CVE-2026-8089

The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin before 2.1.3 does not properly escape a user-supplied parameter before reflecting it into an HTML attribute on a non-nonce-protected AJAX response, allowing unauthenticated...

CVE-2025-31013

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Themify Folo allows Reflected XSS. This issue affects Themify Folo: from n/a through 1.9.6...

CVE-2025-31013

Technical details for CVE-2025-31013 are not provided in the supplied documents; no affected products, vectors, or remediation details are disclosed here. Monitor for official updates.

CVE-2026-54192

This entry covers CVE-2026-54192: unauthenticated Reflected XSS in the WordPress Popup box plugin (<= 6.2.9). The descriptor indicates an XSS vulnerability when loading or handling inputs in affected plugin paths, with a CVSS v3.1 base score of 7.1 (HIGH) and user interaction required. The pro...

CVE-2026-39597

This CVE covers an unauthenticated, reflected Cross Site Scripting (XSS) in the WordPress WPZOOM Addons for Elementor plugin (versions

CVE-2026-22328

CVE-2026-22328 corresponds to a reflected XSS in WordPress Theme Auto Repair <= 22.6, described as unauthenticated in the Initial description and reflected XSS in the product detail. CVSS shows Network attack vector, no privileges required, low impact to confidentiality/integrity/availability,...

CVE-2026-9570

Summary: CVE-2026-9570 affects the Taskbuilder WordPress plugin prior to 5.0.8. The vulnerability arises because a URL parameter is not properly sanitized before being echoed into inline JavaScript on a frontend page that uses a shortcode, causing a Reflected Cross-Site Scripting (XSS) vulnerabil...

CVE-2026-9570 Taskbuilder < 5.0.8 - Reflected XSS via Shortcode

The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline JavaScript on a frontend page containing one of its shortcodes, leading to a Reflected Cross-Site Scripting vulnerability that can be triggered against any logged-in user...

CVE-2026-8089

CVE-2026-8089 affects the weMail plugin for WooCommerce (WordPress) prior to version 2.1.3. The issue is a reflected Cross-Site Scripting (XSS) vulnerability caused by not escaping a user-supplied parameter before reflecting it into an HTML attribute in a non-nonce-protected AJAX response. This a...

PT-2026-50557

Name of the Vulnerable Software and Affected Versions marimo versions prior to 0.23.9 Description A reflected cross-site scripting issue exists in the notebook page. Unauthenticated attackers can inject arbitrary JavaScript by exploiting improper escaping of single quotes in the file query...

Bosch Security Systems IP Cameras Reflected Cross-site Scripting (CVE-2021-23854)

An error in the handling of a page parameter in Bosch IP cameras may lead to a reflected cross site scripting XSS in the web-based interface. This issue only affects versions 7.7x and 7.6x. All other versions are not affected. This plugin only works with Tenable.ot. Please visit...

Zoho manageengine - Cross-Site Scripting

Zoho manageengine is vulnerable to reflected cross-site scripting. This impacts Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 via the...

PT-2026-50169

Name of the Vulnerable Software and Affected Versions n8n versions prior to 2.24.0 Description An endpoint in the Meta and Microsoft Teams trigger nodes reflects a query parameter into the HTTP response without sanitization or Content-Security-Policy headers. This allows for reflected Cross-Site...

PT-2026-49731

Name of the Vulnerable Software and Affected Versions Astro versions prior to 6.3.3 Description When a component utilizes a client: directive, the software inserts named slot content into a data-astro-template attribute without performing HTML escaping on the slot name. This allows an attacker to...

CVE-2026-48157 Slim has Reflected XSS in the HtmlErrorRenderer

Slim is a PHP micro framework that enables users to write simple web applications and APIs. In versions 4.4.0 through 4.15, if an application uses HttpException::setTitle and/or setDescription to include untrusted/request-derived data in the error title or description e.g. "No products found...

CVE-2026-48157

Slim PHP framework (versions 4.4.0–4.15) is affected by an HTML/JavaScript injection in error pages when HttpException::setTitle() and/or setDescription() are fed with untrusted data. The issue can occur in HTML error pages generated by Slim and is present even with displayErrorDetails = false; v...

CVE-2026-39514 WordPress Paid Member Subscriptions plugin <= 2.17.3 - Reflected Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting XSS in Paid Member Subscriptions = 2.17.3 versions...

CVE-2025-68872

CVE-2025-68872 is a reflected XSS vulnerability in the WordPress plugin “Eli's WordCents adSense Widget with Analytics” (versions

CVE-2026-49294

Valhalla is an open source routing engine and accompanying libraries for use with OpenStreetMap data. Versions 3.6.3 and prior are vulnerable to reflected cross-site scripting XSS due to improper neutralization of input in the JSONP callback parameter. When a request specifies a JSONP callback, t...

web-vuln-scanner

Web Vulnerability Scanner Basic web application vulnerability...