Lucene search
+L

36833 matches found

Vulnrichment
Vulnrichment
added 3 hours ago3 views

CVE-2026-48015 Shopware: Stored XSS via SVG file upload — no SVG sanitization

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, SVG files are in the allowedextensions whitelist in src/Core/Framework/Resources/config/packages/shopware.yaml and can be uploaded via the media manager without SVG content sanitization in the upload pipeline from...

4.9CVSS5.5AI score0.00039EPSS
Exploits0References5
NVD
NVD
added 3 hours ago6 views

CVE-2026-9588

A stored cross-site scripting XSS vulnerability exists in Sangoma Switchvox SMB Edition 8.3 104997 within the voicemail notification template functionality. The submitmodifyvoicemailtemplate endpoint fails to properly sanitize HTML content supplied by authenticated users, allowing malicious...

7CVSS
Exploits0References2
NVD
NVD
added 4 hours ago6 views

CVE-2026-58148

The Joomla extension ChronoForms is vulnerable to an unauthenticated stored XSS vulnerability...

8.7CVSS
Exploits0References1
Vulnrichment
Vulnrichment
added 5 hours ago3 views

CVE-2026-9588 Authenticated Stored Cross-Site Scripting (XSS) in Switchvox SMB Web Portal

A stored cross-site scripting XSS vulnerability exists in Sangoma Switchvox SMB Edition 8.3 104997 within the voicemail notification template functionality. The submitmodifyvoicemailtemplate endpoint fails to properly sanitize HTML content supplied by authenticated users, allowing malicious...

7CVSS4.9AI score
Exploits0References2
EUVD
EUVD
added 5 hours ago5 views

EUVD-2026-45207

A stored cross-site scripting XSS vulnerability exists in Sangoma Switchvox SMB Edition 8.3 104997 within the voicemail notification template functionality. The submitmodifyvoicemailtemplate endpoint fails to properly sanitize HTML content supplied by authenticated users, allowing malicious...

7CVSS4.8AI score
Exploits0References2
NVD
NVD
added 13 hours ago5 views

CVE-2026-10525

The NEX-Forms WordPress plugin before 9.2.3 does not sanitise and escape some submitted form data before storing it and outputting it back in the admin dashboard, leading to a Stored Cross-Site Scripting vulnerability which could allow unauthenticated users to perform Stored Cross-Site Scripting...

6.1CVSS
Exploits0References1
CVE
CVE
added 15 hours ago10 views

CVE-2026-10525

The CVE-2026-10525 entry concerns the NEX-Forms WordPress plugin prior to version 9.2.3. The root cause is insufficient sanitization and escaping of submitted form data before storing it and when rendering it in the admin dashboard. This results in a Stored XSS vulnerability that could allow unau...

6.1CVSS6.1AI score
Exploits0References1
Nuclei
Nuclei
added 16 hours ago8 views

WPBot <= 8.4.9 - Cross-Site Scripting

WPBot = 8.4.9 is vulnerable to stored cross-site scripting via the conversation parameter in the qcldwbchatbotconversationsave AJAX action. The AJAX nonce qcsecretbotnonceval123qc is publicly emitted on every frontend page via wplocalizescript under the ajaxnonce key, making it freely obtainable ...

7.2CVSS4.8AI score0.00524EPSS
Exploits0References2
Nuclei
Nuclei
added 16 hours ago21 views

tagDiv Composer < 4.2 - Stored Cross-Site Scripting

tagDiv Composer plugin versions before 4.2 for WordPress are vulnerable to unauthenticated stored XSS via the /wp-json/tdw/savecss endpoint. An attacker can inject malicious JavaScript code through the compiledcss parameter, which gets stored and executed when the CSS is loaded. id: CVE-2023-3169...

6.1CVSS7AI score0.01582EPSS
Exploits2References2
Nuclei
Nuclei
added 16 hours ago24 views

The Events Calendar < 6.4.0.1 - Cross-site Scripting

The Events Calendar WordPress plugin 6.4.0.1 contains a stored XSS caused by improper sanitization of user-submitted content when rendering views via AJAX, letting attackers execute scripts in the context of the affected site. Exploitation requires user interaction. id: CVE-2024-4180 info: name:...

