130 matches found
CVE-2025-70297
A stored cross-site scripting XSS vulnerability in the recipe asset upload and media serving component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary web script or HTML via an uploaded SVG file that is served as image/svg+xml and rendered by a victim s browser...
Moodle vulnerable to Cross-site Scripting
A flaw was found in Moodle. A remote attacker could exploit a reflected Cross-Site Scripting XSS vulnerability in the policy tool return URL. This vulnerability arises from insufficient sanitization of URL parameters, allowing attackers to inject malicious scripts through specially crafted links...
WordPress plugin Seriously Simple Podcasting 安全漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application plugin. The WordPre...
CVE-2026-25144 Talishar has a Stored XSS which can lead to data exfiltration & user impersonation
Talishar is a fan-made Flesh and Blood project. A Stored XSS exists in the chat in-game system. The playerID parameter in SubmitChat.php and is saved without sanitization and executed whenever a user view the current page game. This vulnerability is fixed by 09dd00e5452e3cd998eb1406a88e5b0fa868e6...
📄 WP Flash Player 1.3 Cross Site Scripting
Multiple cross site scripting vulnerabilities exist in WP Flash Player WordPress Plugin version 1.3. This issue is older research added to the archive. WP Flash Player 1.3 - Multiple Cross-site Scripting Advisory ID: RO-15-011 Severity: High Vendor: WordPress Product: WP Flash Player Version: 1.3...
Podcast Generator security vulnerabilities
Podcast Generator is an open-source set of free podcast publishing scripts written in PHP language. Version 3.2.9 of Podcast Generator has a security vulnerability, which stems from a storage-type XSS vulnerability in the function for creating new live projects. This vulnerability could allow for...
PT-2026-4650
SeaCMS 11.1 contains a stored cross-site scripting vulnerability in the checkuser parameter of the admin settings page. Attackers can inject malicious JavaScript payloads that will execute in users' browsers when the page is loaded...
CVE-2026-1146
A vulnerability has been found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this issue is some unknown functionality of the file /php/apiregisterpatient.php. Such manipulation of the argument firstName/lastName leads to cross site scripting. The...
CVE-2021-47839
Marky 0.0.1 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into markdown files. Attackers can upload crafted markdown files with embedded JavaScript payloads that execute when the file is opened, potentially enabling remote code executio...
PT-2026-3057
Tagstoo 2.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious payloads through files or custom tags. Attackers can execute arbitrary JavaScript code to spawn system processes, access files, and perform remote code execution on the victim's computer...
CVE-2025-15204 SohuTV CacheCloud QuartzManageController.java doQuartzList cross site scripting
A vulnerability was determined in SohuTV CacheCloud up to 3.2.0. Affected is the function doQuartzList of the file src/main/java/com/sohu/cache/web/controller/QuartzManageController.java. Executing manipulation can lead to cross site scripting. It is possible to launch the attack remotely. The...
PT-2025-53798
Name of the Vulnerable Software and Affected Versions Hiroaki Miyashita Custom Field Template versions through 2.7.5 Description The software contains a flaw due to improper neutralization of input during web page generation, leading to a Stored Cross-site Scripting issue. This allows for the...
CVE-2025-8769
Telenium Online Web Application is vulnerable due to a Perl script that is called to load the login page. Due to improper input validation, an attacker can inject arbitrary Perl code through a crafted HTTP request, leading to remote code execution on the server...
PT-2025-52318
Name of the Vulnerable Software and Affected Versions TinyWebGallery version 2.5 Description TinyWebGallery version 2.5 has a stored cross-site scripting issue. Authenticated attackers can inject malicious scripts through the folder name parameter. Attackers can modify album folder names with...
EUVD-2025-203567
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Gal Dubinski Stars Testimonials stars-testimonials-with-slider-and-masonry-grid allows Stored XSS.This issue affects Stars Testimonials: from n/a through = 3.3.4...
CVE-2025-13355
The URL Shortify WordPress plugin before 1.11.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
WBCE CMS 安全漏洞
WBCE CMS is a PHP and MySQL based open source content management system CMS from WBCE CMS Open Source. A security vulnerability exists in WBCE CMS version 1.6.1, which stems from a cross-site scripting vulnerability that could allow an attacker to upload malicious HTML files and capture user...
CVE-2025-67341
jshERP versions 3.5 and earlier are affected by a stored XSS vulnerability. This vulnerability allows attackers to upload PDF files containing XSS payloads. Additionally, these PDF files can be accessed via static URLs, making them accessible to all users...
CVE-2025-13072
The HandL UTM Grabber / Tracker WordPress plugin (versions prior to 2.8.1) is affected by CVE-2025-13072 due to improper sanitization/escaping of a parameter before it is reflected back on the page, enabling a Reflected XSS that could target high-privilege users such as admins. The issue is confi...
CVE-2025-13896
The Social Feed Gallery Portfolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the igp-wp shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...