
5935 matches found

Positive Technologies
added 2026/02/10 12:0 a.m. | 5 views

PT-2026-7224

SAP BusinessObjects Enterprise does not sufficiently encode user-controlled inputs, leading to Stored Cross-Site Scripting (XSS) vulnerability. This enables an admin user to inject malicious JavaScript into a website and the injected script gets executed when the user visits the compromised page. Th...

CVSS 4.8 | AI score 5.5 | EPSS 0.00185
Exploits: 0 | References: 3
Snyk
added 2026/02/09 8:35 p.m. | 3 views

Cross-site Scripting (XSS)

Overview: craftcms/cms is a content management system. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the Entry Type Name field in the settings page. An attacker can execute arbitrary JavaScript code in the context of the admin panel by submitting specially crafte...

CVSS 4.8 | AI score 5.7 | EPSS 0.0031
Exploits: 1 | References: 2
Positive Technologies
added 2026/02/09 12:0 a.m. | 10 views

PT-2026-7180

Name of the Vulnerable Software and Affected Versions: vscode-spell-checker versions prior to 4.5.4. Description: The vscode-spell-checker extension is susceptible to a workspace-trust bypass that can lead to code execution. The DocumentSettings.determineIsTrusted function incorrectly relies on the...

CVSS 7.8 | AI score 6.2 | EPSS 0.00126
Exploits: 0 | References: 12
Cvelist
added 2026/02/09 12:0 a.m. | 30 views

CVE-2025-63354

Hitron HI3120 v7.2.4.5.2b1 allows stored XSS via the Parental Control option when creating a new filter. The device fails to properly handle inputs, allowing an attacker to inject and execute JavaScript...

EPSS 0.00151
Exploits: 0 | References: 1
RedhatCVE
added 2026/02/07 7:31 p.m. | 5 views

CVE-2026-24903

OrcaStatLLM Researcher is an LLM Based Research Paper Generator. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Log Message in the Session Page in OrcaStatLLM-Researcher that allows attackers to inject and execute arbitrary JavaScript code in victims' browsers through...

CVSS 5.4 | AI score 5.8 | EPSS 0.00163
Exploits: 1 | References: 1
ATTACKERKB
added 2026/02/06 7:3 p.m. | 5 views

CVE-2026-25647

Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier as used in SiYuan before has a Stored Cross-Site Scripting (XSS) vulnerability in the Markdown rendering engine. An attacker can inject malicious JavaScript into a Markdown text/note. When another user clicks...

CVSS 4.6 | AI score 5.5 | EPSS 0.00204
Exploits: 1 | References: 3 | Affected Software: 1
NVD
added 2026/02/06 6:15 p.m. | 5 views

CVE-2026-24903

OrcaStatLLM Researcher is an LLM Based Research Paper Generator. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Log Message in the Session Page in OrcaStatLLM-Researcher that allows attackers to inject and execute arbitrary JavaScript code in victims' browsers through...

CVSS 5.4 | EPSS 0.00163
Exploits: 1 | References: 1
OSV
added 2026/02/06 5:46 p.m. | 2 views

CVE-2026-24903 OrcaStatLLM Researcher Stored Cross-Site Scripting (XSS) via Log Message Injection in Session Page

OrcaStatLLM Researcher is an LLM Based Research Paper Generator. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Log Message in the Session Page in OrcaStatLLM-Researcher that allows attackers to inject and execute arbitrary JavaScript code in victims' browsers through...

CVSS 5.3 | AI score 6 | EPSS 0.00163
Exploits: 1 | References: 3
Cvelist
added 2026/02/06 5:46 p.m. | 26 views

CVE-2026-24903 OrcaStatLLM Researcher Stored Cross-Site Scripting (XSS) via Log Message Injection in Session Page

OrcaStatLLM Researcher is an LLM Based Research Paper Generator. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Log Message in the Session Page in OrcaStatLLM-Researcher that allows attackers to inject and execute arbitrary JavaScript code in victims' browsers through...

CVSS 5.3 | EPSS 0.00163
Exploits: 1 | References: 1
EUVD
added 2026/02/06 5:46 p.m. | 6 views

EUVD-2026-5643

OrcaStatLLM Researcher is an LLM Based Research Paper Generator. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Log Message in the Session Page in OrcaStatLLM-Researcher that allows attackers to inject and execute arbitrary JavaScript code in victims' browsers through...