9.1CVSS5.2AI score0.01834EPSS
Exploits2References3
Nuclei
Nuclei
added 16 hours ago54 views

Limit Login Attempts WordPress - Stored Cross-site Scripting

Limit Login Attempts WordPress plugin 4.0.50 contains a stored cross-site scripting caused by not escaping IP addresses controlled via headers like X-Forwarded-For before outputting them in reports, letting unauthenticated attackers execute scripts in admin context. id: CVE-2021-24657 info: name:...

6.1CVSS5.9AI score0.01595EPSS
Exploits2References2
Nuclei
Nuclei
added 16 hours ago83 views

Duplicate Page WordPress - Stored Cross-Site Scripting

Duplicate Page WordPress plugin = 4.4.2 contains a stored cross-site scripting caused by unsanitized Duplicate Post Suffix settings in output, letting high privilege users execute malicious scripts, exploit requires high privilege user role. id: CVE-2021-24681 info: name: Duplicate Page WordPress...

4.8CVSS4.8AI score0.0087EPSS
Exploits2References3
Nuclei
Nuclei
added 16 hours ago138 views

Limit Login Attempts - Stored Cross-Site Scripting

Limit Login Attempts WordPress plugin 4.0.72 contains a stored cross-site scripting caused by unsanitized and unescaped settings, letting malicious administrators inject Javascript code, exploit requires administrator privileges. id: CVE-2022-1029 info: name: Limit Login Attempts - Stored...

4.8CVSS4.8AI score0.00848EPSS
Exploits2References1
Nuclei
Nuclei
added 16 hours ago64 views

Microweber <1.2.12 - Stored Cross-Site Scripting

Microweber prior to 1.2.12 contains a stored cross-site scripting vulnerability. It allows unrestricted upload of XML files,. id: CVE-2022-0963 info: name: Microweber 1.2.12 - Stored Cross-Site Scripting author: amit-jd severity: medium description: | Microweber prior to 1.2.12 contains a stored...

5.7CVSS5.3AI score0.01877EPSS
Exploits1References5
Nuclei
Nuclei
added 16 hours ago81 views

ChurchCRM 4.5.3 - Cross-Site Scripting

A stored Cross-site scripting XSS vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the NoteEditor.php. id: CVE-2023-26843 info: name: ChurchCRM 4.5.3 - Cross-Site Scripting author: Harsh severity: medium description: | A stored Cross-site scripti...

5.4CVSS5.8AI score0.0142EPSS
Exploits1References5
EUVD
EUVD
added 17 hours ago5 views

EUVD-2026-45136

The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.6. This is due to the savefilter AJAX handler storing the raw $POST'filter' array into a WordPress option via updateoption without any capability check, nonce...

6.4CVSS6.2AI score
Exploits0References2
EUVD
EUVD
added 18 hours ago6 views

EUVD-2026-45130

The Kali Forms — Contact Form & Drag-and-Drop Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'digitalSignature' Field Value in all versions up to, and including, 2.4.18 due to insufficient input sanitization and output escaping. This makes it possible for...

7.2CVSS6.2AI score
Exploits0References8
NVD
NVD
added 18 hours ago5 views

CVE-2026-2594

The Smart Custom Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.0.7. This is due to insufficient input sanitization and output escaping of uploaded image attachment titles. This makes it possible for authenticated attackers, with...

6.4CVSS
Exploits0References3
CVE
CVE
added 19 hours ago13 views

CVE-2026-2594

The CVE-2026-2594 entry concerns the WordPress plugin Smart Custom Fields. A stored cross-site scripting (XSS) flaw affects versions up to and including 5.0.7, caused by insufficient input sanitization and output escaping for uploaded image attachment titles. This enables authenticated attackers ...

6.4CVSS6.2AI score
Exploits0References3
Nuclei
Nuclei
added yesterday127 views

LiteSpeed Cache <= 5.7 - Unauthenticated Stored XSS

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in LiteSpeed Technologies LiteSpeed Cache allows Stored XSS.This issue affects LiteSpeed Cache- from n/a through 5.7. id: CVE-2023-40000 info: name: LiteSpeed Cache = 5.7 - Unauthenticated Stored XSS...

8.3CVSS6.8AI score0.54872EPSS
Exploits5References3
Rows per page
Query Builder