CVE-2026-10531

CVE-2026-10531 concerns the AI Share & Summarize WordPress plugin, affected older releases prior to 2.0.4. The vulnerability stems from insufficient sanitization/escaping of some shortcode attributes, specifically title_style, before output. This enables a stored Cross‑Site Scripting (XSS) attack...

CVE-2026-8622

The CVE-2026-8622 entry concerns the WordPress plugin Image Sizes on Demand (versions affected: all up to and including 1.3). The vulnerability is a Reflected Cross-Site Scripting (XSS) via the PHP_SELF server variable caused by insufficient input sanitization and output escaping. It allows unaut...

CVE-2026-8865

CVE-2026-8865 affects the Avalon23 Products Filter for WooCommerce WordPress plugin (

CVE-2026-8628

The CVE-2026-8628 entry concerns the EntreDroppers WordPress plugin (versions up to 1.1.2). A Reflected Cross-Site Scripting flaw arises from insufficient input sanitization and output escaping of PHP_SELF, allowing unauthenticated attackers to inject scripts via attacker-controlled path-info in ...

CVE-2026-10092

The Cincopa video and media plugin for WordPress (versions up to 1.163) is vulnerable to unauthenticated Stored Cross-Site Scripting via the cincopa shortcode in post comments. The root cause is insufficient input sanitization and output escaping, enabling unauthenticated visitors who can post co...

CVE-2026-10091

The CVE-2026-10091 entry concerns the WordPress Email JavaScript Cloak plugin (

CVE-2026-8905

The Osiris Signature Banner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious...

CVE-2026-11614

Technical details (affected versions, root cause, exploit specifics) are not publicly available in the provided documents. Monitor for updates.

CVE-2026-3652

CVE-2026-3652: The ARForms WordPress plugin is vulnerable to an Unauthenticated Stored Cross-Site Scripting (XSS) via the value parameter of the arf_save_incomplete_form_data AJAX action. Affected are all versions up to 7.1.3. The root cause is insufficient input sanitization and output escaping,...

EUVD-2026-38631

Fortra File Integrity Monitoring FIM, formerly Tripwire Enterprise, versions prior to 9.4.0.1 contain a stored cross-site scripting XSS vulnerability in the Asset View UI component. An authenticated user with sufficient privileges to create or modify affected node or database configuration fields...

python: Python: Cross-Site Scripting (XSS) vulnerability in http.cookies module

A flaw was found in Python's http.cookies module. The Morsel.jsoutput function, responsible for generating JavaScript output for cookies, does not properly neutralize the HTML sequence. This oversight could allow a remote attacker to inject malicious script into a web page, potentially leading to...

CVE-2026-56785

FlatPress is affected by a stored cross-site scripting (XSS) vulnerability in comment and contact forms. Versions prior to commit 10be83c (FlatPress) render the name, URL, and email fields without proper output encoding in Smarty templates, allowing an attacker to inject arbitrary HTML/JavaScript...

CVE-2026-56785

FlatPress versions prior to commit 10be83c, contains a stored cross-site scripting vulnerability in comment and contact forms where name, URL, and email fields are rendered without proper output encoding in Smarty templates. Attackers can inject arbitrary HTML and JavaScript through these fields ...

CVE-2026-12163 Stored XSS in Fortra File Integrity Monitoring (FIM)

Fortra File Integrity Monitoring FIM, formerly Tripwire Enterprise, versions prior to 9.4.0.1 contain a stored cross-site scripting XSS vulnerability in the Asset View UI component. An authenticated user with sufficient privileges to create or modify affected node or database configuration fields...

CVE-2026-12163

Fortra File Integrity Monitoring FIM, formerly Tripwire Enterprise, versions prior to 9.4.0.1 contain a stored cross-site scripting XSS vulnerability in the Asset View UI component. An authenticated user with sufficient privileges to create or modify affected node or database configuration fields...

EUVD-2026-38395

Filament: Unvalidated ImageColumn and ImageEntry values can be used for XSS...

EUVD-2026-37008

Slim has Reflected XSS in the HtmlErrorRenderer...

CVE-2026-46547

CVE-2026-46547 (NocoDB) is a reflected XSS in the Page Leaving Warning page. The issue arises because the query parameters ncRedirectUrl and ncBackUrl are used in window.location.href and in an tag href without proper validation, allowing javascript: URI injection. Exploitation could enable arbi...

CVE-2026-47376

CVE-2026-47376 (NocoDB) describes a reflected XSS on the password-reset flow. Before 2026.04.1, the token from the password-reset URL was directly embedded into a JavaScript string in a server-rendered EJS template, which does not escape single quotes or backslashes. This allowed an attacker-cont...

CVE-2026-47383

CVE-2026-47383 affects NocoDB prior to 2026.05.1, where an authenticated commenter could store HTML in row comments that executed as script when other users hovered over the comment in the expanded form view. The root cause is that write paths persisted the raw comment body with no server-side sa...