Lucene search
K

90143 matches found

OSV
OSV
added 3 hours ago1 views

GHSA-XVHC-GM7J-MHMC Shopware: Stored XSS via SVG file upload — no SVG sanitization

SVG files are in the allowedextensions whitelist and can be uploaded by any admin user via the media manager. There is zero SVG content sanitization anywhere in the upload pipeline. A malicious SVG with JavaScript onload, , executes in the context of the Shopware domain when accessed. The Problem...

4.9CVSS
Exploits0References4
CVE
CVE
added 3 hours ago5 views

CVE-2026-41518

Chartbrew (versions 4.9.0–5.0.0) is affected by a stored DOM XSS in the ChartTooltip rendering path. An authenticated user with project-editor permissions can store arbitrary HTML/JavaScript in ChartDatasetConfig.legend, which is persisted and injected into the tooltip via an unguarded innerHTML ...

7.6CVSS6AI score
Exploits0References1
Github Security Blog
Github Security Blog
added 4 hours ago2 views

WWBN AVideo: Unauthenticated Stored DOM Cross-Site Scripting via Per-Client Metadata Broadcast in YPTSocket Plugin

Unauthenticated Stored DOM XSS via pagetitle Broadcast in AVideo YPTSocket Plugin Summary A stored DOM Cross-Site Scripting vulnerability CWE-79 in the AVideo YPTSocket plugin lets any unauthenticated remote attacker execute arbitrary JavaScript in the authenticated origin of every administrator...

6.2AI score
Exploits0References3Affected Software1
OSV
OSV
added 4 hours ago1 views

GHSA-8WHC-2WMV-WW35 WWBN AVideo: Unauthenticated Stored DOM Cross-Site Scripting via Per-Client Metadata Broadcast in YPTSocket Plugin

Unauthenticated Stored DOM XSS via pagetitle Broadcast in AVideo YPTSocket Plugin Summary A stored DOM Cross-Site Scripting vulnerability CWE-79 in the AVideo YPTSocket plugin lets any unauthenticated remote attacker execute arbitrary JavaScript in the authenticated origin of every administrator...

9.6CVSS
Exploits0References3
Github Security Blog
Github Security Blog
added 4 hours ago3 views

WWBN AVideo: Stored XSS via autoEvalCodeOnHTML Bypass in MessageSQLite WebSocket Handler (CVE-2026-43874 Bypass)

AVideo: Stored XSS via autoEvalCodeOnHTML in MessageSQLite WebSocket Handler Summary AVideo has a stored XSS vulnerability in the WebSocket messaging system. The MessageSQLite.php handler only strips autoEvalCodeOnHTML from $json'msg', but msgToResourceId reads from $msg'json' with higher priorit...

7.2CVSS6AI score0.00023EPSS
Exploits0References3Affected Software1
OSV
OSV
added 4 hours ago1 views

GHSA-C8H8-VQ34-9FW2 WWBN AVideo: Stored XSS via unescaped Gallery category description

Summary AVideo stores category descriptions from user input and later renders categorydescription as raw HTML in the Gallery view. A user who can create or edit categories can store JavaScript in a category description, which executes when another user views the affected Gallery/category page. Th...

5.4CVSS0.00035EPSS
Exploits1References3
EUVD
EUVD
added 4 hours ago11 views

EUVD-2026-33304

WWBN AVideo: Stored XSS via unescaped Gallery category description...

5.4CVSS5.8AI score0.00035EPSS
Exploits1References2
NVD
NVD
added 4 hours ago6 views

CVE-2025-67448

The SMS module in Neterbit NW-431F Router 20241014-IR03 and before is vulnerable to stored XSS. The application does not properly sanitize user input in SMS messages before storing and displaying them. An attacker can send an SMS containing a malicious XSS payload, which will be executed in the...

7.1CVSS
Exploits0References2
Cvelist
Cvelist
added 8 hours ago5 views

CVE-2026-43984 Tautulli has stored XSS in logFile via guest-controlled log_js_errors input

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose logjserrors to any authenticated user, including guest users when guest access is enabled. The endpoint writes attacker-controlled strings directly into the main application log. The...

