91166 matches found
CVE-2026-54093
CVE-2026-54093 affects File Browser prior to v2.63.6, where archive entry names for zip/tar are built using Windows-style backslashes. On Linux, backslashes are preserved in names, allowing a Windows-style traversal like ....\evil.txt to be written on disk and then emitted verbatim in the archive...
CVE-2026-48940
A Joomla user with K2 "create item" rights Author tier by default can submit an article whose embedVideo POST field contains a raw tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page...
CVE-2026-48940 Joomla Extension - getk2.com - Stored-XSS in K2 extension for Joomla < 2.26
A Joomla user with K2 "create item" rights Author tier by default can submit an article whose embedVideo POST field contains a raw tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page...
CVE-2026-48942 Joomla Extension - getk2.com - Stored-XSS in K2 extension for Joomla < 2.26
K2 ≤ 2.26 renders the k2users.image column directly into HTML src attributes via two distinct templates, in both cases without HTML escaping...
CVE-2026-48942 Joomla Extension - getk2.com - Stored-XSS in K2 extension for Joomla < 2.26
K2 ≤ 2.26 renders the k2users.image column directly into HTML src attributes via two distinct templates, in both cases without HTML escaping...
CVE-2026-57534
Summary: CVE-2026-57534 affects the pretix-pages plugin, where malicious HTML content can be injected into a page’s content, causing a stored XSS condition. The root cause is described as unsafe handling of page content within the plugin; exploitation details are not provided beyond the stored-XS...
CVE-2026-13314
Summary (CVE-2026-13314) : The issue is a Stored XSS in the pretix-digital plugin. Malicious HTML content can be injected into content rendered by the plugin, enabling an attacker to influence client-side content in the affected flow. Connected records (NVD and CVE list) concur on the same descri...
CVE-2026-13314 Stored XSS in pretix-digital
Malicious HTML content could be injected into the content rendered by the pretix-digital plugin...
CVE-2026-5305
The Email Address Encoder WordPress plugin before 1.0.25, email-encoder-premium WordPress plugin before 0.3.12 does not properly handle email replacement, which could allow unauthenticated users to perform Stored XSS attacks...
CVE-2026-5305 Email Address Encoder (Free < 1.0.25, Premium < 0.3.12) - Unauthenticated Stored XSS
The Email Address Encoder WordPress plugin before 1.0.25, email-encoder-premium WordPress plugin before 0.3.12 does not properly handle email replacement, which could allow unauthenticated users to perform Stored XSS attacks...
CVE-2026-5305
The CVE-2026-5305 issue affects the WordPress plugins Email Address Encoder (free) prior to 1.0.25 and Email Encoder Premium prior to 0.3.12. The root cause is improper handling of email replacement, which can allow unauthenticated attackers to perform Stored XSS. Impact per sources is high (CVE-...
WordPress Core <6.5.2 - Cross-Site Scripting
WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. id: CVE-2024-4439 info: name: WordPress Core 6.5.2 - Cross-Site Scripting author: nqdung2002 severity: hi...
SEH utnserver Pro/ProMAX/INU-100 20.1.22 - Cross-Site Scripting
A vulnerability was found in utnserver Pro, utnserver ProMAX, and INU-100 version 20.1.22 and earlier, affecting the device description parameter in the web interface. This flaw allows stored cross-site scripting XSS, enabling attackers to inject JavaScript code. The attack can be executed remote...
WBCE CMS v1.5.4 - Cross Site Scripting (Stored)
A cross-site scripting XSS vulnerability in /admin/settings/save.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website Footer field. id: CVE-2022-45038 info: name: WBCE CMS v1.5.4 - Cross Site Scripting Stored author:...
osTicket < 1.12.1 - Cross-Site Scripting
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. Stored XSS exists in setup/install.php. It was observed that no input sanitization was provided in the firstname and lastname fields of the application. The insertion of malicious queries in those fields leads to the...
Microweber <1.2.12 - Stored Cross-Site Scripting
Microweber prior to 1.2.12 contains a stored cross-site scripting vulnerability. It allows unrestricted upload of XML files,. id: CVE-2022-0963 info: name: Microweber 1.2.12 - Stored Cross-Site Scripting author: amit-jd severity: medium description: | Microweber prior to 1.2.12 contains a stored...
Backdrop CMS version 1.23.0 - Stored Cross Site Scripting
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting XSS vulnerability via the 'Card' content. id: CVE-2022-42094 info: name: Backdrop CMS version 1.23.0 - Stored Cross Site Scripting author: theamanrawat severity: medium description: | Backdrop CMS version 1.23.0 w...
Limit Login Attempts - Stored Cross-Site Scripting
Limit Login Attempts WordPress plugin 4.0.72 contains a stored cross-site scripting caused by unsanitized and unescaped settings, letting malicious administrators inject Javascript code, exploit requires administrator privileges. id: CVE-2022-1029 info: name: Limit Login Attempts - Stored...
Limit Login Attempts WordPress - Stored Cross-site Scripting
Limit Login Attempts WordPress plugin 4.0.50 contains a stored cross-site scripting caused by not escaping IP addresses controlled via headers like X-Forwarded-For before outputting them in reports, letting unauthenticated attackers execute scripts in admin context. id: CVE-2021-24657 info: name:...
Duplicate Page WordPress - Stored Cross-Site Scripting
Duplicate Page WordPress plugin = 4.4.2 contains a stored cross-site scripting caused by unsanitized Duplicate Post Suffix settings in output, letting high privilege users execute malicious scripts, exploit requires high privilege user role. id: CVE-2021-24681 info: name: Duplicate Page WordPress...