
32428 matches found

Cvelist
added 2026/04/09 8:54 p.m., 16 views

CVE-2023-54364 Joomla HikaShop 4.7.4 Reflected XSS via Product Filter

Joomla HikaShop 4.7.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating GET parameters in the product filter endpoint. Attackers can craft malicious URLs containing XSS payloads in the from_option, from_ctrl,...

CVSS 6.1, EPSS 0.00226
Exploits 0, References 4

CVE
added 2026/04/09 8:54 p.m., 8 views

CVE-2023-54364

Joomla HikaShop 4.7.4 is affected by a reflected XSS vulnerability in the product filter endpoint. The issue allows unauthenticated attackers to inject scripts via GET parameters (from_option, from_ctrl, from_task, from_itemid). Victims visiting a crafted link can have scripts executed, with pote...

CVSS 6.1, AI score 5.8, EPSS 0.00226
Exploits 0, References 4

ATTACKERKB
added 2026/04/09 8:54 p.m., 0 views

CVE-2023-54363

Joomla Solidres 2.13.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating multiple GET parameters including show, reviews, typeid, distance, facilities, categories, prices, location, and Itemid. Attackers can...

CVSS 6.1, AI score 5.8, EPSS 0.00226
Exploits 0, References 4, Affected Software 1

Vulnrichment
added 2026/04/09 8:54 p.m., 1 views

CVE-2023-54363 Joomla Solidres 2.13.3 Reflected XSS via Multiple Parameters

Joomla Solidres 2.13.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating multiple GET parameters including show, reviews, typeid, distance, facilities, categories, prices, location, and Itemid. Attackers can...

CVSS 6.1, AI score 5.6, EPSS 0.00226
Exploits 0, References 4

CVE
added 2026/04/09 8:54 p.m., 8 views

CVE-2023-54362

Joomla VirtueMart Shopping-Cart 4.0.12 is affected by a reflected XSS in the keyword parameter of the product-variants endpoint. The vulnerability allows an attacker to craft a URL containing a script payload that, when visited by a user, executes arbitrary JavaScript in the victim’s browser and ...

CVSS 6.1, AI score 6, EPSS 0.00194
Exploits 0, References 4

Cvelist
added 2026/04/09 8:54 p.m., 16 views

CVE-2023-54361 Joomla iProperty Real Estate 4.1.1 Reflected XSS via filter_keyword

Joomla iProperty Real Estate 4.1.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the filter_keyword parameter. Attackers can craft URLs containing JavaScript payloads in the filter_keyword GET parameter of the...

CVSS 6.1, EPSS 0.00225
Exploits 0, References 4

ATTACKERKB
added 2026/04/09 8:54 p.m., 3 views

CVE-2023-54362

Joomla VirtueMart Shopping-Cart 4.0.12 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the keyword parameter. Attackers can craft malicious URLs containing script payloads in the keyword parameter of the product-variants...

CVSS 6.1, AI score 6, EPSS 0.00194
Exploits 0, References 4, Affected Software 1

ATTACKERKB
added 2026/04/09 8:54 p.m., 2 views

CVE-2023-54360

Joomla JLex Review 6.0.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the review_id URL parameter. Attackers can craft malicious links containing JavaScript payloads that execute in victims' browsers when clicked, enablin...

CVSS 6.1, AI score 5.9, EPSS 0.00194
Exploits 0, References 4, Affected Software 1

Vulnrichment
added 2026/04/09 8:54 p.m., 4 views

CVE-2023-54360 Joomla JLex Review 6.0.1 Reflected XSS via review_id Parameter

Joomla JLex Review 6.0.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the review_id URL parameter. Attackers can craft malicious links containing JavaScript payloads that execute in victims' browsers when clicked, enablin...

CVSS 6.1, AI score 5.8, EPSS 0.00194
Exploits 0, References 4

CVE
added 2026/04/09 8:54 p.m., 6 views

CVE-2023-54358

CVE-2023-54358 refers to a reflected XSS in WordPress adivaha Travel Plugin 2.3. The vulnerability is triggered via the isMobile GET parameter at /mobile-app/v3/, allowing unauthenticated attackers to craft malicious URLs to execute script in victims’ browsers and potentially steal session tokens...

