
20041 matches found

OSV
added 2026/01/22 9:41 p.m., 4 views

GHSA-JP3Q-WWP3-PWV9 Freeform Craft Plugin CP UI (builder/integrations) has Stored Cross-Site Scripting (XSS) issue

Summary: An authenticated, low-privilege user able to create/edit forms can inject arbitrary HTML/JS into the Craft Control Panel (CP) builder and integrations views. User-controlled form labels and integration metadata are rendered with dangerouslySetInnerHTML without sanitization, leading to store...

CVSS 5.3 | AI score 6 | EPSS 0.00253
Exploits: 1 | References: 5

NVD
added 2026/01/22 5:15 p.m., 2 views

CVE-2025-47600

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in xtemos WoodMart woodmart allows Code Injection. This issue affects WoodMart: from n/a through <= 8.3.7...

CVSS 5.3 | EPSS 0.00336
Exploits: 0 | References: 1

Positive Technologies
added 2026/01/22 12:0 a.m., 4 views

PT-2026-4209

Cross-Site Request Forgery (CSRF) vulnerability in gregmolnar Simple XML Sitemap simple-xml-sitemap allows Stored XSS. This issue affects Simple XML Sitemap: from n/a through <= 1.3...

AI score 5.4 | EPSS 0.0012
Exploits: 0 | References: 2

Snyk
added 2026/01/21 10:46 p.m., 1 view

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the rich text fields fields. An attacker can execute arbitrary scripts in the context of other users by injecting malicious HTML content. Details: Cross-site scripting or XSS is a code vulnerability that occu...

CVSS 7.2 | AI score 6 | EPSS 0.00201
Exploits: 0 | References: 2

NVD
added 2026/01/21 10:15 p.m., 9 views

CVE-2026-23499

Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed authenticated staff users or Apps to upload arbitrary files, including malicious HTML and SVG files containing Javascript. Depending on the deployment strategy, these...

CVSS 8.5 | EPSS 0.00228
Exploits: 1 | References: 7

Cvelist
added 2026/01/21 5:27 p.m., 16 views

CVE-2021-47857 Moodle 3.10.3 - 'label' Persistent Cross Site Scripting

Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in the calendar event subtitle field that allows attackers to inject malicious scripts. Attackers can craft a calendar event with malicious JavaScript in the subtitle track label to execute arbitrary code when users view the...

CVSS 7.2 | EPSS 0.00309
Exploits: 1 | References: 3

RedhatCVE
added 2026/01/21 7:19 a.m., 3 views

CVE-2025-66523

URL parameters are directly embedded into JavaScript code or HTML attributes without proper encoding or sanitization. This allows attackers to inject arbitrary scripts when an authenticated user visits a crafted link. This issue affects na1.foxitesign.foxit.com: before 2026‑01‑16...

CVSS 6.1 | AI score 5.7 | EPSS 0.00157
Exploits: 0 | References: 1

ATTACKERKB
added 2026/01/20 2:26 p.m., 3 views

CVE-2026-0608

The Head Meta Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'head-meta-data' post meta field in all versions up to, and including, 20251118 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 6.4 | AI score 5.5 | EPSS 0.00203
Exploits: 0 | References: 3

NVD
added 2026/01/20 7:15 a.m., 4 views

CVE-2025-66523

URL parameters are directly embedded into JavaScript code or HTML attributes without proper encoding or sanitization. This allows attackers to inject arbitrary scripts when an authenticated user visits a crafted link. This issue affects na1.foxitesign.foxit.com: before 2026‑01‑16...

CVSS 6.1 | EPSS 0.00157
Exploits: 0 | References: 1

ATTACKERKB
added 2026/01/20 6:51 a.m., 3 views

CVE-2025-66523

URL parameters are directly embedded into JavaScript code or HTML attributes without proper encoding or sanitization. This allows attackers to inject arbitrary scripts when an authenticated user visits a crafted link. This issue affects na1.foxitesign.foxit.com: before 2026‑01‑16...

