Lucene search
K

91977 matches found

CVE
CVE
added yesterday14 views

CVE-2026-54458

CVE-2026-54458 (AVideo YPTSocket XSS) affects WWBN’s AVideo with the YPTSocket plugin (versions prior to 29.0). The vulnerability is an unauthenticated stored DOM XSS: getWebSocket.json.php issues a signed WebSocket token; MessageSQLiteV2::onOpen reads webSocketSelfURI and page_title from the Web...

9.6CVSS6.3AI score
Exploits0References2
CVE
CVE
added yesterday22 views

CVE-2026-49279

CVE-2026-49279 (WWBN AVideo) describes a stored XSS in the WebSocket messaging system. The vulnerability arises because MessageSQLite.php only strips autoEvalCodeOnHTML from json["msg"], while msgToResourceId() favors json over msg, allowing an attacker to place the payload in json and bypass san...

7.7CVSS6.3AI score0.0013EPSS
Exploits0References2
CVE
CVE
added yesterday13 views

CVE-2026-45738

CVE-2026-45738 : Argo CD contains a Stored XSS in link.argocd.argoproj.io/* annotations that can be rendered as anchor href values in the Summary tab, enabling javascript: execution for a higher-privileged user in the origin session when there is application write access. This is fixed in Argo CD...

7.3CVSS6.2AI score0.00037EPSS
Exploits0References7
CVE
CVE
added yesterday7 views

CVE-2026-49867

DataEase (open source data visualization tool) contains an authenticated stored XSS in template static resources prior to version 2.10.23. The flaw occurs when authenticated users submit TemplateManageRequest.staticResource via POST /de2api/templateManage/save or via DataVisualizationServer.decom...

6.3CVSS6.1AI score0.00032EPSS
Exploits0References3
CVE
CVE
added yesterday9 views

CVE-2026-45535

DataEase (open source data visualization/analysis tool) contains a stored SQL injection in SQL-type datasets prior to version 2.10.23. The vulnerability arises because attacker-controlled SQL variable defaultValue entries (e.g., ${var}) are stored and SqlparserUtils.handleVariableDefaultValue() i...

8.7CVSS6.1AI score0.00017EPSS
Exploits0References3
CVE
CVE
added yesterday11 views

CVE-2026-62378

RustFS Console is affected in versions 0.1.7–0.1.10. The vulnerability lies in the components/object/preview-modal.tsx and components/object/pdf-viewer.tsx extension-based PDF preview path, which can render HTML content uploaded as .pdf, enabling a stored XSS in the management console. This can l...

9CVSS6AI score
Exploits0References3
CVE
CVE
added yesterday9 views

CVE-2026-1562

The CVE-2026-1562 entry concerns Pega Platform versions 8.1.0 through 25.1.2 with a Stored Cross‑site Scripting (XSS) vulnerability in a user interface component. The flaw arises in a UI component and requires a high-privilege user with a developer role to exploit. Affected versions and impact ar...

4.6CVSS6.1AI score
Exploits0References1
Cvelist
Cvelist
added yesterday9 views

CVE-2026-1562 Pega Platform versions 8.1.0 through 25.1.2 are affected by an Stored Cross-site scripting (XSS) vulnerability in a user interface component. Requires a high privileged user with a developer role.

Pega Platform versions 8.1.0 through 25.1.2 are affected by an Stored Cross-site scripting XSS vulnerability in a user interface component. Requires a high privileged user with a developer role...

4.6CVSS
Exploits0References1
OSV
OSV
added yesterday7 views

BIT-PROMETHEUS-2026-40179 Prometheus: Stored XSS via metric names and label values in web UI tooltips and metrics explorer

Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into innerHTML without...

6.1CVSS5.9AI score0.0024EPSS
Exploits0References4
NVD
NVD
added yesterday3 views

CVE-2026-56398

Open WebUI before 0.9.5 contains a stored cross-site scripting vulnerability in the OAuth authentication flow where the picture claim URL MIME type is inferred from file extension rather than Content-Type header, allowing SVG files to bypass the profile image validator and be stored as data URIs...