8.9CVSS
Exploits0References2
NVD
NVD
added 8 hours ago4 views

CVE-2019-25737

Live Chat Unlimited 2.8.3 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the chat input field. Attackers can submit payloads containing script tags and event handlers that execute in the admin area, enabling cookie...

7.2CVSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 9 hours ago2 views

CVE-2019-25743

WordPress Soliloquy Lite 2.5.6 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by inserting script tags in the post title field. Attackers can submit POST requests to the post editing endpoint with script payloads in the...

6.4CVSS5.6AI score
Exploits0References4Affected Software1
Vulnrichment
Vulnrichment
added 9 hours ago2 views

CVE-2019-25743 WordPress Soliloquy Lite 2.5.6 Persistent Cross-Site Scripting

WordPress Soliloquy Lite 2.5.6 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by inserting script tags in the post title field. Attackers can submit POST requests to the post editing endpoint with script payloads in the...

6.4CVSS5.6AI score
Exploits0References4
EUVD
EUVD
added 9 hours ago4 views

EUVD-2019-20175

GigToDo 1.3 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript and HTML code through the proposal description field. Attackers can craft XSS payloads in the createproposal endpoint that execute when administrators or other...

6.4CVSS5.7AI score
Exploits0References4
Vulnrichment
Vulnrichment
added 9 hours ago3 views

CVE-2019-25737 Live Chat Unlimited 2.8.3 Stored Cross-Site Scripting

Live Chat Unlimited 2.8.3 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the chat input field. Attackers can submit payloads containing script tags and event handlers that execute in the admin area, enabling cookie...

7.2CVSS5.7AI score
Exploits0References4
Cvelist
Cvelist
added 9 hours ago4 views

CVE-2019-25737 Live Chat Unlimited 2.8.3 Stored Cross-Site Scripting

Live Chat Unlimited 2.8.3 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the chat input field. Attackers can submit payloads containing script tags and event handlers that execute in the admin area, enabling cookie...

7.2CVSS
Exploits0References4
Nuclei
Nuclei
added 19 hours ago30 views

Microweber <1.2.12 - Stored Cross-Site Scripting

Microweber prior to 1.2.12 contains a stored cross-site scripting vulnerability. It allows unrestricted upload of XML files,. id: CVE-2022-0963 info: name: Microweber 1.2.12 - Stored Cross-Site Scripting author: amit-jd severity: medium description: | Microweber prior to 1.2.12 contains a stored...

5.7CVSS6AI score0.08256EPSS
Exploits1References5
Nuclei
Nuclei
added 19 hours ago32 views

WBCE CMS v1.5.4 - Cross Site Scripting (Stored)

A cross-site scripting XSS vulnerability in /admin/settings/save.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website Footer field. id: CVE-2022-45038 info: name: WBCE CMS v1.5.4 - Cross Site Scripting Stored author:...

5.4CVSS6.2AI score0.0304EPSS
Exploits1References3
Nuclei
Nuclei
added 19 hours ago25 views

Rukovoditel <= 3.2.1 - Cross Site Scripting

A stored cross-site scripting XSS vulnerability in the Dashboard Configuration feature index.php?module=dashboardconfigure/index of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter after clicking "Ad...

5.4CVSS6.2AI score0.05444EPSS
Exploits1References3
Nuclei
Nuclei
added 19 hours ago32 views

Rukovoditel <= 2.7.2 - Cross Site Scripting

A stored cross site scripting XSS vulnerability in the 'Users Alerts' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Title' parameter. id: CVE-2020-35984 info: name: Rukovoditel = 2.7.2 - Cross Site...

5.4CVSS5.8AI score0.01648EPSS
Exploits1References3
Nuclei
Nuclei
added 19 hours ago30 views

ChurchCRM 4.5.3 - Cross-Site Scripting

A stored Cross-site scripting XSS vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the NoteEditor.php. id: CVE-2023-26843 info: name: ChurchCRM 4.5.3 - Cross-Site Scripting author: Harsh severity: medium description: | A stored Cross-site scripti...

5.4CVSS6.2AI score0.11478EPSS
Exploits1References5
Rows per page
Query Builder