CVSS 6.1 | AI score 5.7 | EPSS 0.00157
Exploits: 0 | References: 2

Vulnrichment
added 2026/01/20 6:51 a.m., 2 views

CVE-2025-66523 Reflected Cross-Site Scripting (XSS) Vulnerability in na1.foxitesign.foxit.com via Unsanitized URL Parameters

URL parameters are directly embedded into JavaScript code or HTML attributes without proper encoding or sanitization. This allows attackers to inject arbitrary scripts when an authenticated user visits a crafted link. This issue affects na1.foxitesign.foxit.com: before 2026‑01‑16...

CVSS 6.1 | AI score 5.7 | EPSS 0.00157
Exploits: 0 | References: 1

Tenable Nessus
added 2026/01/20 12:0 a.m., 3 views

MiracleLinux 9 : redis-6.2.7-1.el9 (AXSA:2023-4604:01)

The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2023-4604:01 advisory. redis: Code injection via Lua script execution environment (CVE-2022-24735) redis: Malformed Lua script can crash Redis (CVE-2022-24736) Tenable has...

CVSS 7.8 | AI score 5.8 | EPSS 0.02147
Exploits: 2 | References: 3

CNNVD
added 2026/01/20 12:0 a.m., 5 views

Foxit eSign security vulnerability

Foxit eSign is an electronic signature service software developed by the American company Foxit. Versions of Foxit eSign prior to 2026‑01‑16 contained security vulnerabilities. These vulnerabilities stemmed from URL parameters being directly embedded into JavaScript code or HTML attributes withou...

CVSS 6.1 | AI score 6 | EPSS 0.00157
Exploits: 0 | References: 1

CNNVD
added 2026/01/20 12:0 a.m., 3 views

Starware WorklogPRO – Jira Timesheets security vulnerabilities

The Starware WorklogPRO – Jira Timesheets is a time tracking plugin developed by The Starware company in Turkey. Versions of The Starware WorklogPRO – Jira Timesheets prior to 4.24.1-jira9, 4.24.1-jira10, and 4.24.1-jira11 contained security vulnerabilities. These vulnerabilities were caused by...

CVSS 6.1 | AI score 5.9 | EPSS 0.0021
Exploits: 0 | References: 4

Tenable Nessus
added 2026/01/20 12:0 a.m., 5 views

MiracleLinux 8 : postgresql:12 (AXSA:2024-7394:01)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2024-7394:01 advisory. postgresql: Buffer overrun from integer overflow in array modification (CVE-2023-5869) postgresql: Memory disclosure in aggregate function calls...

CVSS 8.8 | AI score 8 | EPSS 0.04322
Exploits: 0 | References: 5

Tenable Nessus
added 2026/01/19 12:0 a.m., 3 views

MiracleLinux 3 : httpd-2.2.3-11.4.1AXS3 (AXBA:2008-331:03)

The remote MiracleLinux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXBA:2008-331:03 advisory. - Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp...

CVSS 5 | AI score 5.7 | EPSS 0.38953
Exploits: 5 | References: 3

NVD
added 2026/01/18 11:15 p.m., 4 views

CVE-2026-23525

1Panel is an open-source, web-based control panel for Linux server management. A stored Cross-Site Scripting (XSS) vulnerability exists in the 1Panel App Store when viewing application details. Malicious scripts can execute in the context of the user’s browser, potentially compromising session data...

CVSS 8.4 | EPSS 0.00306
Exploits: 0 | References: 1

EUVD
added 2026/01/17 6:42 a.m., 4 views

EUVD-2026-3146

The Team Section Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user-supplied social network link URLs. This makes it possible for authenticate...

CVSS 6.4 | AI score 4.6 | EPSS 0.00241
Exploits: 0 | References: 5

Positive Technologies
added 2026/01/17 12:0 a.m., 3 views

PT-2026-3358

The Integrate Dynamics 365 CRM plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...

CVSS 4.4 | AI score 5 | EPSS 0.00207
Exploits: 0 | References: 5

RedhatCVE
added 2026/01/16 11:31 p.m., 3 views

CVE-2021-47779

Dolibarr ERP-CRM 14.0.2 contains a stored cross-site scripting vulnerability in the ticket creation module that allows low-privilege users to inject malicious scripts. Attackers can craft a specially designed ticket message with embedded JavaScript that triggers when an administrator copies the...

CVSS 8.4 | AI score 6.1 | EPSS 0.00309
Exploits: 1 | References: 1