CVE-2021-47808

Cotonti Siena 0.9.19 contains a stored cross-site scripting vulnerability in the admin configuration panel's site title parameter. Attackers can inject malicious JavaScript code through the 'maintitle' parameter to execute scripts when administrators view the page...

CVE-2021-47779

Dolibarr ERP-CRM 14.0.2 contains a stored cross-site scripting vulnerability in the ticket creation module that allows low-privilege users to inject malicious scripts. Attackers can craft a specially designed ticket message with embedded JavaScript that triggers when an administrator copies the...

CVE-2021-47808

Cotonti Siena 0.9.19 contains a stored cross-site scripting vulnerability in the admin configuration panel's site title parameter. Attackers can inject malicious JavaScript code through the 'maintitle' parameter to execute scripts when administrators view the page...

svelte vulnerable to Cross-site Scripting

Summary An XSS vulnerability exists in Svelte 5.46.0-2 resulting from improper escaping of hydratable keys. If these keys incorporate untrusted user input, arbitrary JavaScript can be injected into server-rendered HTML. Details When using the hydratable function, the first argument is used as a k...

GHSA-6738-R8G5-QWP3 svelte vulnerable to Cross-site Scripting

Summary An XSS vulnerability exists in Svelte 5.46.0-2 resulting from improper escaping of hydratable keys. If these keys incorporate untrusted user input, arbitrary JavaScript can be injected into server-rendered HTML. Details When using the hydratable function, the first argument is used as a k...

CVE-2025-13859

The AffiliateX – Amazon Affiliate Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the savecustomizationsettings AJAX action in versions 1.0.0 to 1.3.9.3. This makes it possible for authenticated attackers, with Subscriber-level...

EUVD-2026-2807

The AffiliateX – Amazon Affiliate Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the savecustomizationsettings AJAX action in versions 1.0.0 to 1.3.9.3. This makes it possible for authenticated attackers, with Subscriber-level...

CVE-2026-22637

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority...

PT-2026-3004

Name of the Vulnerable Software and Affected Versions AffiliateX – Amazon Affiliate Plugin versions 1.0.0 through 1.3.9.3 Description The AffiliateX – Amazon Affiliate Plugin for WordPress is susceptible to unauthorized data modification because of a missing capability check on the save...

Cross-site Scripting (XSS)

React Router is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper handling of untrusted input in the meta / APIs during server-side rendering, which allows an attacker to inject malicious script content into generated script:ld+json tags and execute arbitrary JavaScript...

opencode 安全漏洞

opencode is an AI programming intelligence open-sourced by Anomaly. A security vulnerability exists in versions prior to opencode 1.1.10, which stems from the Markdown renderer not cleaning up the LLM response, and could lead to the execution of JavaScript via HTML injection...

Label Studio 访问控制错误漏洞

Label Studio is an open source data labeling tool from Heartex Open Source. Allows you to use a simple and clear UI mark audio, text, images, video and time series and other data types , and exported to a variety of model formats. An access control error vulnerability exists in Label Studio 1.22....

CVE-2023-45889

A Universal Cross Site Scripting UXSS vulnerability in ClassLink OneClick Extension through 10.8 allows remote attackers to inject JavaScript into any webpage. NOTE: this issue exists because of an incomplete fix for CVE-2022-48612...

CVE-2023-4757

The Staff / Employee Business Directory for Active Directory WordPress plugin before 1.2.3 does not sanitize and escape data returned from the LDAP server before rendering it in the page, allowing users who can control their entries in the LDAP directory to inject malicious javascript which could...

CVE-2021-27529

A cross-site scripting XSS vulnerability in DynPG version 4.9.2 allows remote attackers to inject JavaScript via the "limit" parameter...

CVE-2021-27530

A cross-site scripting XSS vulnerability in DynPG version 4.9.2 allow remote attacker to inject javascript via URI in /index.php...

CVE-2021-27527

A cross-site scripting XSS vulnerability in DynPG version 4.9.2 allows remote attackers to inject JavaScript via the "valueID" parameter...

CVE-2021-33425

A stored cross-site scripting XSS vulnerability was discovered in the Web Interface for OpenWRT LuCI version 19.07 which allows attackers to inject arbitrary Javascript in the OpenWRT Hostname via the Hostname Change operation...

CVE-2021-31930

Persistent cross-site scripting XSS in the web interface of Concerto through 2.3.6 allows an unauthenticated remote attacker to introduce arbitrary JavaScript by injecting an XSS payload into the First Name or Last Name parameter upon registration. When a privileged user attempts to delete the...

CVE-2022-23008

On NGINX Controller API Management versions 3.18.0-3.19.0, an authenticated attacker with access to the "user" or "admin" role can use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is executed on managed NGINX data plane instances. Note: Software...