Lucene search
K

37645 matches found

NVD
NVD
added 2026/07/01 9:17 p.m.7 views

CVE-2026-58263

Jodit Editor is a WYSIWYG editor with written in pure TypeScript file and image editing capabilities. In versions prior to 4.12.28, the built-in clean-html sanitizer can be bypassed by a MathML/ carrier that hides a dangerous element from the sanitizer's element walk, so a no-interaction event...

7.2CVSS0.00179EPSS
Exploits0References1
NVD
NVD
added 2026/07/01 9:17 p.m.6 views

CVE-2026-55660

Tina is a headless content management system. In versions prior to @tinacms/app 2.5.6 and tinacms 3.9.3, cross-origin postMessage handlers and a rich-text URL-sanitization bypass enable stored XSS and session takeover. The library registers window message listeners — the useTina overlay handler,...

7.6CVSS0.00196EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/01 9:0 p.m.36 views

CVE-2026-55660 TinaCMS: Cross-origin postMessage handlers and rich-text URL-sanitization bypass enable stored XSS and session takeover

Tina is a headless content management system. In versions prior to @tinacms/app 2.5.6 and tinacms 3.9.3, cross-origin postMessage handlers and a rich-text URL-sanitization bypass enable stored XSS and session takeover. The library registers window message listeners — the useTina overlay handler,...

7.6CVSS0.00196EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/07/01 9:0 p.m.7 views

CVE-2026-55660

Tina is a headless content management system. In versions prior to @tinacms/app 2.5.6 and tinacms 3.9.3, cross-origin postMessage handlers and a rich-text URL-sanitization bypass enable stored XSS and session takeover. The library registers window message listeners — the useTina overlay handler,...

7.6CVSS5.7AI score0.00196EPSS
Exploits0References3Affected Software2
CVE
CVE
added 2026/07/01 9:0 p.m.30 views

CVE-2026-55660

CVE-2026-55660 : TinaCMS and Tinacms app prior to versions 2.5.6 / 3.9.3 allow cross-origin postMessage abuse due to window message listeners that do not validate event.origin/source and post to non-specific origins, combined with insufficient URL sanitization in rich-text content. This enables s...

7.6CVSS5.7AI score0.00196EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/01 8:44 p.m.36 views

CVE-2026-55661 TinaCMS rich-text (slatejson) rendering does not sanitize link/image URLs, allowing stored XSS via dangerous URL schemes

Tina is a headless content management system. In versions prior to @tinacms/mdx 2.1.7 and tinacms 3.9.3, rich-text parsing and the default link/image renderers did not sanitize the url field on Slate link/image nodes. Content containing javascript: or data:text/html URLs — including case-variant,...

4.8CVSS0.00239EPSS
Exploits0References2
RedHat Linux
RedHat Linux
added 2026/07/01 7:33 p.m.5 views

golang.org/x/net/html: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting

A flaw was found in golang.org/x/net/html. A remote attacker could exploit this vulnerability by providing specially crafted HTML. When this arbitrary HTML is parsed and rendered, it can result in an unexpected HTML tree, bypassing input sanitization. This can be leveraged to execute Cross-Site...

6.1CVSS6.5AI score0.00178EPSS
Exploits0References8
NVD
NVD
added 2026/07/01 5:16 p.m.5 views

CVE-2026-34098

Guardian language-system fails to sanitize the id GET parameter before inserting it into HTML source and form action attributes in media.php lines 119, 129. An authenticated attacker can craft a URL that injects script tags executing in the victim's browser session...

4.8CVSS0.00147EPSS
Exploits0References2
RedHat Linux
RedHat Linux
added 2026/07/01 5:14 p.m.5 views

PHP: PHP-FPM: PHP-FPM: Cross-Site Scripting vulnerability via improper URL sanitation

A flaw was found in PHP, specifically within the PHP-FPM status page. Due to improper sanitation of user data, a remote attacker can craft a malicious URL. When a user views the PHP-FPM status page with this crafted URL, it can lead to the execution of arbitrary JavaScript code Cross-Site Scripti...

