CVE-2026-24833

DNN formerly DotNetNuke is an open-source web content management platform CMS in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, a module could install with richtext in its description field which could contain scripts that will run for user in the Persona Bar. Versions 9.13.10 and...

CVE-2026-24433

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.195037 contain a stored cross-site scripting vulnerability in the user creation functionality. Insufficient input validation allows attacker-controlled script content to be stored and later executed when administrative users...

PT-2026-5042

Name of the Vulnerable Software and Affected Versions DNN formerly DotNetNuke versions 9.0.0 through 9.13.9 DNN formerly DotNetNuke versions 10.0.0 through 10.1.x Description DNN formerly DotNetNuke is an open-source web content management platform. A module friendly name can include scripts that...

PT-2026-5043

Name of the Vulnerable Software and Affected Versions DNN formerly DotNetNuke versions prior to 9.13.10 DNN formerly DotNetNuke versions prior to 10.2.0 Description DNN formerly DotNetNuke is an open-source web content management platform. Prior to versions 9.13.10 and 10.2.0, the module title...

CVE-2020-36960

Forma LMS 2.3 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into user profile first and last name fields. Attackers can craft scripts like 'alertdocument.cookie' to execute arbitrary JavaScript when the profile is viewed by other users...

EUVD-2020-30854

Forma LMS 2.3 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into user profile first and last name fields. Attackers can craft scripts like 'alertdocument.cookie' to execute arbitrary JavaScript when the profile is viewed by other users...

Tenda W30E security vulnerabilities

The Tenda W30E is a router produced by the Chinese company Tenda. Versions of the Tenda W30E such as V2 and V16.01.0.195037 had security vulnerabilities. These vulnerabilities stemmed from the lack of the X-Content-Type-Options header in the web management interface, which could lead to browsers...

CVE-2025-71177

LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without prop...

CVE-2026-0914

The WP DSGVO Tools GDPR plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'lwcontentblock' shortcode in all versions up to, and including, 3.1.36 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2025-14797

The Same Category Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget title placeholder functionality in all versions up to, and including, 1.1.19. This is due to the use of htmlspecialcharsdecode on taxonomy term names before output, which decodes HTML entities...

GHSA-W7RQ-FGX4-4XCM LavaLite CMS affected by a stored cross-site scripting vulnerability

LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without prop...

CVE-2021-47892

PEEL Shopping 9.3.0 contains a stored cross-site scripting vulnerability in the 'Comments / Special Instructions' parameter of the purchase page. Attackers can inject malicious JavaScript payloads that will execute when the page is refreshed, potentially allowing client-side script execution...

CVE-2018-25116

MyBB Thread Redirect Plugin 0.2.1 contains a cross-site scripting vulnerability in the custom text input field for thread redirects. Attackers can inject malicious SVG scripts that will execute when other users view the thread, allowing arbitrary script execution...

CVE-2021-47897

CVE-2021-47897 affects PEEL Shopping 9.3.0. A stored cross-site scripting vulnerability exists in the address parameter of the change_params.php script, allowing injected JavaScript that runs in the user’s browser on interaction with the address box. CVSS metrics show a high/severe impact under d...

CVE-2021-47892 PEEL Shopping 9.3.0 - 'Comments/Special Instructions' Stored Cross-Site Scripting

PEEL Shopping 9.3.0 contains a stored cross-site scripting vulnerability in the 'Comments / Special Instructions' parameter of the purchase page. Attackers can inject malicious JavaScript payloads that will execute when the page is refreshed, potentially allowing client-side script execution...

CVE-2018-25116

The CVE-2018-25116 entry pertains to MyBB Thread Redirect Plugin version 0.2.1, which is documented to contain a cross-site scripting (XSS) vulnerability in the custom text input field for thread redirects. Attackers can inject SVG scripts that execute when other users view the thread, enabling a...

CVE-2026-0788

ALGO 8180 IP Audio Alerter Web UI Persistent Cross-Site Scripting Vulnerability. This vulnerability allows remote attackers to execute web requests with a target user's privileges on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this...

CVE-2026-23499

Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed authenticated staff users or Apps to upload arbitrary files, including malicious HTML and SVG files containing Javascript. Depending on the deployment strategy, these...

EUVD-2026-4135

Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their OpenAI key...

CVE-2025-27380

CVE-2025-27380 affects Altium Enterprise Server (AES) 7.0.3. In the Project Release feature, HTML content can be crafted to trigger an HTML injection, allowing an authenticated attacker to execute arbitrary JavaScript in the victim’s browser. The vulnerability stems from unsafe handling of HTML i...