
20012 matches found

Positive Technologies
added 2026/03/05 12:00 a.m., 4 views

PT-2026-23131

Name of the Vulnerable Software and Affected Versions: OoohBoi Steroids for Elementor plugin for WordPress versions up to and including 2.1.24. Description: The OoohBoi Steroids for Elementor plugin for WordPress contains a Stored Cross-Site Scripting issue. Authenticated attackers with...

CVSS 6.4 | AI score 5.8 | EPSS 0.00048
Exploits: 0 | References: 11
ATTACKERKB
added 2026/03/04 5:15 p.m., 3 views

CVE-2019-25502

Simple Job Script contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the jobtypevalue parameter in the jobs endpoint. Attackers can craft requests with SVG payload injection to execute arbitrary JavaScript in victim...

CVSS 6.1 | AI score 6 | EPSS 0.00087
Exploits: 1 | References: 2 | Affected Software: 1
EUVD
added 2026/03/04 9:31 a.m., 2 views

EUVD-2026-9376

The Envira Gallery for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'justifiedgallerytheme' parameter in all versions up to, and including, 1.12.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

CVSS 6.4 | AI score 6 | EPSS 0.00045
Exploits: 0 | References: 5
NVD
added 2026/03/04 9:15 a.m., 2 views

CVE-2026-1236

The Envira Gallery for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'justifiedgallerytheme' parameter in all versions up to, and including, 1.12.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

CVSS 6.4 | EPSS 0.00045
Exploits: 0 | References: 4
Snyk
added 2026/03/04 6:27 a.m., 2 views

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via improper HTML encoding of page names in search results. An attacker can execute arbitrary JavaScript in the context of users viewing the affected search results by injecting malicious scripts through the pag...

CVSS 4.8 | AI score 5.7 | EPSS 0.00011
Exploits: 1 | References: 2
RedhatCVE
added 2026/03/04 1:56 a.m., 2 views

CVE-2026-28357

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, a stored XSS vulnerability exists in the Formula virtual cell. Formula results containing URI:: patterns are rendered via v-html without sanitization, allowing injected HTML to execute. This issue has been patche...

CVSS 5.4 | AI score 5.8 | EPSS 0.00041
Exploits: 0 | References: 1
CVE
added 2026/03/04 1:21 a.m., 6 views

CVE-2026-1945

The CVE-2026-1945 entry concerns the WPBookit WordPress plugin. A Stored Cross-Site Scripting (XSS) vulnerability affects the plugin via the wpb_user_name and wpb_user_email parameters in all versions up to and including 1.0.8, caused by insufficient input sanitization and output escaping. Exploi...

CVSS 7.2 | AI score 6 | EPSS 0.0004
Exploits: 0 | References: 4
CNNVD
added 2026/03/04 12:00 a.m., 4 views

Concrete CMS security vulnerability

Concrete CMS is an open-source content management system designed for teams. Versions of Concrete CMS prior to 9.4.8 contained a security vulnerability. This vulnerability stemmed from a stored-cross-site scripting vulnerability in the Switch Language block, which could allow malicious...

CVSS 4.8 | AI score 5.8 | EPSS 0.00011
Exploits: 1 | References: 2
CVE
added 2026/03/03 9:51 p.m., 7 views

CVE-2026-24415

CVE-2026-24415 affects OpenSTAManager v2.9.8 and earlier, exposing multiple modules (contratti, preventivi, fatture, ddt, ordini, interventi) to Reflected XSS via the GET parameter righe in the modifica_iva.php modals. The vulnerability echoes $_GET['righe'] directly into HTML value attributes wi...

CVSS 6.1 | AI score 6 | EPSS 0.0002
Exploits: 3 | References: 1 | Affected Software: 1
Snyk
added 2026/03/03 9:44 p.m., 3 views

Cross-site Scripting (XSS)

Overview: dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the createDOMPurify function, via comments embedded in XML textarea attributes containing scripts. Details: Cross-site scripting or XSS is a code...

