Lucene search
K

176 matches found

Nuclei
Nuclei
added yesterday15 views

WSO2 - Server Side Request Forgery

WSO2 products contain SSRF and reflected XSS vulnerabilities in the deprecated Try-It feature accessible only to administrative users, caused by improper URL validation and direct content reflection, letting attackers trick admins into executing arbitrary JavaScript and querying internal services...

5.9CVSS6.2AI score0.00583EPSS
Exploits0References1
Nuclei
Nuclei
added yesterday10 views

AffiliateImporterEb <= 1.0.6 - Reflected XSS

AffiliateImporterEb WordPress plugin through 1.0.6 contains a reflected XSS caused by unsanitized and unescaped parameter output, letting attackers execute scripts against high privilege users such as admin, exploit requires crafted request. id: CVE-2024-12732 info: name: AffiliateImporterEb =...

6.1CVSS6.1AI score0.00521EPSS
Exploits1References1
Nuclei
Nuclei
added yesterday36 views

Podcast Channels < 0.28 - Cross-Site Scripting

The Podcast Channels WordPress plugin was affected by an unauthenticated reflected cross-site scripting security vulnerability. id: CVE-2014-4544 info: name: Podcast Channels 0.28 - Cross-Site Scripting author: daffainfo severity: medium description: The Podcast Channels WordPress plugin was...

6.1CVSS6.4AI score0.03779EPSS
Exploits1References4
Cvelist
Cvelist
added 4 days ago32 views

CVE-2026-29519 Lucee CFML Server Reflected XSS via URL Path Parsing

Lucee CFML Server versions across the 5.3.x, 6.1.x, 6.2.x, and 7.0.x release lines contain a reflected cross-site scripting vulnerability in URL path parsing that allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by embedding HTML or JavaScript payloads...

8.2CVSS0.00386EPSS
Exploits1References2
Cvelist
Cvelist
added 4 days ago30 views

CVE-2026-15297 Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue) <= 3.1.77 - Reflected Cross-Site Scripting

The Newsletter, SMTP, Email marketing and Subscribe forms by Brevo formely Sendinblue plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the page parameter in all versions up to, and including, 3.1.77 due to insufficient input sanitization and output escaping. This makes it...

6.1CVSS0.00256EPSS
Exploits0References3
CVE
CVE
added 6 days ago9 views

CVE-2026-58191

Appium base-driver before 10.7.0 unconditionally mounts /test/guinea-pig, /test/guinea-pig-scrollable, and /test/guinea-pig-app-banner routes, and compileLodashTemplate reflects throwError, comments field, and User-Agent header into HTML without escaping. This enables reflected XSS and arbitrary ...

6.5CVSS6.1AI score0.00285EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/07/02 7:37 p.m.8 views

CVE-2025-71385

Netdata before 2.3.1 reflects the user-supplied love query parameter of the api/v2/ilove.svg and api/v3/ilove.svg endpoints verbatim into the generated SVG document into a text element without HTML or XML escaping, and serves the response with Content-Type image/svg+xml. An attacker can craft a U...

6.1CVSS5.7AI score0.0024EPSS
Exploits0References5
Debian CVE
Debian CVE
added 2026/07/02 7:37 p.m.7 views

CVE-2025-71385

Netdata before 2.3.1 reflects the user-supplied love query parameter of the api/v2/ilove.svg and api/v3/ilove.svg endpoints verbatim into the generated SVG document into a text element without HTML or XML escaping, and serves the response with Content-Type image/svg+xml. An attacker can craft a U...

6.1CVSS5.9AI score0.0024EPSS
Exploits0
Cvelist
Cvelist
added 2026/06/24 10:37 p.m.24 views

CVE-2026-39900 Cacti: Reflected XSS via tab parameter in auth_profile.php JavaScript context

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Reflected XSS via tab parameter in the authprofile.php JavaScript context. This issue has been fixed in version 1.2.31...

5.3CVSS0.00155EPSS
Exploits0References2
CVE
CVE
added 2026/06/23 6:0 a.m.17 views

CVE-2026-8172

The CVE-2026-8172 entry concerns the WordPress plugin Simple Basic Contact Form (through 20250114). The issue is a Reflected Cross-Site Scripting vulnerability caused by not escaping user-supplied input before reflecting it in the contact form output on validation errors. Impact described: unauth...

7.1CVSS5.7AI score0.00156EPSS
Exploits0References1
CVE
CVE
added 2026/06/18 12:56 p.m.20 views

CVE-2026-54221

UBB.threads is affected by a Reflected XSS vulnerability (CVE-2026-54221). The issue is confirmed in version 7.7.5 and may affect other versions. The vulnerability allows an attacker to execute arbitrary JavaScript in a victim’s browser when the user clicks a crafted link, with user interaction r...

5.1CVSS5.8AI score0.00293EPSS
Exploits0References2
NVD
NVD
added 2026/06/18 8:16 a.m.11 views

CVE-2026-12137

The SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 4.3.6 due to insufficient input sanitization and output escaping. Thi...

6.1CVSS0.00211EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/05 7:24 p.m.11 views

CVE-2026-8245

Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML attribute injection. Concrete\Core\Legacy\Pagination builds pagination links by raw-interpolating its $URL field into href="" . Any authenticated admin or report viewer with access to...

6CVSS5.5AI score0.00139EPSS
Exploits0References1
OSV
OSV
added 2026/06/05 5:38 a.m.6 views

BIT-AUTHENTIK-2026-42849 authentik: Reflected XSS in SFE AutosubmitStage allows IDP account takeover

authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE Simple Flow Executor in order to make the interface more compatible with legacy browsers, it was possible to use an XSS exploit in the AutosubmitStage. This issu...

9.3CVSS5.3AI score0.00355EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/01 12:0 a.m.26 views

PT-2026-45439

Name of the Vulnerable Software and Affected Versions LearnPress versions prior to 4.3.6 Description Improper neutralization of input during web page generation allows for Reflected Cross-Site Scripting XSS, a flaw where an application includes untrusted data in a web page without proper...

7.1CVSS5.9AI score0.00198EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/05/29 6:15 p.m.36 views

CVE-2026-49375

In JetBrains TeamCity before 2026.1, 2025.11.5 reflected XSS was possible on the repository download page...

6.1CVSS0.00215EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/22 3:39 a.m.41 views

CVE-2026-6864 CBX 5 Star Rating & Review <= 1.0.7 - Reflected Cross-Site Scripting via 'page' Parameter

The CBX 5 Star Rating & Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

6.1CVSS0.00264EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/05/20 7:40 p.m.32 views

CVE-2026-35015 Open ISES Tickets < 3.44.2 Reflected XSS via do_unit_mail.php the_ticket Parameter

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in dounitmail.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the theticket GET parameter directly into a JavaScript variable assignment. Attacker...

5.1CVSS0.00221EPSS
Exploits0References3
EUVD
EUVD
added 2026/05/20 7:39 p.m.11 views

EUVD-2026-31185

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in streetview.php that allows authenticated attackers to inject arbitrary JavaScript by passing unsanitized values through the thelat and thelng GET parameters directly into JavaScript variable assignments...

5.1CVSS5.8AI score0.00221EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/20 7:34 p.m.35 views

CVE-2026-35008 Open ISES Tickets < 3.44.2 Reflected XSS via single.php ticket_id Parameter

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in single.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticketid GET parameter directly into an HTML attribute. Attackers can craft a...

5.1CVSS0.00221EPSS
Exploits0References3
Rows per page
Query Builder