CVE-2026-48167

CVE-2026-48167 (Filament) affects the ImageColumn and ImageEntry components of Filament (Laravel ecosystem). From versions 4.0.0 through 4.11.5 and 5.6.5, these components render raw database values without HTML escaping, enabling stored XSS if unvalidated data is passed. The vulnerability impact...

CVE-2026-44311

CVE-2026-44311 (Fabric.js) describes an XSS in which the color value in colorStops of a fabric.Gradient is not properly escaped when serializing to SVG via toSVG(), allowing injected HTML/SVG to be executed if the SVG is rendered into the DOM. Documents confirm the issue affects Fabric.js prior t...

CVE-2026-44727

Jupyter Server (prior to 2.20) is affected by a stored XSS in the nbconvert HTML export path. The nbconvert HTTP handlers NbconvertFileHandler and NbconvertPostHandler render notebook HTML under the Jupyter origin without a sandbox directive in Content-Security-Policy, and NbconvertHTMLExporter’s...

CVE-2026-50555

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25, a Cross-Site Scripting XSS vulnerability exists in @angular/platform-server's DOM emulation dependency domino wh...

CVE-2026-50146

CVE-2026-50146 affects the Astro web framework prior to 6.3.3. When a component uses a client:* directive, Astro inserts named slot content into a data-astro-template attribute without escaping the slot name, allowing an attacker to break out of the attribute context and inject arbitrary HTML, re...

CVE-2026-50557

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22 and 19.2.22, an issue in the @angular/compiler and @angular/core packages allows bypassing element and attribute...

EUVD-2026-38291

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25, a Cross-Site Scripting XSS vulnerability exists in @angular/platform-server's DOM emulation dependency domino wh...

CVE-2026-11372

IBM TRIRIGA Application Platform versions 5.0.2–5.0.3 are affected by a cross-site scripting (XSS) vulnerability in the Web UI that an authenticated user can abuse to embed arbitrary JavaScript, potentially leading to credentials disclosure within a trusted session. The issue is tracked as CVE-20...

EUVD-2026-38243

The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent runs on the raw template string before getTemplateSrv.replace substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via...

CVE-2026-9029

CVE-2026-9029 affects Grafana’s Geomap panel (XYZ tile layer) where sanitizeTextPanelContent() runs on the raw template string before variable substitution via getTemplateSrv().replace(), allowing an Editor to inject an XSS payload into a textbox variable default value that executes for all dashb...

CVE-2023-45795 Pilz: XSS vulnerability in Pilz PASvisu and PMI v8xx

A cross-site scripting vulnerability in the Builder Component of Pilz PASvisu before 1.14.1 allows a local unauthenticated attacker to inject malicious javascript and gain full control over the device...

CVE-2025-62198

CVE-2025-62198 affects Apache Atlas versions 2.4.0 and earlier. The issue is a stored XSS on the Create Entity page that can be triggered by an authenticated user. Affected software is clearly specified as Apache Atlas; the root cause is a stored XSS in the Create Entity flow. The recommended mit...

CVE-2025-62198 Apache Atlas: Stored XSS in Create Entity page

An authenticated user can perform XSS. This issue affects Apache Atlas versions 2.4.0 and earlier. Users are recommended to upgrade to version 2.5.0, which fixes the issue...

CVE-2026-6858

The Transbank Webpay WordPress plugin before 1.14.0 does not sanitize and escape logs to be displayed, allowing unauthenticated users to perform Stored XSS attacks against logged in administrator...

CVE-2026-6858

The CVE-2026-6858 vulnerability affects the WordPress plugin Transbank Webpay (versions before 1.14.0). It arises from logs not being sanitized/escaped for display, allowing unauthenticated users to perform Stored XSS against logged-in administrators. Remediation: upgrade to version 1.14.0 or lat...

CVE-2026-6858 Transbank Webpay < 1.14.0 - Unauthenticated Stored XSS

The Transbank Webpay WordPress plugin before 1.14.0 does not sanitize and escape logs to be displayed, allowing unauthenticated users to perform Stored XSS attacks against logged in administrator...

Novius OS 5.0.1-elche - Open Redirect

Novius OS 5.0.1 Elche allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect parameter to admin/nos/login. id: CVE-2015-5354 info: name: Novius OS 5.0.1-elche - Open Redirect author: 0xAkoko severity: medium description: Novius OS...

NewStatPress <0.9.9 - Cross-Site Scripting

WordPress NewStatPress plugin before 0.9.9 contains a cross-site scripting vulnerability in includes/nspsearch.php. The plugin allows remote authenticated users to inject arbitrary web script or HTML via the where1 parameter in the nspsearch page to wp-admin/admin.php. id: CVE-2015-4063 info: nam...

Shortcode Ninja <= 1.4 - Cross-Site Scripting

A cross-site scripting vulnerability in preview-shortcode-external.php in the Shortcode Ninja plugin 1.4 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the shortcode parameter. id: CVE-2014-4550 info: name: Shortcode Ninja = 1.4 - Cross-Site Scripting...

Safe Editor Plugin < 1.2 - CSS/JS-injection

The safe-editor plugin before 1.2 for WordPress has no sesave authentication, with resultant XSS. id: CVE-2016-10976 info: name: Safe Editor Plugin 1.2 - CSS/JS-injection author: Splint3r7 severity: medium description: | The safe-editor plugin before 1.2 for WordPress has no sesave authentication...