948 matches found
CVE-2026-31382
CVE-2026-31382 (Gainsight Assist) is a reflected XSS in the error_description parameter. An attacker can bypass a domain WAF using a Safari-specific onpagereveal payload, enabling HTML/script injection. Public sources in the connected set confirm the vulnerability type as reflected XSS/HTML injec...
CVE-2026-33136 WeGIA has Reflected Cross-Site Scripting (XSS) in `listar_memorandos_ativos.php` via `sccd` parameter
WeGIA is a web manager for charitable institutions. Versions 3.6.6 and below have a Reflected Cross-Site Scripting XSS vulnerability in the listarmemorandosativos.php endpoint. An attacker can inject arbitrary JavaScript or HTML tags into the sccd GET parameter, which is then directly echoed into...
The Query Monitor plugin for WordPress has Reflected Cross-Site Scripting via Request URI
Impact The Query Monitor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'REQUESTURI' parameter in all versions up to, and including, 3.20.3 due to insufficient output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web script...
CVE-2025-50001 WordPress tagDiv Composer plugin <= 5.4.2 - Reflected Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in tagDiv tagDiv Composer td-composer allows Reflected XSS.This issue affects tagDiv Composer: from n/a through = 5.4.2...
EUVD-2026-12763
The CRPaid Link Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL path in all versions up to, and including, 0.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts ...
CVE-2026-29520 Hereta ETH-IMC408M Reflected XSS via ping_ipaddr Parameter
Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a reflected cross-site scripting vulnerability in the Network Diagnosis ping function that allows attackers to execute arbitrary JavaScript. Attackers can craft malicious links with injected script payloads in the pingipaddr parameter t...
CVE-2016-20036 Wowza Streaming Engine 4.5.0 Multiple Cross-Site Scripting Vulnerabilities
Wowza Streaming Engine 4.5.0 contains multiple reflected cross-site scripting vulnerabilities in the enginemanager interface where input passed through various parameters is not properly sanitized before being returned to users. Attackers can inject malicious script code through parameters like...
CVE-2016-20027 ZKTeco ZKBioSecurity 3.0 Multiple Reflected XSS Vulnerabilities
ZKTeco ZKBioSecurity 3.0 contains multiple reflected cross-site scripting vulnerabilities that allow attackers to execute arbitrary HTML and script code by injecting malicious payloads through unsanitized parameters in multiple scripts. Attackers can craft malicious URLs with XSS payloads in...
PT-2026-25725
Name of the Vulnerable Software and Affected Versions ZKTeco ZKBioSecurity version 3.0 Description The software contains multiple reflected cross-site scripting issues that permit attackers to run arbitrary HTML and script code. This is achieved by injecting malicious payloads through unsanitized...
Rxss-Scan
Rxss-Scan is a lightwe...
WordPress Website LLMs.txt plugin <= 8.2.6 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting XSS vulnerability discovered by benzdeus in WordPress Plugin Website LLMs.txt versions = 8.2.6...
CVE-2026-2466
The CVE-2026-2466 entry concerns the DukaPress WordPress plugin (affected version up to 3.2.4). The issue arises because the plugin does not sanitise and escape a parameter before reflecting it on the page, enabling a Reflected Cross-Site Scripting (XSS) attack. Impact is stated as potential expl...
CVE-2026-2466
The DukaPress WordPress plugin through 3.2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
CVE-2025-12473
The RTMKit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'themebuilder' parameter in all versions up to, and including, 1.6.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...
CVE-2026-2431 CM Custom Reports <= 1.2.7 - Reflected Cross-Site Scripting via 'date_from' and 'date_to' Parameters
The CM Custom Reports plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'datefrom' and 'dateto' parameters in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...
Cross-site Scripting (XSS)
Astro is vulnerable to Cross Site Scripting XSS. The vulnerability is due to a Reflected Cross-Site Scripting XSS vulnerability in Astro's development server error pages when the trailingSlash configuration option is used, where an attacker can inject arbitrary JavaScript code that executes in th...
CVE-2026-27375
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in JanStudio Gecko gecko allows Reflected XSS.This issue affects Gecko: from n/a through = 1.9.8...
CVE-2026-1706
The All-in-One Video Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'vi' parameter in all versions up to, and including, 4.7.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary...
EUVD-2026-9778
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in sizam RH Frontend Publishing Pro rh-frontend allows Reflected XSS.This issue affects RH Frontend Publishing Pro: from n/a through = 4.3.2...
EUVD-2026-9631
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in JanStudio Gecko gecko allows Reflected XSS.This issue affects Gecko: from n/a through = 1.9.8...