932 matches found
PT-2026-45703
The hiWeb Migration Simple plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'new domain' parameter in all versions up to, and including, 2.0.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVE-2026-42681
CVE-2026-42681 affects the WordPress plugin e2pdf (versions up to 1.32.14). The issue is a Reflected XSS due to improper neutralization during web page generation, enabling cross-site scripting. CVSSv3.1 base score 7.1 (HIGH) with Network attack vector, Low confidentiality/integrity/availability ...
WordPress Enfold theme <= 7.1.4 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting XSS vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme Enfold versions = 7.1.4...
EUVD-2026-33547
An improper neutralization of user-controllable input in OTRS or OTRS Community Edition ticket handling allows authenticated attackers to perform reflected cross-site scripting XSS attacks via crafted request parameters associated with ticket actions. By injecting malicious JavaScript into...
CVE-2026-9646 ScadaBR Unauthenticated Reflected Cross-Site Scripting
A reflected cross-site scripting issue exists in URL handling...
CVE-2024-47097 Reflected Cross-Site Scripting in Follet School Solutions Destiny
Cross Site Scripting vulnerability in Follet School Solutions Destiny before v22.0.1 AU1 allows a remote attacker to run arbitrary client-side code via the site parameter of handleloginform.do...
CVE-2024-47097 Reflected Cross-Site Scripting in Follet School Solutions Destiny
Cross Site Scripting vulnerability in Follet School Solutions Destiny before v22.0.1 AU1 allows a remote attacker to run arbitrary client-side code via the site parameter of handleloginform.do...
CVE-2025-22741
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in RiceTheme Felan Framework allows Reflected XSS. This issue affects Felan Framework: from n/a through 1.1.3...
CVE-2026-8707 NS Product icon badge <= 1.2.4 - Reflected Cross-Site Scripting via PHP_SELF
The NS Product icon badge plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHPSELF in all versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts i...
CVE-2026-6864 CBX 5 Star Rating & Review <= 1.0.7 - Reflected Cross-Site Scripting via 'page' Parameter
The CBX 5 Star Rating & Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVE-2026-48230
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ticketsmdbimport.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the multiple POST parameters mdbhost, mdbdb, mdbuser, mdbpassword, mdbprefix,...
CVE-2026-48230 Open ISES Tickets < 3.44.2 Reflected XSS via ticketsmdb_import.php Multiple POST Parameters
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ticketsmdbimport.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the multiple POST parameters mdbhost, mdbdb, mdbuser, mdbpassword, mdbprefix,...
CVE-2026-48219
Open ISES Tickets prior to 3.44.2 has a reflected cross-site scripting flaw in ics202.php, where an unsanitized frm_add_str POST value is echoed into a hidden input, enabling an authenticated attacker to inject JavaScript in the response. Affected version range is before 3.44.2; patch/upgrade to ...
CVE-2026-48213
Open ISES Tickets prior to 3.44.2 has a reflected XSS in add.php via the ticket_id POST parameter, injecting unsanitized values into an HTML form input value attribute. Authenticated attackers can craft a request to execute JavaScript in the victim’s browser when the response renders. The issue i...
PT-2026-42503
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in landb.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the type POST parameter directly into an HTML form hidden input value attribute. Attacker...
CVE-2026-35010
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patientJF.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticketid GET parameter directly into a JavaScript variable assignment. Attackers...
CVE-2026-35013
Open ISES Tickets prior to 3.44.2 is affected by a reflected XSS in street_view.php. The vulnerability lets authenticated attackers inject arbitrary JavaScript by passing unsanitized values in thelat and thelng GET parameters, which get embedded into JavaScript variable assignments and executed i...
CVE-2026-35012
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in addfacnote.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticketid GET parameter directly into a hidden input field VALUE attribute...
CVE-2026-35009
Open ISES Tickets prior to 3.44.2 is affected by a reflected XSS in add_note.php via the ticket_id GET parameter. An attacker who is authenticated can craft a URL containing a JavaScript payload in ticket_id, which is then injected into a hidden input VALUE attribute and can execute in the victim...
CVE-2026-35007
Open ISES Tickets