2.41.1 contain a patch...

8.7CVSS5.8AI score0.00327EPSS
Exploits0References1
NVD
NVD
added 2026/03/20 8:16 a.m.12 views

CVE-2026-33061

Jexactyl is a customisable game management panel and billing system. Commits after 025e8dbb0daaa04054276bda814d922cf4af58da and before e28edb204e80efab628d1241198ea4f079779cfd inject server-side objects into client-side JavaScript through resources/views/templates/wrapper.blade.php. Using unescap...

5.8CVSS0.00165EPSS
Exploits1References2
Rows per page
Query Builder