CVSS 6.1, AI score 6.2, EPSS 0.00263
Exploits 0, References 4

OSV
added 2026/04/09 2:47 p.m., 2 views

OPENSUSE-SU-2026:20497-1 Security update for python-gi-docgen

This update for python-gi-docgen fixes the following issues: - CVE-2025-11687: Fixed reflected DOM XSS bsc1251961...

CVSS 6.1, AI score 5.8, EPSS 0.00337
Exploits 0, References 2

OSV
added 2026/04/09 2:40 p.m., 5 views

SUSE-SU-2026:21159-1 Security update for python-gi-docgen

This update for python-gi-docgen fixes the following issues: - CVE-2025-11687: Fixed reflected DOM XSS bsc1251961...

CVSS 6.1, AI score 5.7, EPSS 0.00337
Exploits 0, References 3

Vulnrichment
added 2026/04/09 12:0 a.m., 1 views

CVE-2025-63238

A Reflected Cross-Site Scripting (XSS) vulnerability affects LimeSurvey versions prior to 6.15.11+250909, due to the lack of validation of the gid parameter in the getInstance function in application/models/QuestionCreate.php. This allows an attacker to craft a malicious URL and compromise the logged in user...

AI score 5.8, EPSS 0.00227
Exploits 1, References 2

Positive Technologies
added 2026/04/09 12:0 a.m., 2 views

PT-2026-31725

WordPress adivaha Travel Plugin 2.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the isMobile parameter. Attackers can craft malicious URLs containing JavaScript payloads in the isMobile GET parameter at...

CVSS 6.1, AI score 6.2, EPSS 0.00263
Exploits 0, References 5

CVE
added 2026/04/09 12:0 a.m., 9 views

CVE-2025-63238

CVE-2025-63238 is a reported Reflected Cross‑Site Scripting (XSS) in LimeSurvey prior to 6.15.11+250909. The vulnerability stems from missing validation of the gid parameter in getInstance() within application/models/QuestionCreate.php, allowing an attacker to craft a malicious URL that could com...

CVSS 6.1, AI score 5.9, EPSS 0.00227
Exploits 1, References 2, Affected Software 1

CVE
added 2026/04/08 10:16 p.m., 23 views

CVE-2026-3438

CVE-2026-3438 affects Sonatype Nexus Repository 3.x (versions 3.0.0 through 3.90.2). It is a reflected cross-site scripting vulnerability that lets unauthenticated remote attackers execute arbitrary JavaScript in a victim’s browser via a specially crafted URL. Exploitation requires user interacti...

CVSS 5.1, AI score 6.1, EPSS 0.00465
Exploits 0, References 2

RedhatCVE
added 2026/04/08 7:34 p.m., 4 views

CVE-2026-39332

ChurchCRM is an open-source church management system. Prior to 7.1.0, a reflected Cross-Site Scripting (XSS) vulnerability in GeoPage.php allows any authenticated user to inject arbitrary JavaScript into the browser of another authenticated user. Because the payload fires automatically via autofocu...

CVSS 8.7, AI score 6, EPSS 0.00203
Exploits 0, References 1

EUVD
added 2026/04/08 6:33 p.m., 3 views

EUVD-2024-33448

The Announcement & Notification Banner – Bulletin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg and remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.11.7. This makes it possible for unauthenticated...

CVSS 6.1, AI score 7.4, EPSS 0.00588
Exploits 0, References 6

EUVD
added 2026/04/08 6:33 p.m., 2 views

EUVD-2024-33430

The Co-marquage service-public.fr plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 0.5.76. This makes it possible for unauthenticated attackers to inject arbitrary web...

CVSS 6.1, AI score 7.4, EPSS 0.00588
Exploits 0, References 5

EUVD
added 2026/04/08 6:33 p.m., 3 views

EUVD-2024-33809

The salavat counter Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 0.9.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary...

CVSS 6.1, AI score 7.4, EPSS 0.00536
Exploits 0, References 4