1151 matches found

Cvelist
added 2026/01/30 10:11 p.m., 17 views

CVE-2026-25156 HotCRP vulnerable to stored XSS via comment attachments

HotCRP is conference review software. HotCRP versions from October 2025 through January 2026 delivered documents of all types with inline Content-Disposition, causing them to be rendered in the user’s browser rather than downloaded. The intended behavior was for only text/plain, application/pdf,...

CVSS 7.3, EPSS 0.00227
Exploits: 0, References: 4

RedhatCVE
added 2026/01/29 9:24 a.m., 10 views

CVE-2026-1295

The Buy Now Plus – Buy Now buttons for Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buynowplus' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on shortcode attributes. This makes it possible for...

CVSS 6.4, AI score 6, EPSS 0.0027
Exploits: 0, References: 1

ATTACKERKB
added 2026/01/28 8:00 p.m., 3 views

CVE-2025-13979

Privilege Defined With Unsafe Actions vulnerability in Drupal Mini site allows Stored XSS. This issue affects Mini site: from 0.0.0 before 3.0.2...

AI score 5.8, EPSS 0.00148
Exploits: 0, References: 2

NVD
added 2026/01/27 1:16 a.m., 4 views

CVE-2026-24490

MobSF is a mobile application security testing tool. Prior to version 4.4.5, a stored cross-site scripting (XSS) vulnerability in MobSF's Android manifest analysis allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session by uploading a malicious APK. The...

CVSS 8.1, EPSS 0.0031
Exploits: 1, References: 3

CVE
added 2026/01/26 5:42 p.m., 8 views

CVE-2020-36954

CVE-2020-36954 affects Xeroneit Library Management System 3.1. The vulnerability is a stored cross-site scripting (XSS) in the Book Category feature, where an attacker can inject a payload into the Category Name field and have arbitrary JavaScript execute when the page loads. The exploitation hin...

CVSS 6.4, AI score 6.1, EPSS 0.0031
Exploits: 0, References: 4

Cvelist
added 2026/01/26 5:42 p.m., 26 views

CVE-2020-36954 Xeroneit Library Management System 3.1 - "Add Book Category" Stored XSS

Xeroneit Library Management System 3.1 contains a stored cross-site scripting vulnerability in the Book Category feature that allows administrators to inject malicious scripts. Attackers can insert a payload in the Category Name field to execute arbitrary JavaScript code when the page is loaded...

CVSS 6.4, EPSS 0.0031
Exploits: 0, References: 4

CVE
added 2026/01/24 7:26 a.m., 13 views

CVE-2025-14985

CVE-2025-14985 - Alpha Blocks (WordPress)

CVSS 6.4, AI score 5.8, EPSS 0.0019
Exploits: 0, References: 2

CVE
added 2026/01/24 7:26 a.m., 23 views

CVE-2025-12836

CVE-2025-12836 — VK Google Job Posting Manager (WordPress) is a stored cross-site scripting vulnerability in the VK Google Job Posting Manager plugin for WordPress. The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the Job Description field, ...

CVSS 6.4, AI score 6.1, EPSS 0.00248
Exploits: 0, References: 4

CNNVD
added 2026/01/23 12:00 a.m., 4 views

WordPress plugin UX Flat security vulnerabilities

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application plugin. There is a...

CVSS 6.5, AI score 5.7, EPSS 0.00198
Exploits: 0, References: 1

OSV
added 2026/01/22 9:41 p.m., 4 views

GHSA-JP3Q-WWP3-PWV9 Freeform Craft Plugin CP UI (builder/integrations) has Stored Cross-Site Scripting (XSS) issue

Summary: An authenticated, low-privilege user able to create/edit forms can inject arbitrary HTML/JS into the Craft Control Panel (CP) builder and integrations views. User-controlled form labels and integration metadata are rendered with dangerouslySetInnerHTML without sanitization, leading to store...

