CVE-2026-29971

A reflected cross-site scripting XSS vulnerability exists in WebFileSys version before 2.32.0 and fixed in v.2.32.0. User-controlled input is reflected into HTML and JavaScript contexts without proper output encoding, allowing arbitrary JavaScript execution in the victim's browser via the ftpBack...

CVE-2026-29971

WebFileSys CVE-2026-29971: A reflected XSS in version 2.31.1 (pre-2.32.0) where user-controlled input is reflected into HTML/JavaScript without proper encoding, enabling arbitrary JavaScript execution in the victim’s browser via components such as ftpBackup, authentication input handling, search,...

CVE-2026-41430 Press vulnerable to reflected XSS on login redirection

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service SaaS. Redirect parameter on login page is vulnerable to reflected XSS. The patch in commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6 fixes the issue by restricting...

CVE-2026-41430 Press vulnerable to reflected XSS on login redirection

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service SaaS. Redirect parameter on login page is vulnerable to reflected XSS. The patch in commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6 fixes the issue by restricting...

CVE-2025-58920

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Zootemplate Cerato cerato allows Reflected XSS.This issue affects Cerato: from n/a through = 2.2.18...

WordPress Bricks Builder theme <= 2.2 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by w41bu1 in WordPress Theme Bricks Builder versions = 2.2...

CVE-2026-41200

STIG Manager is an API and web client for managing Security Technical Implementation Guides STIG assessments of Information Systems. Versions 1.5.10 through 1.6.7 have a reflected Cross-Site Scripting XSS vulnerability in the OIDC authentication error handling code in src/init.js and...

PT-2026-34595

STIG Manager is an API and web client for managing Security Technical Implementation Guides STIG assessments of Information Systems. Versions 1.5.10 through 1.6.7 have a reflected Cross-Site Scripting XSS vulnerability in the OIDC authentication error handling code in src/init.js and...

monetr: Server-side request forgery in Lunch Flow link creation and refresh

Impact A server-side request forgery SSRF vulnerability in monetr's Lunch Flow integration allowed any authenticated user on a self-hosted instance to cause the monetr server to issue HTTP GET requests to arbitrary URLs supplied by the caller, with the response body from non-200 upstream response...

Silverpeas Core has a reflected cross-site scripting vulnerability

A reflected cross-site scripting XSS vulnerability in the AdvancedSearch functionality of Silverpeas Core allows attackers to execute arbitrary JavaScript in the context of a user's browser via crafted input...

CVE-2026-30139

Silverpeas Core prior to 6.4.6 is affected by a reflected XSS in the AdvancedSearch functionality. Crafted input can execute arbitrary JavaScript in the context of a user’s browser. The description identifies the vulnerable component and version, but does not provide remediation steps or affected...

CVE-2026-40878 mailcow-dockerized Login Page has Reflected Parameter Injection / Wrong-Context XSS Escaping

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw $SERVER'REQUESTURI' to Twig as a global template variable and renders it inside a JavaScript string literal in the setLang helper of base.twig,...

CVE-2026-41456 Bludit CMS Reflected XSS via Search Plugin

Bludit CMS prior to commit 6732dde contains a reflected cross-site scripting vulnerability in the search plugin that allows unauthenticated attackers to inject arbitrary JavaScript by crafting a malicious search query. Attackers can execute malicious scripts in the browsers of users who visit...

CVE-2026-27937

October is a Content Management System CMS and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting XSS vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 and...

GHSA-JJ38-H5W5-MVPF October CMS: Reflected XSS via DataTable Form Widget

A reflected Cross-Site Scripting XSS vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. Impact - Reflected XSS only, no stored/persistent component - The backend URL prefix is customizable and must be known or guessed ...

October CMS: Reflected XSS via DataTable Form Widget

A reflected Cross-Site Scripting XSS vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. Impact - Reflected XSS only, no stored/persistent component - The backend URL prefix is customizable and must be known or guessed ...

CVE-2026-27937 October: Reflected XSS via DataTable Form Widget

October is a Content Management System CMS and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting XSS vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 and...

CVE-2026-27937

CVE-2026-27937 concerns the October CMS platform. Affected versions prior to 3.7.16 and 4.1.16 have a vulnerability in the backend DataTable widget where a query parameter is rendered without proper output escaping, resulting in a reflected Cross-Site Scripting (XSS) condition. The root cause is ...

WordPress GiveWP plugin <= 4.14.2 - Reflected Cross Site Scripting (XSS) vulnerability

Reflected Cross Site Scripting XSS vulnerability discovered by HuajiHD in WordPress Plugin GiveWP versions = 4.14.2...

EUVD-2025-209538

Cross-Site Scripting XSS vulnerability reflected in Semantic MediaWiki. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL using the '/index.php/Speciaal:GefacetteerdZoeken' endpoint parameter. This vulnerability can be exploit...