175015 matches found
JustRows WordPress - Cross-Site Scripting
JustRows free WordPress plugin v0.2 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires attacker to craft a...
Site Reviews < 7.2.5 - Unauthenticated Stored XSS
Site Reviews WordPress plugin before 7.2.5 contains a stored cross-site scripting caused by improper sanitization and escaping of review fields, letting unauthenticated users execute malicious scripts, exploit requires no authentication. id: CVE-2025-1232 info: name: Site Reviews 7.2.5 -...
BIBLIOsoft BIBLIOpac 2008 - Cross-Site Scripting
BIBLIOsoft BIBLIOpac 2008 contains a cross-site scripting vulnerability via the db or action parameter to bin/wxis.exe/bibliopac/, which allows a remote attacker to inject arbitrary web script or HTML. id: CVE-2018-16139 info: name: BIBLIOsoft BIBLIOpac 2008 - Cross-Site Scripting author:...
Fedora 44 : roundcubemail (2026-517daa8d64)
The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-517daa8d64 advisory. Release 1.7.2 - Add HEAD request handler to the static.php - Fix so the oauthpasswordclaim claim is retrieved via token or userinfo request 9631 - F...
CVE-2026-44760
The CVE-2026-44760 entry concerns a Cross-Site Scripting (XSS) in SAP NetWeaver Application Server ABAP-based applications that use the Business Server Pages framework. The vulnerability arises from unsanitized input being reflected in the HTTP response, enabling an attacker to inject and execute...
CVE-2026-58500 MCP Appium: Unescaped Locator Data XSS in MCP-UI Resource (createLocatorGeneratorUI)
MCP Appium is an MCP server that provides AI assistants with tools to automate mobile app testing on Android and iOS. In versions prior to 1.85.10, the createLocatorGeneratorUI function interpolates attacker-controlled element attributes — text, content-desc, resource-id, and locator selector...
CVE-2026-58228 Scheme validation bypass in Phoenix.LiveView.Utils leads to XSS via <.link>
Cross-site scripting vulnerability in phoenixframework phoenixliveview allows an attacker to bypass URL scheme validation and execute JavaScript in a victim's browser session. The Phoenix.LiveView.Utils.validdestination!/2 and Phoenix.LiveView.Utils.validlivenavigationdestination!/2 functions in...
EUVD-2024-24347
GeoNode: Stored XSS to full account takeover...
CVE-2026-57167 PeerTube: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
PeerTube is an ActivityPub-federated video streaming platform. Prior to 8.2.2, server-side-rendered video watch pages embed a schema.org JSON-LD block by JSON.stringify-ing video metadata without escaping less-than, greater-than, or slash characters, allowing a value containing the byte sequence...
CVE-2026-55877 Symfony UX: XSS in symfony/ux-icons via unsanitized SVG content in local files and Iconify on-demand responses
Symfony UX is a JavaScript ecosystem for Symfony. From 2.17.0 before 2.36.1 and from 3.0.0 before 3.2.0, the uxicon Twig function is marked issafe='html' and Icon::toHtml inlines SVG source verbatim, allowing unsanitized local SVG files or Iconify on-demand JSON body responses containing nested...
CVE-2026-55877
Symfony UX is a JavaScript ecosystem for Symfony. From 2.17.0 before 2.36.1 and from 3.0.0 before 3.2.0, the uxicon Twig function is marked issafe='html' and Icon::toHtml inlines SVG source verbatim, allowing unsanitized local SVG files or Iconify on-demand JSON body responses containing nested...
CVE-2026-59923 Mistune: XSS via percent-encoded javascript URI bypass in safe_url()
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, HTMLRenderer.safeurl does not block percent-encoded javascript URIs, allowing attacker-supplied Markdown links or images to bypass URL protections and execute script in rendered HTML. This issue is fixed in version...
WordPress Loops & Logic plugin <= 4.2.3 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting XSS vulnerability discovered by ParkHyunWoo in WordPress Plugin Loops & Logic versions = 4.2.3...
CVE-2026-48949
Lack of validation leads to an XSS vulnerability in the MFA management views...
CVE-2026-48950
Lack of escaping leads to an XSS vulnerability in the file management view of comtemplates...
CVE-2026-48949
Lack of validation leads to an XSS vulnerability in the MFA management views...
CVE-2026-48952
Lack of escaping leads to an XSS vulnerability in the update list view of cominstaller...
CVE-2026-48952 Joomla! Core - [20260706] - XSS in com_installer
Lack of escaping leads to an XSS vulnerability in the update list view of cominstaller...
CVE-2026-48950
CVE-2026-48950 affects Joomla! Core via the file management view in com_templates. The root cause is lack of escaping, enabling an XSS vulnerability. Multiple sources (NVD, CVE lists, and Joomla security advisory) confirm an XSS in the core component with the vulnerable entry labeled for core/com...
CVE-2026-48950 Joomla! Core - [20260704] - XSS in com_templates
Lack of escaping leads to an XSS vulnerability in the file management view of comtemplates...