8.5CVSS
Exploits0References2
Cvelist
Cvelist
added yesterday8 views

CVE-2026-58077 Joomla Extension - weeblr.com - Unauthenticated stored XSS in 4Analytics < 5.0.2

The Joomla extension 4Analytics is vulnerable to an unauthenticated stored XSS. A specially crafted unauthenticated request may result in website takeover under some circumstances...

8.7CVSS0.00418EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-58077

The Joomla extension 4Analytics is vulnerable to an unauthenticated stored XSS. A specially crafted unauthenticated request may result in website takeover under some circumstances...

8.7CVSS6.1AI score0.00418EPSS
Exploits0References2Affected Software1
Nuclei
Nuclei
added yesterday88 views

Rukovoditel <= 3.2.1 - Cross Site Scripting

A stored cross-site scripting XSS vulnerability in the Global Variables feature /index.php?module=globalvars/vars of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Value parameter after clicking "Create". id:...

5.4CVSS6.3AI score0.00874EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday54 views

Limit Login Attempts WordPress - Stored Cross-site Scripting

Limit Login Attempts WordPress plugin 4.0.50 contains a stored cross-site scripting caused by not escaping IP addresses controlled via headers like X-Forwarded-For before outputting them in reports, letting unauthenticated attackers execute scripts in admin context. id: CVE-2021-24657 info: name:...

6.1CVSS6.4AI score0.01595EPSS
Exploits2References2
Nuclei
Nuclei
added yesterday65 views

WBCE CMS v1.5.4 - Cross Site Scripting (Stored)

A cross-site scripting XSS vulnerability in /admin/settings/save.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website Footer field. id: CVE-2022-45038 info: name: WBCE CMS v1.5.4 - Cross Site Scripting Stored author:...

5.4CVSS6.3AI score0.01024EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday74 views

Rukovoditel <= 3.2.1 - Cross Site Scripting

Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting XSS vulnerability in the Add Announcement function at /index.php?module=helppages/pages&entitiesid=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the...

5.4CVSS6.4AI score0.01046EPSS
Exploits1References4
Nuclei
Nuclei
added yesterday83 views

Duplicate Page WordPress - Stored Cross-Site Scripting

Duplicate Page WordPress plugin = 4.4.2 contains a stored cross-site scripting caused by unsanitized Duplicate Post Suffix settings in output, letting high privilege users execute malicious scripts, exploit requires high privilege user role. id: CVE-2021-24681 info: name: Duplicate Page WordPress...

4.8CVSS6.1AI score0.0087EPSS
Exploits2References3
Nuclei
Nuclei
added yesterday7 views

Payara Server - Cross-Site Scripting

Payara Server versions 4.1.2.191.54, 5.83.0, 6.34.0, and 7.2026.1 contain a stored XSS vulnerability caused by improper input sanitization in the REST Management Interface. This allows attackers to mislead administrators into changing the admin password via a URL payload; however, the exploit...

9.3CVSS6.1AI score0.01002EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday22 views

Popup4Phone <= 1.3.2 - Unauthenticated Stored Cross-Site Scripting

Popup4Phone WordPress plugin through 1.3.2 contains a reflected cross-site scripting caused by unsanitized parameters, letting unauthenticated users execute scripts in admin browsers, exploit requires sending crafted requests. id: CVE-2024-3231 info: name: Popup4Phone = 1.3.2 - Unauthenticated...

6.1CVSS6.1AI score0.00684EPSS
Exploits2References2
Nuclei
Nuclei
added yesterday23 views

LiteSpeed Cache <= 6.5.0.2 - Stored XSS

LiteSpeed Technologies LiteSpeed Cache versions up to 6.5.0.2 contain a stored cross-site scripting caused by improper input neutralization during web page generation, letting attackers execute malicious scripts in victim browsers, exploit requires storing malicious input. id: CVE-2024-47374 info...

7.1CVSS6.1AI score0.0138EPSS
Exploits0References2
Rows per page
Query Builder