CVE-2026-8911

CVE-2026-8911 affects the WordPress plugin WP AutoBuzz (versions <= 1.1.1). The root cause is missing/incorrect nonce validation, enabling CSRF that can update settings and write unsanitized data via update_option, leading to a stored XSS via the googleAccount parameter and bypassing DISALLOW_...

CVE-2026-6405

The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Cross-Site Request Forgery CSRF leading to Stored Cross-Site Scripting XSS in versions up to and including 0.3.6. This is due to missing nonce verification on the settings page handler and insufficient output...

CVE-2026-25787

Affected devices do not properly validate and sanitize Technology Object TO name rendered on the "Motion Control Diagnostics" page of the web interface. This could allow an authenticated attacker who is authorized to download a TIA project into the product, to inject malicious scripts into the...

EUVD-2026-27205

The addfreespace plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scrip...

Cross-site Scripting (XSS)

org.apache.activemq, activemq-web is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper neutralization of script-related HTML content in the web console, which allows an attacker to inject and execute malicious HTML/JavaScript by manipulating content type and JMS selecto...

CVE-2026-28263

CVE-2026-28263 affects Dell PowerProtect Data Domain running DD OS Feature Release 7.7.1.0–8.5, LTS2025 8.3.1.0–8.3.1.20, and LTS2024 7.13.1.0–7.13.1.50. It describes a cross-site scripting vulnerability that could be exploited by a high-privilege attacker with remote access, leading to script in...

CVE-2026-4072

The WordPress PayPal Donation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'donate' shortcode in all versions up to, and including, 1.01. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'amount', 'email'...

EUVD-2026-15940

Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15,13.0.16-pro,12.0.14 and prior and fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc sdoc editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows...

PT-2026-26843

The Post Snippits plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings page handlers for saving, adding, and deleting snippets. This makes it possible for unauthenticated attackers to...

CVE-2026-4083

The Scoreboard for HTML5 Games Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'scoreboard' shortcode in all versions up to, and including, 1.2. The shortcode function sfhgshortcode allows arbitrary HTML attributes to be added to the rendered element, with only a...

CVE-2015-20116

The CVE refers to RealtyScript 4.0.2 from Next Click Ventures, where the CSV file upload handling is vulnerable to stored cross-site scripting due to insufficient sanitization of filename parameters in multipart form data. This can allow an attacker to inject XSS payloads that execute in users’ b...

CVE-2019-25316 GOautodial 4.0 - 'CreateEvent' Persistent Cross-Site Scripting

GOautodial 4.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the event title parameter. Attackers can exploit the CreateEvent.php endpoint by sending crafted POST requests with XSS payloads to execute arbitrary...

CVE-2025-65480

An issue was discovered in Pacom Unison Client 5.13.1. Authenticated users can inject malicious scripts in the Report Templates which are executed when certain script conditions are fulfilled, leading to Remote Code Execution...

CVE-2025-65480

An issue was discovered in Pacom Unison Client 5.13.1. Authenticated users can inject malicious scripts in the Report Templates which are executed when certain script conditions are fulfilled, leading to Remote Code Execution...

CVE-2025-13704

CVE-2025-13704 affects the Autogen Headers Menu WordPress plugin. The issue is a stored cross-site scripting (XSS) in the shortcode parameter head_class used by the autogen_menu shortcode. The vulnerability arises from insufficient input sanitization and output escaping in all versions up to and ...

EUVD-2025-202561

Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they brow...

PT-2025-48090

GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.25.0, a reflected cross-site scripting XSS vulnerability exists in the WMS GetFeatureInfo HTML output format that enables a remote attacker to execute arbitrary JavaScript code in a victim's...

CVE-2025-63420

CrushFTP11 before 11.3.757 is vulnerable to stored HTML injection in the CrushFTP Admin Panel Reports / "Who Created Folder", enabling persistent HTML execution in admin sessions...

CVE-2025-36592

Dell Secure Connect Gateway SCG Policy Manager, versions 5.20. 5.22, 5.24, 5.26, 5.28, contains an Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading...

CVE-2025-59997 Junos Space: Fields in the CLI Configlets are vulnerable to reflected cross-site script injection

An Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the CLI Configlets pages that, when visited by another user, enable the attacker to execute commands with the target's...