PT-2026-23841
The DA Media GigList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's damedia giglist shortcode in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2026-27354
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in WebCodingPlace WooCommerce Coming Soon Product with Countdown woo-coming-soon-product allows Stored XSS. This issue affects WooCommerce Coming Soon Product with Countdown: from n/a through <= 5.0...
GHSA-XRCR-GMF5-2R8J Gogs: Stored XSS via data URI in issue comments
Summary: A Stored Cross-site Scripting (XSS) vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI schemes, enabling authenticated users to inject arbitrary JavaScript execution via malicious links. Details: The...
EUVD-2026-9680
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in ThemeREX Global Logistics globallogistics allows PHP Local File Inclusion. This issue affects Global Logistics: from n/a through <= 3.20...
CVE-2026-28109
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in LambertGroup LambertGroup - AllInOne - Content Slider all-in-one-contentSlider allows Reflected XSS. This issue affects LambertGroup - AllInOne - Content Slider: from n/a through <= 3.8...
CVE-2026-28091
CVE-2026-28091 affects the WordPress Theme Coleo (ThemeREX) up to version 1.1.7, exposing an unauthenticated Local File Inclusion via improper control of the filename in PHP Include/Require statements. Public reports from multiple sources identify this vulnerability class and assign a high risk (...
CVE-2026-22467 WordPress DeepDigital theme <= 1.0.2 - Reflected Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in mwtemplates DeepDigital deepdigital allows Reflected XSS. This issue affects DeepDigital: from n/a through <= 1.0.2...
CVE-2026-3034 OoohBoi Steroids for Elementor <= 2.1.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple URL Controls
The OoohBoi Steroids for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the obspaceratlink, obbbadlink, and obteleporterlink URL parameters in all versions up to, and including, 2.1.24. This makes it possible for authenticated attackers, with Contributor-level...
WordPress plugin Theatre cross-site scripting vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
CVE-2026-1434
Omega-PSIR is vulnerable to Reflected XSS via the lang parameter. An attacker can craft a malicious URL that, when opened, causes arbitrary JavaScript to execute in the victim’s browser. This issue was fixed in 4.6.7...
CVE-2026-2383
The Simple Download Monitor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access...
CVE-2026-27974 Audiobookshelf Vulnerable to Stored XSS in WrappingMarquee.js via Audiobook Metadata (Mobile App Audio Player)
Audiobookshelf is a self-hosted audiobook and podcast server. A cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modificatio...
n8n Vulnerable to Stored XSS via Various Nodes
Impact: An authenticated user with permission to create or modify workflows could inject arbitrary scripts into pages rendered by the n8n application using different techniques on various nodes (Form Trigger node, Chat Trigger node, Send & Wait node, Webhook Node, and Chat Node). Scripts injected by...
GHSA-8WPV-6X3F-3RM5 Rucio WebUI has a Stored Cross-site Scripting (XSS) vulnerability in its Identity Name
Summary: A stored Cross-site Scripting (XSS) vulnerability was identified in the Identity Name of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the Web...
CVE-2026-3070
A vulnerability was detected in SourceCodester Modern Image Gallery App 1.0. Affected by this vulnerability is an unknown functionality of the file upload.php. The manipulation of the argument filename results in cross site scripting. The attack may be launched remotely. The exploit is now public...
CVE-2025-67733 Valkey Affected by RESP Protocol Injection via Lua error_reply
Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same...
CVE-2025-40986
CVE-2025-40986 is a reflected XSS vulnerability in PideTuCita. The flaw enables an attacker to inject JavaScript via a crafted URL targeting the endpoint cookies/indes.php/, potentially allowing theft of session data or unintended actions on behalf of the user. The CVSS metrics indicate Network a...
CVE-2026-23613
GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the URI DNS Blocklist configuration page. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$TXBURIs parameter to...
CVE-2025-67990 WordPress GMap Targeting plugin <= 1.1.7 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in RealMag777 GMap Targeting gmap-targeting allows Reflected XSS. This issue affects GMap Targeting: from n/a through <= 1.1.7...
CVE-2025-60183 WordPress Silencesoft RSS Reader Plugin <= 0.6 - Cross Site Scripting (XSS) Vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in silence Silencesoft RSS Reader external-rss-reader allows Stored XSS. This issue affects Silencesoft RSS Reader: from n/a through <= 0.6...