CVE-2026-32139

DataEase is an open-source data visualization tool. In DataEase 2.10.19 and earlier, the static resource upload interface allows SVG uploads. Backend validation only checks that the XML is parseable and that the root node is svg, and does not sanitize active content (e.g., onload/onerror event ha...

CVE-2026-2687 Reading progressbar < 1.3.1 - Admin+ Stored XSS

The Reading progressbar WordPress plugin before 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2026-32124

OpenEMR’s dynamic code picker (AJAX) endpoint returns code_text without HTML escaping prior to version 8.0.0.1, allowing stored XSS via a malicious description entered by an admin or a user with code management rights. The vulnerability affects the rendering in front-end components (e.g., DataTab...

CVE-2026-2918 Happy Addons for Elementor <= 3.21.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Stored Cross-Site Scripting via Template Conditions

The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the haconditionupdate AJAX action. This is due to the validatereqeust method using currentusercan'editposts', $templateid instead of...

CVE-2026-2324 LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.7 - Cross-Site Request Forgery in Booking Form Settings Update to Stored Cross-Site Scripting

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.7. This is due to missing or incorrect nonce validation on the reloadpreview function. This makes it possible for...

CVE-2026-27260

Rejected reason: This CVE ID was issued in error by its CVE Numbering Authority...

CVE-2026-27254 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)

Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they brow...

EUVD-2026-10485

The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the nxsfbembed shortcode in all versions up to, and including, 4.4.6. This is due to insufficient input sanitization and output escaping on the snapFB post meta value. This makes it...

CVE-2026-1261

MetForm Pro

PT-2026-24417

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Stored XSS vulnerabilities exist in the Commerce Inventory page. The Product Title, Variant Title, and Variant SKU fields are rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript when any...

EUVD-2026-10134

The Infomaniak Connect for OpenID plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'endpointlogin' parameter of the infomaniakconnectgenericauthurl shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes...

CVE-2026-1569

The Wueen plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wueen-blocket shortcode in all versions up to, and including, 0.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2026-1825 Show YouTube video <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute

The Show YouTube video plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'syv' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2026-1574 MyQtip – easy qTip2 <= 2.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The MyQtip – easy qTip2 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's myqtip shortcode in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2026-1805 DA Media GigList <= 1.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'list_title' Shortcode Attribute

The DA Media GigList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's damediagiglist shortcode in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2026-30821 Flowise: Arbitrary File Upload via MIME Spoofing

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the /api/v1/attachments/:chatflowId/:chatId endpoint is listed in WHITELISTURLS, allowing unauthenticated access to the file upload API. While the server validates uploads based on th...

CVE-2026-1902 Hammas Calendar <= 1.5.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'apix' Shortcode Attribute

The Hammas Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'apix' parameter in the 'hp-calendar-manage-redirect' shortcode in all versions up to, and including, 1.5.11 due to insufficient input sanitization and output escaping. This makes it possible for...

PT-2026-23784

Name of the Vulnerable Software and Affected Versions XikeStor SKS8310-8X Network Switch versions prior to 1.04.B07 Description The XikeStor SKS8310-8X Network Switch firmware contains a stored cross-site scripting issue. Authenticated attackers can inject arbitrary script content through the...

Flowise has Arbitrary File Upload via MIME Spoofing

Vulnerability Description --- Vulnerability Overview - The /api/v1/attachments/:chatflowId/:chatId endpoint is listed in WHITELISTURLS, allowing unauthenticated access to the file upload API. - While the server validates uploads based on the MIME types defined in...

CVE-2025-59542

Chamilo LMS prior to version 1.11.34 is affected by a stored XSS vulnerability in the course learning path Settings field. A low-privileged user (e.g., trainer) can inject JavaScript that executes in other users’ contexts (including admins), enabling exfiltration of session cookies or tokens and ...