Lucene search
K

5117 matches found

NVD
NVD
added 2026/06/24 7:17 p.m.8 views

CVE-2026-53950

@tryghost/activitypub is Ghost’s social/federation client app. Prior to 3.1.0, the ActivityPub client in Ghost was vulnerable to JavaScript injection on posts shared by a maliciously customised ActivityPub server. This vulnerability is fixed in 3.1.0...

7.5CVSS0.00204EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/24 12:0 a.m.8 views

PT-2026-52074

Name of the Vulnerable Software and Affected Versions @tryghost/activitypub versions prior to 3.1.0 Description The ActivityPub client in Ghost is susceptible to JavaScript injection. This occurs when the client processes posts shared by a maliciously customized ActivityPub server, allowing the...

7.5CVSS6.1AI score0.00204EPSS
Exploits0References5
NVD
NVD
added 2026/06/23 5:17 p.m.8 views

CVE-2026-54302

n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, an authenticated user with workflow edit access could inject arbitrary JavaScript into the Chat Trigger's generated page by setting a malicious webhookId. When a logged-in user visited the chat URL, the...

7CVSS0.0021EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/23 3:46 p.m.7 views

EUVD-2026-38477

n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, an authenticated user with workflow edit access could inject arbitrary JavaScript into the Chat Trigger's generated page by setting a malicious webhookId. When a logged-in user visited the chat URL, the...

7CVSS6AI score0.0021EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.11 views

PT-2026-51608

Name of the Vulnerable Software and Affected Versions FlatPress versions prior to commit 10be83c Description A stored cross-site scripting issue exists in comment and contact forms. The name, URL, and email fields are rendered without proper output encoding in Smarty templates. This allows...

8.4CVSS5.9AI score0.00243EPSS
Exploits0References7
CVE
CVE
added 2026/06/22 2:13 p.m.10 views

CVE-2026-8059

CVE-2026-8059 affects IBM Datacap (versions 9.1.7–9.1.9) and IBM Datacap Navigator (9.1.7–9.1.9). It is a cross-site scripting vulnerability that allows an unauthenticated attacker to embed arbitrary JavaScript in the Web UI, potentially altering functionality and leading to credentials disclosur...

6.1CVSS5.5AI score0.00169EPSS
Exploits0References1Affected Software2
EUVD
EUVD
added 2026/06/22 9:26 a.m.10 views

EUVD-2026-38222

EasyFlow .NET developed by Digiwin has a Stored Cross-Site Scripting vulnerability, allowing authenticated remote attackers to inject persistent JavaScript code executed in users' browsers upon page load...

5.4CVSS6AI score0.00168EPSS
Exploits0References2
NVD
NVD
added 2026/06/21 2:16 p.m.12 views

CVE-2026-56383

Craft CMS contains a stored cross-site scripting XSS vulnerability in the editableTable.twig component when using the 'Row Heading' column type. The application fails to sanitize input within row heading default values, allowing an attacker with an administrator account with allowAdminChanges...

4.8CVSS0.00177EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/06/21 1:27 p.m.6 views

CVE-2026-56395

SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...

9.6CVSS6.7AI score0.00391EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/21 1:26 p.m.6 views

EUVD-2026-38175

Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field that executes when other...

4.8CVSS5.8AI score0.00148EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/21 12:0 a.m.24 views

PT-2026-51229

Name of the Vulnerable Software and Affected Versions Craft CMS versions 5.0.0-RC1 and later Description A stored cross-site scripting issue exists in the User Permissions page. The software fails to properly perform HTML escaping when rendering user group names. This allows attackers with...

4.8CVSS5.8AI score0.00148EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/06/19 9:15 p.m.6 views

Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJs

Overview Craft CMS is vulnerable to Server-Side Request Forgery SSRF and Arbitrary JavaScript Injection through the /actions/app/resource-js endpoint. By exploiting the default permissive trustedHosts configuration, an attacker can poison the Host or X-Forwarded-Host header to manipulate the...

6.9CVSS6.1AI score0.0033EPSS
Exploits0References3Affected Software1
AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.3 views

Astra Linux – Vulnerability in Zabbix

A authenticated user can create a link containing reflected JavaScript code for a graph page and send it to other users. The payload can only be executed with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the sa...

4.4CVSS5.8AI score0.00779EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.16 views

PT-2026-51113

Name of the Vulnerable Software and Affected Versions Craft CMS versions 4.0.0-RC1 through 4.17.9 Craft CMS versions 5.0.0-RC1 through 5.9.9 Description Craft CMS is subject to Server-Side Request Forgery SSRF and Arbitrary JavaScript Injection via the '/actions/app/resource-js' endpoint. The iss...

9.2CVSS6AI score0.0033EPSS
Exploits0References8
EUVD
EUVD
added 2026/06/18 12:56 p.m.8 views

EUVD-2026-37882

UBB.threads is vulnerable to Stored XSS via user posts and user profile fields. The application fails to properly sanitize user input, allowing low privileged attackers to inject arbitrary JavaScript that executes in a victim's browser upon viewing. Because vendor contact attempts were...

5.1CVSS5.3AI score0.00293EPSS
Exploits0References2
CVE
CVE
added 2026/06/18 10:58 a.m.15 views

CVE-2026-40457

The CVE-2026-40457 entry describes a Reflected XSS in LMS (LAN Management System) prior to commit 9c5651b in the dbrecover.php and netremap.php modules, where unsanitized GET parameters are embedded into HTML output. This enables an attacker to inject arbitrary JavaScript when an authenticated us...

2.1CVSS5.3AI score0.00318EPSS
Exploits0References3
NVD
NVD
added 2026/06/17 8:17 p.m.13 views

CVE-2026-48823

Shaarli is a personal bookmarking service. Versions 0.16.1 and prior contain a stored Cross-Site Scripting XSS vulnerability in the tag filtering functionality of Shaarli. An authenticated user can inject arbitrary JavaScript into the tags field when creating a bookmark Shaare. The malicious...

4.8CVSS0.00115EPSS
Exploits0References2
CVE
CVE
added 2026/06/17 8:6 p.m.13 views

CVE-2026-48823

Technical details are not publicly available in the provided documents. Monitor for updates from Shaarli advisories and releases.

4.8CVSS5.4AI score0.00115EPSS
Exploits0References2
NVD
NVD
added 2026/06/17 1:20 p.m.8 views

CVE-2026-27870

An attacker with access via network to the Regesta Smart HD-PLC of the provider Teldat in this case, registration action IS required who has the vulnerable software could, introduce arbitrary JavaScript by injecting a Cross-site Scripting XSS payload into the 'Hostname' field of the configuration...

4.8CVSS0.00293EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/06/17 8:13 a.m.5 views

CVE-2026-27870 CROSS-SITE SCRIPTING (XSS) VIA MALICIOUS FILE UPLOAD ON REGESTA SMART HD-PLC OF TELDAT

An attacker with access via network to the Regesta Smart HD-PLC of the provider Teldat in this case, registration action IS required who has the vulnerable software could, introduce arbitrary JavaScript by injecting a Cross-site Scripting XSS payload into the 'Hostname' field of the configuration...

4.8CVSS5.4AI score0.00293EPSS
Exploits0References5
Rows per page
Query Builder