CVSS 5.3 | AI score 5.8 | EPSS 0.00163
Exploits: 1 | References: 1
Vulnrichment
added 2026/02/06 4:41 p.m. | 4 views

CVE-2019-25294 html5_snmp 1.11 - 'Remark' Persistent Cross-Site Scripting

html5_snmp 1.11 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through the 'Remark' parameter in add_router_operation.php. Attackers can craft a POST request with a script payload in the Remark field to execute arbitrary JavaScript in victi...

CVSS 6.4 | AI score 5.4 | EPSS 0.00203
Exploits: 1 | References: 3
EUVD
added 2026/02/06 4:41 p.m. | 6 views

EUVD-2019-19404

html5_snmp 1.11 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through the 'Remark' parameter in add_router_operation.php. Attackers can craft a POST request with a script payload in the Remark field to execute arbitrary JavaScript in victi...

CVSS 6.4 | AI score 5.4 | EPSS 0.00203
Exploits: 1 | References: 3
CVE
added 2026/02/06 4:41 p.m. | 8 views

CVE-2019-25294

The vulnerability (CVE-2019-25294) affects html5_snmp 1.11. A persistent cross-site scripting flaw exists in add_router_operation.php via the Remark parameter. An attacker can send a crafted POST request containing a script payload in Remark, causing arbitrary JavaScript to execute in a victim’s ...

CVSS 6.4 | AI score 5.4 | EPSS 0.00203
Exploits: 1 | References: 3 | Affected Software: 1
EUVD
added 2026/02/06 3:52 p.m. | 5 views

EUVD-2025-206888

Mattermost Confluence plugin version 1.7.0 fails to properly escape user-controlled display names in HTML template rendering which allows authenticated Confluence users with malicious display names to execute arbitrary JavaScript in victim browsers via sending a specially crafted OAuth2 connectio...

CVSS 7.7 | AI score 5.7 | EPSS 0.00189
Exploits: 0 | References: 1
Veracode
added 2026/02/06 10:13 a.m. | 7 views

Reflected DOM-based Cross-Site Scripting (XSS)

gi-docgen is vulnerable to a reflected DOM-based Cross-Site Scripting (XSS). The vulnerability is due to improper sanitization of user-supplied input in the q GET parameter, which allows an attacker to exploit it via a crafted URL to execute arbitrary JavaScript in the victim’s browser...

CVSS 6.1 | AI score 5.9 | EPSS 0.00337
Exploits: 0 | References: 5 | Affected Software: 1
OSV
added 2026/02/06 7:16 a.m. | 2 views

CVE-2026-0521

A reflected cross-site scripting (XSS) vulnerability in the PDF export functionality of the TYDAC AG MAP+ solution allows unauthenticated attackers to craft a malicious URL, that if visited by a victim, will execute arbitrary JavaScript in the victim's context. Such a URL could be delivered through...

CVSS 6.1 | AI score 5.9 | EPSS 0.00263
Exploits: 1 | References: 2
Vulnrichment
added 2026/02/06 6:17 a.m. | 4 views

CVE-2026-0521 Reflected Cross-Site Scripting in PDF Export Error Message

A reflected cross-site scripting (XSS) vulnerability in the PDF export functionality of the TYDAC AG MAP+ solution allows unauthenticated attackers to craft a malicious URL, that if visited by a victim, will execute arbitrary JavaScript in the victim's context. Such a URL could be delivered through...

CVSS 7.1 | AI score 5.4 | EPSS 0.00263
Exploits: 1 | References: 2
CVE
added 2026/02/06 6:17 a.m. | 10 views

CVE-2026-0521

CVE-2026-0521 is a reflected XSS in TYDAC AG MAP+ PDF export. Affects MAP+ 3.4.0; an unauthenticated attacker can craft a malicious URL that, when visited by a victim, executes arbitrary JavaScript in the victim’s context. Verified in MAP+: 3.4.0. Remediation: there is no confirmed fixed version ...

CVSS 7.1 | AI score 5.4 | EPSS 0.00263
Exploits: 1 | References: 2 | Affected Software: 1
RedhatCVE
added 2026/02/06 1:26 a.m. | 17 views

CVE-2025-70791

Cross Site Scripting vulnerability in the "/admin/order/abandoned" endpoint of Microweber 2.0.19. An attacker can manipulate the "orderDirection" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. The iss...

CVSS 6.1 | AI score 6 | EPSS 0.0027
Exploits: 1 | References: 1
RedhatCVE
added 2026/02/06 1:26 a.m. | 6 views

CVE-2025-70792

Cross Site Scripting vulnerability in the "/admin/category/create" endpoint of Microweber 2.0.19. An attacker can manipulate the "relid" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. The issue was...

CVSS 6.1 | AI score 6 | EPSS 0.0027
Exploits: 1 | References: 1