CVSS 5.3, AI score 6, EPSS 0.00253
Exploits: 1, References: 5

Positive Technologies
added 2026/01/22 12:00 a.m., 4 views

PT-2026-4209

Cross-Site Request Forgery (CSRF) vulnerability in gregmolnar Simple XML Sitemap (simple-xml-sitemap) allows Stored XSS. This issue affects Simple XML Sitemap: from n/a through = 1.3...

AI score 5.4, EPSS 0.0012
Exploits: 0, References: 2

CNNVD
added 2026/01/21 12:00 a.m., 4 views

LiteSpeed Technologies OpenLiteSpeed Cross-Site Scripting Vulnerability

LiteSpeed Technologies OpenLiteSpeed is an open-source web server developed by LiteSpeed Technologies. Version 1.7.9 of OpenLiteSpeed contains a cross-site scripting vulnerability. This vulnerability stems from a stored cross-site scripting vulnerability in the dashboard’s Not...

CVSS 7.2, AI score 5.8, EPSS 0.00238
Exploits: 0, References: 3

Cvelist
added 2026/01/19 12:00 p.m., 21 views

CVE-2026-1181 Altium 365 Over-Permissive CORS Configuration Allows Credentialed Cross-Origin Workspace Access

Altium 365 workspace endpoints were configured with an overly permissive Cross-Origin Resource Sharing (CORS) policy that allowed credentialed cross-origin requests from other Altium-controlled subdomains, including forum.live.altium.com. As a result, JavaScript executing on those origins could...

CVSS 9, EPSS 0.00308
Exploits: 0, References: 1

NVD
added 2026/01/18 11:15 p.m., 5 views

CVE-2026-23525

1Panel is an open-source, web-based control panel for Linux server management. A stored Cross-Site Scripting (XSS) vulnerability exists in the 1Panel App Store when viewing application details. Malicious scripts can execute in the context of the user’s browser, potentially compromising session data...

CVSS 8.4, EPSS 0.00306
Exploits: 0, References: 1

RedhatCVE
added 2026/01/17 2:06 p.m., 5 views

CVE-2026-0695

In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this may allow stored script code to execute in the context of a user’s browser when the affected...

CVSS 8.7, AI score 7.1, EPSS 0.00251
Exploits: 0, References: 1

CVE
added 2026/01/16 4:29 p.m., 16 views

CVE-2026-0949

CVE-2026-0949 describes a stored XSS in PEM versions

CVSS 6.5, AI score 5.7, EPSS 0.002
Exploits: 0, References: 1, Affected Software: 1

OSV
added 2026/01/16 2:15 p.m., 3 views

CVE-2026-0695

In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this may allow stored script code to execute in the context of a user’s browser when the affected...

CVSS 5.4, AI score 5.9, EPSS 0.00251
Exploits: 0, References: 2

OSV
added 2026/01/16 12:16 a.m., 3 views

CVE-2021-47779

Dolibarr ERP-CRM 14.0.2 contains a stored cross-site scripting vulnerability in the ticket creation module that allows low-privilege users to inject malicious scripts. Attackers can craft a specially designed ticket message with embedded JavaScript that triggers when an administrator copies the...

CVSS 5.4, AI score 5.8
Exploits: 0, References: 4

CNNVD
added 2026/01/16 12:00 a.m., 3 views

ConnectWise PSA security vulnerabilities

ConnectWise PSA is a professional service automation software developed by ConnectWise in the United States. Versions of ConnectWise PSA prior to 2026.1 contained security vulnerabilities. These vulnerabilities stemmed from the lack of output encoding for Time Entry notes in the Time Entry Audit...

CVSS 8.7, AI score 6, EPSS 0.00251
Exploits: 0, References: 2

Cvelist
added 2026/01/14 4:20 p.m., 20 views

CVE-2025-37185 Authenticated Stored Cross-Site Scripting Vulnerabilities (XSS) in EdgeConnect SD-WAN Orchestrator Web Administration Interface

Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct stored cross-site scripting (XSS) attacks against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary...

CVSS 5.5, EPSS 0.00223
Exploits: 0, References: 1