Lucene search
K

114 matches found

ATTACKERKB
ATTACKERKB
added 2026/07/06 10:16 a.m.6 views

CVE-2025-8591

The software accepts user-supplied input via a URL parameter without adequate output encoding before reflecting it back to the user's browser. This condition allows an attacker to inject malicious script content into pages served by the application. By leveraging this weakness, an attacker can...

6.1CVSS6AI score0.00161EPSS
Exploits0References2Affected Software8
EUVD
EUVD
added 2026/07/06 10:16 a.m.6 views

EUVD-2025-210428

The software accepts user-supplied input via a URL parameter without adequate output encoding before reflecting it back to the user's browser. This condition allows an attacker to inject malicious script content into pages served by the application. By leveraging this weakness, an attacker can...

6.1CVSS6AI score0.00161EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:42 p.m.10 views

CVE-2025-6024

The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by injecting malicious scripts into the authentication endpoint. This can result in the user's browser being redirected to a malicious...

6.1CVSS5.5AI score0.0023EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 6:48 p.m.8 views

CVE-2024-4867

The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject script content that is executed within the context of a user's browser. By leveraging this cross-site...

5.4CVSS5.2AI score0.00195EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/22 9:45 p.m.10 views

CVE-2026-41147

NukeViet CMS is a multi Content Management System. Versions 4.5.07 and prior contain a Stored Cross-Site Scripting XSS vulnerability caused by insufficient server-side input sanitization in the Request class. The application relies primarily on client-side filtering to sanitize HTML tags and...

8.7CVSS5.8AI score0.00349EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2026/05/22 9:45 p.m.30 views

CVE-2026-41147

CVE-2026-41147 (NukeViet CMS) is a stored XSS issue affecting NukeViet CMS versions up to 4.5.08, caused by insufficient server-side input sanitization in the Request class. The app relies on client-side filtering for user-submitted HTML, which can be bypassed by altering HTTP requests. Attackers...

8.7CVSS5.8AI score0.00349EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/15 4:45 p.m.9 views

Cross-site Scripting (XSS)

Overview nukeviet/nukeviet is a the first opensource CMS in Vietnam. Affected versions of this package are vulnerable to Cross-site Scripting XSS via insufficient server-side input sanitization in the Request class. An attacker can execute arbitrary scripts in the context of another user's browse...

8.7CVSS5.8AI score0.00349EPSS
Exploits0References2
GitLab Advisory Database
GitLab Advisory Database
added 2026/04/21 12:0 a.m.31 views

Nginx-UI: Cross-Site WebSocket Hijacking (CSWSH) via missing origin validation on all WebSocket endpoints

All WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader with CheckOrigin unconditionally returning true, allowing Cross-Site WebSocket Hijacking CSWSH. Combined with the fact that authentication tokens are stored in browser cookies set via JavaScript without HttpOnly or explicit...

8.1CVSS5.8AI score0.00176EPSS
Exploits1References4Affected Software1
NVD
NVD
added 2026/04/20 9:16 p.m.6 views

CVE-2026-34403

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.5, all WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader with CheckOrigin unconditionally returning true, allowing Cross-Site WebSocket Hijacking CSWSH. Combined with the fact that authentication tokens...

8.1CVSS0.00176EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/04/20 8:16 p.m.5 views

CVE-2026-34403

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.5, all WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader with CheckOrigin unconditionally returning true, allowing Cross-Site WebSocket Hijacking CSWSH. Combined with the fact that authentication tokens...

6.9CVSS5.7AI score0.00176EPSS
Exploits1References3Affected Software1
EUVD
EUVD
added 2026/04/16 12:31 p.m.6 views

EUVD-2024-55547

The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject script content that is executed within the context of a user's browser. By leveraging this cross-site...

5.4CVSS5.7AI score0.00195EPSS
Exploits0References2
EUVD
EUVD
added 2026/04/16 12:31 p.m.6 views

EUVD-2025-209497

The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by injecting malicious scripts into the authentication endpoint. This can result in the user's browser being redirected to a malicious...

6.1CVSS5.7AI score0.0023EPSS
Exploits0References2
CVE
CVE
added 2026/04/16 9:48 a.m.9 views

CVE-2025-6024

CVE-2025-6024 affects multiple WSO2 products, where the authentication endpoint fails to encode user-supplied input before rendering, enabling a Cross-Site Scripting (XSS) vector in the authentication flow. The vulnerability arises from improper input encoding at the end-user page, allowing an at...

6.1CVSS5.7AI score0.0023EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/16 9:32 a.m.5 views

CVE-2024-4867 Cross-Site Scripting via Developer Portal in WSO2 API Manager Enables UI Modification and Information Retrieval

The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject script content that is executed within the context of a user's browser. By leveraging this cross-site...

5.4CVSS5.7AI score0.00195EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/04/16 12:0 a.m.5 views

PT-2026-33303

The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject script content that is executed within the context of a user's browser. By leveraging this cross-site...

5.4CVSS5.7AI score0.00195EPSS
Exploits0References2
Cvelist
Cvelist
added 2025/12/09 8:7 a.m.27 views

CVE-2025-41752 Reflected XSS vulnerability in pxc_portSfp.php

An XSS vulnerability in pxcportSfp.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management WBM. The vulnerability does not provide access to system-level...

7.1CVSS0.08549EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/11/07 1:46 p.m.8 views

CVE-2025-5770

A reflected cross-site scripting XSS vulnerability exists in the authentication endpoints of multiple WSO2 products due to a lack of output encoding. A malicious actor can inject arbitrary JavaScript payloads into the authentication endpoint, which are reflected back in the response, enabling...

6.1CVSS6AI score0.00202EPSS
Exploits0References1
OSV
OSV
added 2025/11/05 8:15 p.m.7 views

CVE-2025-10853

A reflected cross-site scripting XSS vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS. Successful...

6.1CVSS5.7AI score
Exploits0References1
Cvelist
Cvelist
added 2025/11/05 7:2 p.m.14 views

CVE-2025-5770 Reflected Cross-Site Scripting (XSS) in Authentication Endpoints of Multiple WSO2 Products

A reflected cross-site scripting XSS vulnerability exists in the authentication endpoints of multiple WSO2 products due to a lack of output encoding. A malicious actor can inject arbitrary JavaScript payloads into the authentication endpoint, which are reflected back in the response, enabling...

6.1CVSS0.00202EPSS
Exploits0References1
CNNVD
CNNVD
added 2025/10/12 12:0 a.m.5 views

HCL Unica Platform 安全漏洞

HCL Unica Platform is a state-of-the-art enterprise automated marketing platform from HCL India. It handles routine marketing tasks and captures the most effective leads without the need for manual intervention. HCL Unica Platform suffers from a security vulnerability that stems from cookies not...

4.3CVSS6.7AI score0.00129EPSS
Exploits0References1
Rows per page
Query Builder