Lucene search
+L

142 matches found

github
github
added 2026/04/14 10:33 p.m.10 views

XWiki has Reflected Cross-Site Scripting (XSS) in page history compare

Impact A reflected cross-site scripting vulnerability XSS in the compare view between revisions of a page allows executing JavaScript code in the user's browser. If the current user is an admin, this can not only affect the current user but also the confidentiality, integrity and availability of...

6.5CVSS5.7AI score0.00549EPSS
Exploits0References5Affected Software1
redhatcve
redhatcve
added 2026/04/05 4:58 p.m.9 views

CVE-2026-2936

The Visitor Traffic Real Time Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pagetitle' parameter in all versions up to, and including, 8.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...

7.2CVSS6.1AI score0.00257EPSS
Exploits0References1
attackerkb
attackerkb
added 2026/03/31 8:58 a.m.1 views

CVE-2026-3107

Stored Cross-Site Scripting XSS in Teampass versions prior to 3.1.5.16, affecting the password manager's password import functionality at the endpoint 'redacted/index.php?page=items'. The application fails to properly sanitize and encode user-input data during the import process, allowing malicio...

9.3CVSS6.2AI score0.00134EPSS
Exploits0References2
nvd
nvd
added 2026/03/11 6:17 a.m.7 views

CVE-2026-2466

The DukaPress WordPress plugin through 3.2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS0.00145EPSS
Exploits0References1
cve
cve
added 2026/02/19 6:38 p.m.22 views

CVE-2026-27473

SPIP

6.4CVSS5.4AI score0.0026EPSS
Exploits0References3Affected Software1
euvd
euvd
added 2026/02/03 6:7 p.m.5 views

EUVD-2026-5205

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the...

6.1CVSS5.5AI score0.00261EPSS
Exploits1References4
cve
cve
added 2026/02/03 6:6 p.m.20 views

CVE-2026-25486

CVE-2026-25486 : Craft Commerce (Craft CMS) versions 5.0.0–5.5.1 contain a stored XSS in the Shipping Methods Name field in Store Management, allowing an attacker with store settings/shipping permissions to execute malicious JavaScript in an administrator’s browser. The issue is fixed in version ...

6.1CVSS5.4AI score0.00253EPSS
Exploits1References3Affected Software1
github
github
added 2026/02/02 6:17 p.m.10 views

FacturaScripts has Stored Cross-Site Scripting (XSS) in "Observations" field via History View

Summary A Stored Cross-Site Scripting XSS vulnerability was discovered in the Observations field. The flaw occurs in the History view, where historical data is rendered without proper HTML entity encoding. This allows an attacker to execute arbitrary JavaScript in the browser of viewing the histo...

9CVSS6.2AI score0.00385EPSS
Exploits1References3Affected Software1
osv
osv
added 2026/02/02 6:17 p.m.6 views

GHSA-4V7V-7V7R-3R5H FacturaScripts has Stored Cross-Site Scripting (XSS) in "Observations" field via History View

Summary A Stored Cross-Site Scripting XSS vulnerability was discovered in the Observations field. The flaw occurs in the History view, where historical data is rendered without proper HTML entity encoding. This allows an attacker to execute arbitrary JavaScript in the browser of viewing the histo...

8CVSS6.1AI score0.00385EPSS
Exploits1References3
vulnrichment
vulnrichment
added 2026/01/26 5:40 p.m.2 views

CVE-2026-24433 Tenda W30E V2 Stored XSS via Username Field

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.195037 contain a stored cross-site scripting vulnerability in the user creation functionality. Insufficient input validation allows attacker-controlled script content to be stored and later executed when administrative users...

5.1CVSS5.8AI score0.00184EPSS
Exploits0References2
cve
cve
added 2026/01/20 8:48 p.m.16 views

CVE-2026-21642

Revive Adserver is affected by CVE-2026-21642: a reflected XSS in banner-acl.php and channel-acl.php. An attacker can craft a URL containing an HTML payload; if a logged-in administrator visits the URL, the payload may be reflected to the browser and execute scripts. The available documents (NVD,...

6.1CVSS5.5AI score0.00163EPSS
Exploits0References1Affected Software1
euvd
euvd
added 2026/01/14 5:28 a.m.5 views

EUVD-2026-2538

The Kunze Law plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's shortcode in all versions up to, and including, 2.1 due to the plugin fetching HTML content from a remote server and injecting it into pages without any sanitization or escaping. This makes it possible fo...

4.4CVSS4.7AI score0.00237EPSS
Exploits0References4
cve
cve
added 2026/01/05 5:44 p.m.13 views

CVE-2025-59158

CVE-2025-59158 affects Coolify, a self-hosted application management platform. Version scope: vulnerable when using versions up to and including v4.0.0-beta.420.6; a stored cross-site scripting (XSS) flaw exists in the project creation workflow. An authenticated user with low privileges (e.g., me...

9.4CVSS5.2AI score0.00474EPSS
Exploits1References1Affected Software1
cvelist
cvelist
added 2026/01/02 6:0 a.m.31 views

CVE-2025-13456 Shopbuilder < 3.2.2 - Reflected XSS

The ShopBuilder WordPress plugin before 3.2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

0.00198EPSS
Exploits0References1
euvd
euvd
added 2025/12/29 10:12 p.m.4 views

EUVD-2025-205601

phpMyFAQ has Stored XSS in user list via admin-managed displayname...

5.4CVSS5.6AI score0.0023EPSS
Exploits0References4
ptsecurity
ptsecurity
added 2025/12/29 12:0 a.m.5 views

PT-2025-53729

Name of the Vulnerable Software and Affected Versions phpMyFAQ versions 4.0.14 through 4.0.15 Description phpMyFAQ is a web application for creating FAQs. Versions 4.0.14 and 4.0.15 contain a stored cross-site scripting XSS issue. An attacker can inject and execute arbitrary JavaScript code in an...

6.1CVSS5.9AI score0.0023EPSS
Exploits0References8
cvelist
cvelist
added 2025/12/17 10:44 p.m.24 views

CVE-2023-53927 PHPJabbers Simple CMS 5.0 Stored Cross-Site Scripting via Section Creation

PHPJabbers Simple CMS 5.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through section name parameters. Attackers can create sections with embedded JavaScript payloads that will execute when administrators view the sections,...

5.4CVSS0.00233EPSS
Exploits1References3
redhatcve
redhatcve
added 2025/12/16 6:56 a.m.13 views

CVE-2025-12684

The URL Shortify WordPress plugin before 1.11.3 does not sanitize and escape a parameter before outputting it back in the page, leading to a reflected cross site scripting, which could be used against high-privilege users such as admins...

7.1CVSS6.4AI score0.00147EPSS
Exploits0References1
nvd
nvd
added 2025/12/15 6:15 a.m.3 views

CVE-2025-12684

The URL Shortify WordPress plugin before 1.11.3 does not sanitize and escape a parameter before outputting it back in the page, leading to a reflected cross site scripting, which could be used against high-privilege users such as admins...

7.1CVSS0.00147EPSS
Exploits0References1
cve
cve
added 2025/12/15 6:0 a.m.19 views

CVE-2025-12684

CVE-2025-12684 : The WordPress Plugin URL Shortify is vulnerable in versions before 1.11.3 due to failure to sanitize and escape a parameter before reflecting it on the page, causing a reflected cross-site scripting (XSS). Exploitation could target high-privilege users (e.g., admins). Impact per ...

7.1CVSS6AI score0.00147EPSS
Exploits0References1
Rows per page
Query Builder