8.8CVSS6.2AI score0.0021EPSS
Exploits1References5
EUVD
EUVD
added 2026/07/01 4:2 p.m.8 views

EUVD-2026-41053

Guardian language-system fails to sanitize the id GET parameter before inserting it into multiple HTML form action attributes in textfile.php lines 94, 101, 323, 403, 826, 852. An authenticated attacker can craft a URL that injects script tags executing in the victim's browser session...

4.8CVSS5.8AI score0.00147EPSS
Exploits0References2
EUVD
EUVD
added 2026/07/01 3:53 p.m.6 views

EUVD-2026-41052

Guardian language-system fails to sanitize the name GET parameter before outputting it into an HTML input value attribute in designer.php line 57. An authenticated attacker can craft a URL containing script tags that execute in the victim's browser session...

4.8CVSS5.8AI score0.00147EPSS
Exploits0References2
NVD
NVD
added 2026/07/01 11:16 a.m.11 views

CVE-2026-12142

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'name' Array Parameter in all versions up to, and including, 9.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...

7.2CVSS0.00304EPSS
Exploits0References14
RedHat Linux
RedHat Linux
added 2026/07/01 11:9 a.m.5 views

DOMPurify: DOMPurify: Cross-Site Scripting (XSS) via inconsistent tag sanitization

A flaw was found in DOMPurify, a DOM-only cross-site scripting sanitizer. A remote attacker could exploit an inconsistency in how forbidden tags and attributes are handled when function-based tag additions are used. This allows malicious HTML, MathML, or SVG elements to bypass sanitization and...

6.1CVSS7.5AI score0.00263EPSS
Exploits1References7
NVD
NVD
added 2026/07/01 8:16 a.m.9 views

CVE-2026-12732

The LearnPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'classwrapperform' shortcode attribute in versions up to, and including, 4.4.0. This is due to insufficient input sanitization and output escaping in the FilterCourseTemplate::sections method at line 98, wher...

6.4CVSS0.00193EPSS
Exploits0References4
EUVD
EUVD
added 2026/07/01 7:55 a.m.7 views

EUVD-2026-40925

A Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauthenticated attacker to execute unauthorized commands on the affected server, potentially leading to compromise of the server. This...

9.5CVSS5.9AI score0.00235EPSS
Exploits0References1
EUVD
EUVD
added 2026/07/01 7:53 a.m.6 views

EUVD-2026-40923

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'nodatamsg' Shortcode Attribute in all versions up to, and including, 3.3.60 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS5.9AI score0.00206EPSS
Exploits0References8
NVD
NVD
added 2026/07/01 5:16 a.m.7 views

CVE-2026-13731

The WPBot – AI ChatBot for Live Support, Lead Generation, AI Services plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'conversation' parameter in all versions up to, and including, 8.4.9 due to insufficient input sanitization and output escaping. This makes it possible f...

7.2CVSS0.00524EPSS
Exploits0References7
NVD
NVD
added 2026/07/01 5:16 a.m.6 views

CVE-2026-13246

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blockid' and other shortcode attributes of the 'givewpcampaigncomments' shortcode in versions up to, and including, 4.16.0. This is due to insufficient input sanitizati...

6.4CVSS0.00241EPSS
Exploits0References12
NVD
NVD
added 2026/07/01 5:16 a.m.9 views

CVE-2026-12135

The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'videoplayer' shortcode 'align' attribute in all versions up to, and including, 7.5.51.7212 due to insufficient input sanitization and output escaping on user supplied attributes. This makes i...

6.4CVSS0.00205EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/07/01 3:43 a.m.34 views

CVE-2026-13015 WP Google Review Slider <= 18.1 - Reflected Cross-Site Scripting via 'place' Parameter

The Wp Google Places Review Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'place' parameter in versions up to, and including, 18.1. This is due to insufficient input sanitization and output escaping in admin/partials/googlecrawldfs.php, where the $GET'place'...

6.1CVSS0.00211EPSS
Exploits0References5
Rows per page
Query Builder