Lucene search
K

8 matches found

NVD
NVD
added 2026/06/21 2:16 p.m.12 views

CVE-2026-56393

Craft CMS 4.x = 4.0.0-RC1, = 5.0.0-RC1, 5.9.0-beta.1 contain multiple stored cross-site scripting vulnerabilities where settings names and field option labels are rendered without sanitization e.g., via the checkbox.twig template, which used label|raw . An authenticated administrator with...

4.8CVSS0.00183EPSS
Exploits0References4
CVE
CVE
added 2026/06/21 1:27 p.m.15 views

CVE-2026-56393

Craft CMS 4.x (>= 4.0.0-RC1, = 5.0.0-RC1,

4.8CVSS5.9AI score0.00183EPSS
Exploits0References4
NVD
NVD
added 2026/06/10 6:17 p.m.16 views

CVE-2026-46642

draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor's origin when the file is opened. The vulnerability is not in the label sanitizer which works correctly on the rendering path but in...

6.1CVSS0.00221EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/04/15 10:26 p.m.22 views

CVE-2026-40179 Prometheus: Stored XSS via metric names and label values in web UI tooltips and metrics explorer

Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into innerHTML without...

5.3CVSS0.0024EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/02/12 10:55 p.m.3 views

CVE-2026-26188 Solspace Freeform plugin affected by Stored Cross-Site Scripting (XSS) in Freeform Craft Plugin CP UI (builder/integrations)

Solspace Freeform plugin for Craft CMS 5.x is a super flexible form-building tool. An authenticated, low-privilege user able to create/edit forms can inject arbitrary HTML/JS into the Craft Control Panel CP builder and integrations views. User-controlled form labels and integration metadata are...

5.1CVSS5.7AI score0.00253EPSS
Exploits1References3
Snyk
Snyk
added 2025/08/14 3:30 p.m.4 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the tooltip in the chart visualization. An attacker can execute arbitrary scripts in the context of a victim's browser by injecting a malicious payload into a column's label, which is then rendered without...

5.4CVSS5.7AI score0.00617EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2025/05/22 7:22 p.m.8 views

CVE-2021-24608

The Formidable Form Builder – Contact Form, Survey & Quiz Forms Plugin for WordPress plugin before 5.0.07 does not sanitise and escape its Form's Labels, allowing high privileged users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed...

4.8CVSS5.9AI score0.00654EPSS
Exploits2References1
OSV
OSV
added 2021/10/25 2:15 p.m.5 views

CVE-2021-24608

The Formidable Form Builder – Contact Form, Survey & Quiz Forms Plugin for WordPress plugin before 5.0.07 does not sanitise and escape its Form's Labels, allowing high privileged users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed...

4.8CVSS5.8AI score0.00654EPSS
Exploits2References2
Rows per page
Query Builder