CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSV•added 2026/05/14 6:27 p.m.•2 views

GHSA-5F64-7VFC-RCX6 Apostrophe has stored XSS via javascript: URL in Image Widget Link

Summary A stored cross-site scripting vulnerability was identified in the image widget functionality. A user with the Editor role can configure an image widget link to use a javascript: URL payload. Because editors have permission to publish pages, the malicious widget can be published to the liv...

7.3CVSS5.8AI score

Github Security Blog•added 2026/05/14 6:27 p.m.•4 views

Apostrophe has stored XSS via javascript: URL in Image Widget Link

5.8AI score

Exploits0References3Affected Software1

Snyk•added 2026/05/14 6:27 p.m.•8 views

Improper Encoding or Escaping of Output

Overview apostrophe is a content management system CMS for Node.js. It supports in-context editing, schema-driven content types, flexible widgets and a great deal more. This module contains everything necessary to build a website with ApostropheCMS. Affected versions of this package are vulnerabl...

5.4CVSS6.1AI score

Patchstack•added 2026/05/14 6:27 p.m.•7 views

NPM: Apostrophe has stored XSS via javascript: URL in Image Widget Link

NPM: Apostrophe has stored XSS via javascript: URL in Image Widget Link vulnerability discovered by ? in WordPress Npm apostrophe versions 4.29.0...

5.8AI score

Exploits0References3Affected Software1

Snyk•added 2026/05/14 6:27 p.m.•7 views

Improper Encoding or Escaping of Output

Overview sanitize-html is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the linkHref field handling. An...

5.4CVSS6.1AI score

Snyk•added 2026/05/14 6:26 p.m.•7 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the xmp raw-text passthrough. An attacker can execute arbitrary JavaScript in the browser of another user by submitting specially crafted HTML content that is sanitized and then rendered as trusted output...

6.1CVSS5.8AI score

Exploits0References2

NVD•added 2026/05/14 3:16 p.m.•6 views

CVE-2026-44371

Open OnDemand is an open-source high-performance computing portal. Prior to 4.0.11, 4.1.5, and 4.2.2, specially crafted filenames can execute javascript in the file browser This vulnerability is fixed in 4.0.11, 4.1.5, and 4.2.2...

5.3CVSS0.00062EPSS

ATTACKERKB•added 2026/05/14 3:2 p.m.•4 views

CVE-2026-44371

Exploits0References2Affected Software1

EUVD•added 2026/05/14 3:2 p.m.•5 views

EUVD-2026-30306

Vulnrichment•added 2026/05/14 3:2 p.m.•6 views

CVE-2026-44371 Open OnDemand: Specially crafted filenames can execute javascript in the file browser

Cvelist•added 2026/05/14 3:2 p.m.•34 views

CVE-2026-44371 Open OnDemand: Specially crafted filenames can execute javascript in the file browser

5.3CVSS0.00062EPSS

CVE•added 2026/05/14 3:2 p.m.•5 views

CVE-2026-44371

Open OnDemand (HPC portal) is affected prior to versions 4.0.11, 4.1.5, and 4.2.2. The issue allows specially crafted filenames to execute JavaScript in the file browser. The vulnerability is fixed in 4.0.11, 4.1.5, and 4.2.2. Impact is web/application-level, with JavaScript execution in the file...

NVD•added 2026/05/14 2:16 p.m.•4 views

CVE-2026-1630

WEBCON BPS is vulnerable to Reflected XSS via one of parameters used by "/openinmobileapp" endpoint. An attacker can send a specially crafted URL that, when opened by an authenticated user, results in arbitrary JavaScript execution in the victim's browser. This issue was fixed in versions...

5.1CVSS0.00088EPSS