CVSS 6.1 | AI score 5.5 | EPSS 0.00039
Exploits: 0 | References: 2
Snyk
added 2026/03/03 9:44 p.m., 2 views

Cross-site Scripting (XSS)

Overview: org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the createDOMPurify function, via comments embedded in XML textarea attributes containing scripts. Details: Cross-site scripting ...

CVSS 6.1 | AI score 5.5 | EPSS 0.00039
Exploits: 0 | References: 2
OSV
added 2026/03/03 6:30 p.m., 2 views

GHSA-2WW6-868G-2C56 OpenClaw Vulnerable to HTML injection via unvalidated image MIME type in data-URL interpolation

Summary: The HTML session exporter src/auto-reply/reply/export-html/template.js interpolates img.mimeType directly into attributes without validation or escaping. A crafted mimeType value e.g., x" onerror="alert1 can break out of the attribute context and execute arbitrary JavaScript. Impact: An...

CVSS 4.6 | AI score 6.1 | EPSS 0.00031
Exploits: 1 | References: 6
Tenable Nessus
added 2026/03/03 12:00 a.m., 5 views

GitLab 16.2 < 18.7.5 / 18.8 < 18.8.5 / 18.9 < 18.9.1 (CVE-2026-0752)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that under certain circumstances, could have allowed an...

CVSS 8 | AI score 6.1 | EPSS 0.00096
Exploits: 0 | References: 5
Tenable Nessus
added 2026/03/02 12:00 a.m., 4 views

Linux Distros Unpatched Vulnerability : CVE-2026-0752

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that under certain...

CVSS 8 | AI score 6.1 | EPSS 0.00096
Exploits: 0 | References: 2
OSV
added 2026/02/28 10:16 p.m., 3 views

CVE-2026-28560

wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows script injection via forum URL data output into an inline script block using json_encode without the JSON_HEX_TAG flag. Attackers set a forum slug containing a closing script tag or unescaped single quote to break o...

CVSS 4.8 | AI score 5.9 | EPSS 0.00043
Exploits: 0 | References: 3
ATTACKERKB
added 2026/02/28 9:47 p.m., 3 views

CVE-2026-28560

wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows script injection via forum URL data output into an inline script block using json_encode without the JSON_HEX_TAG flag. Attackers set a forum slug containing a closing script tag or unescaped single quote to break o...

CVSS 5.5 | AI score 6 | EPSS 0.00043
Exploits: 0 | References: 4 | Affected Software: 1
NVD
added 2026/02/27 9:16 p.m., 3 views

CVE-2026-28272

Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks Email Protection Gateway allows authenticated administrators to inject malicious scripts through a configuration interface. The stored script executes when users interact with the affected user interface...

CVSS 8.1 | EPSS 0.00014
Exploits: 0 | References: 1
RedhatCVE
added 2026/02/27 7:45 p.m., 5 views

CVE-2026-2678

Reflected Cross-Site Scripting (XSS) on the A3factura web platform, in parameter 'name', parameter 'name', in 'a3factura-app.wolterskluwer.es//incomes/customers' endpoint, which could allow an attacker to execute arbitrary code in the victim's browser...

CVSS 6.1 | AI score 6.3 | EPSS 0.00045
Exploits: 0 | References: 1
Cvelist
added 2026/02/27 7:15 p.m., 18 views

CVE-2026-26997 ClipBucket v5 has Stored XSS via Collection name

ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 59, a normal authenticated user can store the XSS payload. The payload is triggered by administrator. Version 5.5.3 59 fixes the issue...

CVSS 5.1 | EPSS 0.00014
Exploits: 1 | References: 2
Cvelist
added 2026/02/27 11:35 a.m., 19 views

CVE-2026-24351 Stored XSS in PluXml CMS

PluXml CMS is vulnerable to Stored XSS in Static Pages editing functionality. Attacker with editing privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. The vendor was notified early about this vulnerability, but didn't respond with...

CVSS 5.1 | EPSS 0.00013
Exploits: 0 | References: 2