Lucene search
K

136 matches found

Positive Technologies
Positive Technologies
added 2026/03/10 12:0 a.m.5 views

PT-2026-24417

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Stored XSS vulnerabilities exist in the Commerce Inventory page. The Product Title, Variant Title, and Variant SKU fields are rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript when any...

8.6CVSS6AI score0.00204EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/03/07 1:21 a.m.29 views

CVE-2026-1902 Hammas Calendar <= 1.5.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'apix' Shortcode Attribute

The Hammas Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'apix' parameter in the 'hp-calendar-manage-redirect' shortcode in all versions up to, and including, 1.5.11 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS0.00197EPSS
Exploits0References4
CVE
CVE
added 2026/03/02 10:23 p.m.21 views

CVE-2026-2583

The CVE describes a Stored Cross-Site Scripting issue in the Blocksy theme for WordPress, affecting versions up to 2.1.30. The vulnerability arises from insufficient input sanitization and output escaping in the blocksy_meta fields, allowing authenticated attackers with Contributor-level access a...

6.4CVSS6AI score0.00194EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/02/27 9:23 a.m.8 views

CVE-2025-14142 Electric Enquiries <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'button' Shortcode Attribute

The Electric Enquiries plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button' parameter of the electric-enquiry shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS6AI score0.0024EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/02/20 2:23 a.m.29 views

CVE-2026-2384 Quiz Maker <= 6.7.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Quiz Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's vcquizmaker shortcode in all versions up to, and including, 6.7.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

6.4CVSS0.00227EPSS
Exploits0References3
NVD
NVD
added 2026/02/19 6:24 p.m.7 views

CVE-2026-23613

GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the URI DNS Blocklist configuration page. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$TXBURIs parameter to...

5.4CVSS0.00163EPSS
Exploits0References2
NVD
NVD
added 2026/02/18 11:16 p.m.10 views

CVE-2026-24745

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting XSS vulnerability occurs in the upload Login Logo functions of InvoicePlane version 1.7.0. In the Upload Login Logo, the application allows uploading svg files. Althou...

7.5CVSS0.0022EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/02/18 8:59 p.m.26 views

CVE-2019-25399 IPFire 2.21 Core Update 127 Stored XSS via extrahd.cgi

IPFire 2.21 Core Update 127 contains multiple stored cross-site scripting vulnerabilities in the extrahd.cgi script that allow attackers to inject malicious scripts through the FS, PATH, and UUID parameters. Attackers can submit POST requests with script payloads in these parameters to execute...

6.4CVSS0.00232EPSS
Exploits1References4
Cvelist
Cvelist
added 2026/02/18 9:25 a.m.38 views

CVE-2025-11185 Complianz | GDPR/CCPA Cookie Consent <= 7.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cmplz-accept-link shortcode in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

6.4CVSS0.00245EPSS
Exploits0References3
NVD
NVD
added 2026/02/14 9:16 a.m.7 views

CVE-2026-0550

The myCred plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mycredloadcoupon' shortcode in all versions up to, and including, 2.9.7.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

6.4CVSS0.00152EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/02/12 12:31 p.m.27 views

CVE-2026-1316 Customer Reviews for WooCommerce <= 5.97.0 - Unauthenticated Stored Cross-Site Scripting via media[].href Parameter

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'media.href' parameter in all versions up to, and including, 5.97.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers if...

7.2CVSS0.00257EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/02/04 12:0 a.m.9 views

PT-2026-6021

Name of the Vulnerable Software and Affected Versions WP Content Permission versions prior to 1.3 Description The WP Content Permission plugin for WordPress is susceptible to Stored Cross-Site Scripting. This is due to insufficient input sanitization and output escaping in the ohmem-message...

4.4CVSS5.7AI score0.00264EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/02/02 11:0 p.m.7 views

Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation

Summary A stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel. Proof of Concept Requirments -...

6.1CVSS5.7AI score0.00283EPSS
Exploits1References6Affected Software1
CVE
CVE
added 2026/01/26 5:42 p.m.9 views

CVE-2020-36954

CVE-2020-36954 affects Xeroneit Library Management System 3.1. The vulnerability is a stored cross-site scripting (XSS) in the Book Category feature, where an attacker can inject a payload into the Category Name field and have arbitrary JavaScript execute when the page loads. The exploitation hin...

6.4CVSS6.1AI score0.0031EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/01/19 12:0 p.m.25 views

CVE-2026-1181 Altium 365 Over-Permissive CORS Configuration Allows Credentialed Cross-Origin Workspace Access

Altium 365 workspace endpoints were configured with an overly permissive Cross-Origin Resource Sharing CORS policy that allowed credentialed cross-origin requests from other Altium-controlled subdomains, including forum.live.altium.com. As a result, JavaScript executing on those origins could...

9CVSS0.00308EPSS
Exploits0References1
CVE
CVE
added 2025/12/18 7:53 p.m.13 views

CVE-2022-50683

CVE-2022-50683 concerns a stored cross-site scripting vulnerability in Kentico Xperience, arising from unvalidated form redirect URL configuration. The issue allows injection of malicious scripts that execute in users’ browsers in the context of the affected platform. Connected sources (CNVD, EUV...

5.4CVSS5.9AI score0.00138EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2025/12/17 9:53 p.m.14 views

CVE-2025-68275

ChurchCRM prior to version 6.5.3 contains a stored cross-site scripting vulnerability on the View Active People, View Inactive People, and View All People pages. The root cause is lack of effective filtering and escaping of user-supplied data on these listings, allowing an attacker to inject scri...

9.2CVSS5.7AI score0.0017EPSS
Exploits1References1Affected Software1
RedhatCVE
RedhatCVE
added 2025/12/11 7:1 p.m.5 views

CVE-2025-64613

Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they brow...

5.4CVSS5.6AI score0.00189EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/12/11 7:1 p.m.8 views

CVE-2025-64861

Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they brow...

5.4CVSS5.5AI score0.00173EPSS
Exploits0References1
EUVD
EUVD
added 2025/12/10 9:31 p.m.5 views

EUVD-2025-202505

Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they brow...

5.4CVSS5AI score0.00214EPSS
Exploits0References2
Rows per page
Query Builder