EUVD-2026-38687

The Image Sizes on Demand plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHPSELF Server Variable in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary...

EUVD-2026-38671

The EntreDroppers plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHPSELF Parameter in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts...

WordPress Email Newsletter - Reflected XSS

WordPress Email Newsletter plugin through 1.1 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires attacker to cra...

Contact Form 7 Math Captcha <= 2.0.1 - Cross-site Scripting

The Contact Form 7 Math Captcha WordPress plugin through 2.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users. id: CVE-2024-6517 info: name: Contact Form 7 Math Captcha =...

Wordpress Multiple Themes - Reflected Cross-Site Scripting

All of the above Aapna WordPress theme through 1.3, Anand WordPress theme through 1.2, Anfaust WordPress theme through 1.1, Arendelle WordPress theme before 1.1.13, Atlast Business WordPress theme through 1.5.8.5, Bazaar Lite WordPress theme before 1.8.6, Brain Power WordPress theme through 1.2,...

Mara CMS 7.5 - Cross-Site Scripting

Mara CMS 7.5 allows reflected cross-site scripting in contact.php via the theme or pagetheme parameters. id: CVE-2020-24223 info: name: Mara CMS 7.5 - Cross-Site Scripting author: pikpikcu severity: medium description: Mara CMS 7.5 allows reflected cross-site scripting in contact.php via the them...

Resourcespace - Cross-Site Scripting

ResourceSpace before 9.6 rev 18290 is affected by a reflected cross-site scripting vulnerability in plugins/wordpresssso/pages/index.php via the wordpressuser parameter. id: CVE-2021-41951 info: name: Resourcespace - Cross-Site Scripting author: coldfish severity: medium description: ResourceSpac...

Simple Certain Time to Show Content - Cross-Site Scripting

Simple Certain Time to Show Content WordPress plugin 1.3.1 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute arbitrary scripts in the context of high privilege users such as admin, explo...

GP Premium <= 2.4.0 - Cross-Site Scripting

The GP Premium plugin for WordPress up to 2.4.0 is vulnerable to reflected XSS via the 'message' parameter in inc/verify.php lines 95-101, where a message passed with slactivation=false is URL-decoded and used unsanitized in addsettingserror, allowing XSS payloads to be reflected in admin notices...

Journyx 11.5.4 - Reflected Cross Site Scripting

Attackers can craft a malicious link that once clicked will execute arbitrary JavaScript in the context of the Journyx web application. id: CVE-2024-6892 info: name: Journyx 11.5.4 - Reflected Cross Site Scripting author: DhiyaneshDk severity: medium description: | Attackers can craft a malicious...

CrafterCMS Engine - Cross-Site Scripting

CrafterCMS Engine is vulnerable to reflected cross-site scripting XSS via the transformerName parameter in the /api/1/site/url/transform endpoint, allowing attackers to execute arbitrary JavaScript in the context of the user. id: CVE-2023-4136 info: name: CrafterCMS Engine - Cross-Site Scripting...

PAN-OS - Reflected Cross-Site Scripting

A reflected cross-site scripting XSS vulnerability in the GlobalProtect™ gateway and portal features of Palo Alto Networks PAN-OS® software enables execution of malicious JavaScript in the context of an authenticated Captive Portal user's browser when they click on a specially crafted link.The...

JoomlaUX JUX Real Estate 3.4.0 - Reflected XSS

A vulnerability was found in JoomlaUX JUX Real Estate 3.4.0 on Joomla. It has been classified as problematic. Affected is an unknown function of the file /extensions/realestate/index.php/properties/list/list-with-sidebar/realties. The manipulation of the argument Itemid/jpyearbuilt leads to cross...

iBuildApp <= 0.2.0 - Reflected Cross-Site Scripting

iBuildApp WordPress plugin through 0.2.0 contains a reflected cross-site scripting caused by unsanitized parameter output in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires attacker to craft a malicious URL. id: CVE-2024-13326 info:...

CVE-2026-54303

n8n is an open source workflow automation platform. Prior to 2.24.0, an endpoint in the Meta and Microsoft Teams trigger nodes reflects a query parameter into the HTTP response without sanitization or Content-Security-Policy headers, enabling reflected XSS in the n8n origin when a logged-in user...

CVE-2026-54303

Summary of CVE-2026-54303 (n8n): An endpoint in the Meta and Microsoft Teams trigger nodes reflects a query parameter into the HTTP response without sanitization or CSP headers, enabling reflected XSS in the n8n origin when a logged-in user visits a crafted URL. Affected component: n8n trigger no...

CVE-2026-11772 Reflected XSS in DRIMO CMS

DRIMO CMS is vulnerable to Reflected XSS via q parameter in searching functionality. An attacker can prepare an URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. Product is in End Of Life phase and will not receive any updates. However, deleting info.php fi...

CVE-2026-10857

Improper neutralization of input during web page generation 'cross-site scripting' vulnerability in AKIN Software Computer Import Export Industry and Trade Ltd. E-Commerce allows Reflected XSS. This issue affects e-Commerce: before 1.25.01.06...

CVE-2026-12137 SysBasics Customize My Account for WooCommerce <= 4.3.6 - Reflected Cross-Site Scripting via 'tab' Parameter

The SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 4.3.6 due to insufficient input sanitization and output escaping. Thi...

CVE-2026-54386

marimo before 0.23.9 contains a reflected cross-site scripting vulnerability in the notebook page that allows unauthenticated attackers to inject arbitrary JavaScript by exploiting improper escaping of single quotes in the file query parameter reflected into an inline JavaScript string literal...