Lucene search
K

1183 matches found

ATTACKERKB
ATTACKERKB
added 2026/05/12 7:48 a.m.6 views

CVE-2026-5715

The Voyage Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' attribute of the 'post-content' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible fo...

6.4CVSS6AI score0.00187EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/05/12 7:48 a.m.69 views

CVE-2026-4920 Next Date <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'default' Shortcode Attribute

The Next Date plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...

6.4CVSS0.00187EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/12 7:48 a.m.8 views

CVE-2026-6913 Shortcodely <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'widget_area' Shortcode Attribute

The Shortcodely plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'widgetarea' parameter in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level acces...

6.4CVSS6AI score0.00201EPSS
Exploits0References7
Vulnrichment
Vulnrichment
added 2026/05/11 6:35 p.m.8 views

CVE-2026-45025 WeGIA: Stored XSS in html/atendido/etapa_processo.php

WeGIA is a web manager for charitable institutions. In versions prior to 3.7.3, a Stored Cross-Site Scripting XSS vulnerability allows an authenticated user to inject malicious JavaScript into the "Etapas de um Processo" html/atendido/etapaprocesso.php page, which is executed when user access the...

6.8CVSS5.8AI score0.0023EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/10 8:20 p.m.13 views

CVE-2026-3007

Successful exploitation of the stored cross-site scripting XSS vulnerability could allow an attacker to execute arbitrary JavaScript on any user account that has access to Koollab LMS’ courselet feature...

5.4CVSS5.9AI score0.00173EPSS
Exploits0References1
NVD
NVD
added 2026/05/10 1:16 p.m.10 views

CVE-2021-47922

Slider by Soliloquy 2.6.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the title parameter. Attackers can add JavaScript payloads in the title field when creating or editing sliders, which executes in the browsers of...

6.4CVSS0.00243EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/05/10 12:43 p.m.8 views

CVE-2021-47922

Slider by Soliloquy 2.6.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the title parameter. Attackers can add JavaScript payloads in the title field when creating or editing sliders, which executes in the browsers of...

6.4CVSS5.7AI score0.00243EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2026/05/08 9:13 p.m.17 views

CVE-2026-42192

Plunk: Stored XSS in campaign view. Affected: Plunk open-source email platform (AWS SES-based). Vulnerable component: campaign management, where email body content created by authenticated project members is stored and later rendered in the admin dashboard via dangerouslySetInnerHTML without HTML...

5.4CVSS5.6AI score0.00176EPSS
Exploits0References2
CVE
CVE
added 2026/05/08 9:26 a.m.21 views

CVE-2026-7650

The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is affected by a Stored Cross-Site Scripting (XSS) flaw in the e2pdf-download shortcode’s id attribute. Versions up to and including 1.32.17 are vulnerable due to insufficient input sanitization and output escaping of the shortcode at...

6.4CVSS6AI score0.00244EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/05/07 6:43 p.m.39 views

CVE-2026-41653 BentoPDF: Stored XSS via Markdown Editor Leading to Persistent File Exfiltration

BentoPDF is a client-side PDF toolkit that is self hostable. Prior to version 2.8.3, a cross-site scripting vulnerability was identified in BentoPD. An attacker may be able to execute arbitrary JavaScript in certain circumstances in Markdown to PDF Tool. This issue has been patched in version 2.8...

7CVSS0.00356EPSS
Exploits0References2
NVD
NVD
added 2026/05/07 4:16 p.m.20 views

CVE-2026-36388

A Cross-Site Scripting XSS vulnerability was found in PHPGurukal Hospital Management System v4.0 in the /hospital/hms/edit-profile.php page. This flaw allows an authenticated attacker patient to inject a malicious script payload into the User Name parameter, which is stored in the application and...

5.4CVSS0.00133EPSS
Exploits0References1
NVD
NVD
added 2026/05/06 8:16 p.m.32 views

CVE-2026-40171

In Jupyter Notebook versions 7.0.0 through 7.5.5, JupyterLab versions 4.5.6 and earlier, and the corresponding @jupyter-notebook/help-extension and @jupyterlab/help-extension packages before 7.5.6 and 4.5.7, a stored cross-site scripting issue in the help command linker can be chained with...

8.4CVSS0.00476EPSS
Exploits0References1
NVD
NVD
added 2026/05/06 8:16 a.m.11 views

CVE-2026-7448

Rejected reason: REJECT DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage...

0.00122EPSS
Exploits0
Github Security Blog
Github Security Blog
added 2026/05/05 9:53 p.m.8 views

Prometheus vulnerable to stored XSS via crafted histogram bucket label values in the old web UI heatmap display

Impact In the Prometheus server's legacy web UI enabled via the command-line flag --enable-feature=old-ui, the histogram heatmap chart view does not escape le label values when inserting them into the HTML for use as axis tick mark labels. An attacker who can inject crafted metrics e.g. via a...

6.1CVSS6AI score0.00182EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/05/05 2:26 a.m.68 views

CVE-2026-6702 Publish 2 Ping.fm <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'wpPingPingKey' Parameter

The Publish 2 Ping.fm plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the '/wp-admin/options-general.php?page=admin.php' page. This makes it possible for unauthenticated attackers t...

6.1CVSS0.0012EPSS
Exploits0References7
Cvelist
Cvelist
added 2026/05/05 2:26 a.m.31 views

CVE-2026-5247 Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.10.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'wrapper' Shortcode Attribute

The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wrapper' attribute of the futureaction shortcode in all versions up to, and including, 4.10.0. This is due to insufficient input sanitization on the wrapper attribute. The...

5.5CVSS0.00274EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/05/05 2:26 a.m.6 views

CVE-2026-6701 addfreespace <= 0.1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Page

The addfreespace plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scrip...

4.3CVSS5.7AI score0.00158EPSS
Exploits0References11
Patchstack
Patchstack
added 2026/05/04 2:7 p.m.14 views

WordPress addfreespace plugin <= 0.1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability

Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin addfreespace versions = 0.1.3...

4.3CVSS5.8AI score0.00158EPSS
Exploits0References1Affected Software1
GithubExploit
GithubExploit
added 2026/05/03 8:46 p.m.95 views

dvwa-xss

Cross-Site Scripting XSS Attack & Analysis — DVWA A hands-o...

5.9AI score
Exploits0
Cvelist
Cvelist
added 2026/05/02 5:29 a.m.37 views

CVE-2026-5109 Gravity Forms <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting via Product Option

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient validation and output escaping of Product Option field values. The vulnerability exists because the state validation function accepts submitted...

7.2CVSS0.00245EPSS
Exploits0References2
Rows per page
Query Builder