91977 matches found
CVE-2026-54458
CVE-2026-54458 (AVideo YPTSocket XSS) affects WWBN’s AVideo with the YPTSocket plugin (versions prior to 29.0). The vulnerability is an unauthenticated stored DOM XSS: getWebSocket.json.php issues a signed WebSocket token; MessageSQLiteV2::onOpen reads webSocketSelfURI and page_title from the Web...
CVE-2026-49279
CVE-2026-49279 (WWBN AVideo) describes a stored XSS in the WebSocket messaging system. The vulnerability arises because MessageSQLite.php only strips autoEvalCodeOnHTML from json["msg"], while msgToResourceId() favors json over msg, allowing an attacker to place the payload in json and bypass san...
CVE-2026-45738
CVE-2026-45738 : Argo CD contains a Stored XSS in link.argocd.argoproj.io/* annotations that can be rendered as anchor href values in the Summary tab, enabling javascript: execution for a higher-privileged user in the origin session when there is application write access. This is fixed in Argo CD...
CVE-2026-49867
DataEase (open source data visualization tool) contains an authenticated stored XSS in template static resources prior to version 2.10.23. The flaw occurs when authenticated users submit TemplateManageRequest.staticResource via POST /de2api/templateManage/save or via DataVisualizationServer.decom...
CVE-2026-45535
DataEase (open source data visualization/analysis tool) contains a stored SQL injection in SQL-type datasets prior to version 2.10.23. The vulnerability arises because attacker-controlled SQL variable defaultValue entries (e.g., ${var}) are stored and SqlparserUtils.handleVariableDefaultValue() i...
CVE-2026-62378
RustFS Console is affected in versions 0.1.7–0.1.10. The vulnerability lies in the components/object/preview-modal.tsx and components/object/pdf-viewer.tsx extension-based PDF preview path, which can render HTML content uploaded as .pdf, enabling a stored XSS in the management console. This can l...
CVE-2026-1562
The CVE-2026-1562 entry concerns Pega Platform versions 8.1.0 through 25.1.2 with a Stored Cross‑site Scripting (XSS) vulnerability in a user interface component. The flaw arises in a UI component and requires a high-privilege user with a developer role to exploit. Affected versions and impact ar...
CVE-2026-1562 Pega Platform versions 8.1.0 through 25.1.2 are affected by an Stored Cross-site scripting (XSS) vulnerability in a user interface component. Requires a high privileged user with a developer role.
Pega Platform versions 8.1.0 through 25.1.2 are affected by an Stored Cross-site scripting XSS vulnerability in a user interface component. Requires a high privileged user with a developer role...
BIT-PROMETHEUS-2026-40179 Prometheus: Stored XSS via metric names and label values in web UI tooltips and metrics explorer
Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into innerHTML without...
CVE-2026-56398
Open WebUI before 0.9.5 contains a stored cross-site scripting vulnerability in the OAuth authentication flow where the picture claim URL MIME type is inferred from file extension rather than Content-Type header, allowing SVG files to bypass the profile image validator and be stored as data URIs...
CVE-2026-58077 Joomla Extension - weeblr.com - Unauthenticated stored XSS in 4Analytics < 5.0.2
The Joomla extension 4Analytics is vulnerable to an unauthenticated stored XSS. A specially crafted unauthenticated request may result in website takeover under some circumstances...
CVE-2026-58077
The Joomla extension 4Analytics is vulnerable to an unauthenticated stored XSS. A specially crafted unauthenticated request may result in website takeover under some circumstances...
Rukovoditel <= 3.2.1 - Cross Site Scripting
A stored cross-site scripting XSS vulnerability in the Global Variables feature /index.php?module=globalvars/vars of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Value parameter after clicking "Create". id:...
Limit Login Attempts WordPress - Stored Cross-site Scripting
Limit Login Attempts WordPress plugin 4.0.50 contains a stored cross-site scripting caused by not escaping IP addresses controlled via headers like X-Forwarded-For before outputting them in reports, letting unauthenticated attackers execute scripts in admin context. id: CVE-2021-24657 info: name:...
WBCE CMS v1.5.4 - Cross Site Scripting (Stored)
A cross-site scripting XSS vulnerability in /admin/settings/save.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website Footer field. id: CVE-2022-45038 info: name: WBCE CMS v1.5.4 - Cross Site Scripting Stored author:...
Rukovoditel <= 3.2.1 - Cross Site Scripting
Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting XSS vulnerability in the Add Announcement function at /index.php?module=helppages/pages&entitiesid=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the...
Duplicate Page WordPress - Stored Cross-Site Scripting
Duplicate Page WordPress plugin = 4.4.2 contains a stored cross-site scripting caused by unsanitized Duplicate Post Suffix settings in output, letting high privilege users execute malicious scripts, exploit requires high privilege user role. id: CVE-2021-24681 info: name: Duplicate Page WordPress...
Payara Server - Cross-Site Scripting
Payara Server versions 4.1.2.191.54, 5.83.0, 6.34.0, and 7.2026.1 contain a stored XSS vulnerability caused by improper input sanitization in the REST Management Interface. This allows attackers to mislead administrators into changing the admin password via a URL payload; however, the exploit...
Popup4Phone <= 1.3.2 - Unauthenticated Stored Cross-Site Scripting
Popup4Phone WordPress plugin through 1.3.2 contains a reflected cross-site scripting caused by unsanitized parameters, letting unauthenticated users execute scripts in admin browsers, exploit requires sending crafted requests. id: CVE-2024-3231 info: name: Popup4Phone = 1.3.2 - Unauthenticated...
LiteSpeed Cache <= 6.5.0.2 - Stored XSS
LiteSpeed Technologies LiteSpeed Cache versions up to 6.5.0.2 contain a stored cross-site scripting caused by improper input neutralization during web page generation, letting attackers execute malicious scripts in victim browsers, exploit requires storing malicious input. id: CVE-2024-47374 info...