142 matches found
XWiki has Reflected Cross-Site Scripting (XSS) in page history compare
Impact A reflected cross-site scripting vulnerability XSS in the compare view between revisions of a page allows executing JavaScript code in the user's browser. If the current user is an admin, this can not only affect the current user but also the confidentiality, integrity and availability of...
CVE-2026-2936
The Visitor Traffic Real Time Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pagetitle' parameter in all versions up to, and including, 8.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...
CVE-2026-3107
Stored Cross-Site Scripting XSS in Teampass versions prior to 3.1.5.16, affecting the password manager's password import functionality at the endpoint 'redacted/index.php?page=items'. The application fails to properly sanitize and encode user-input data during the import process, allowing malicio...
CVE-2026-2466
The DukaPress WordPress plugin through 3.2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
CVE-2026-27473
SPIP
EUVD-2026-5205
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the...
CVE-2026-25486
CVE-2026-25486 : Craft Commerce (Craft CMS) versions 5.0.0–5.5.1 contain a stored XSS in the Shipping Methods Name field in Store Management, allowing an attacker with store settings/shipping permissions to execute malicious JavaScript in an administrator’s browser. The issue is fixed in version ...
FacturaScripts has Stored Cross-Site Scripting (XSS) in "Observations" field via History View
Summary A Stored Cross-Site Scripting XSS vulnerability was discovered in the Observations field. The flaw occurs in the History view, where historical data is rendered without proper HTML entity encoding. This allows an attacker to execute arbitrary JavaScript in the browser of viewing the histo...
GHSA-4V7V-7V7R-3R5H FacturaScripts has Stored Cross-Site Scripting (XSS) in "Observations" field via History View
Summary A Stored Cross-Site Scripting XSS vulnerability was discovered in the Observations field. The flaw occurs in the History view, where historical data is rendered without proper HTML entity encoding. This allows an attacker to execute arbitrary JavaScript in the browser of viewing the histo...
CVE-2026-24433 Tenda W30E V2 Stored XSS via Username Field
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.195037 contain a stored cross-site scripting vulnerability in the user creation functionality. Insufficient input validation allows attacker-controlled script content to be stored and later executed when administrative users...
CVE-2026-21642
Revive Adserver is affected by CVE-2026-21642: a reflected XSS in banner-acl.php and channel-acl.php. An attacker can craft a URL containing an HTML payload; if a logged-in administrator visits the URL, the payload may be reflected to the browser and execute scripts. The available documents (NVD,...
EUVD-2026-2538
The Kunze Law plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's shortcode in all versions up to, and including, 2.1 due to the plugin fetching HTML content from a remote server and injecting it into pages without any sanitization or escaping. This makes it possible fo...
CVE-2025-59158
CVE-2025-59158 affects Coolify, a self-hosted application management platform. Version scope: vulnerable when using versions up to and including v4.0.0-beta.420.6; a stored cross-site scripting (XSS) flaw exists in the project creation workflow. An authenticated user with low privileges (e.g., me...
CVE-2025-13456 Shopbuilder < 3.2.2 - Reflected XSS
The ShopBuilder WordPress plugin before 3.2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
EUVD-2025-205601
phpMyFAQ has Stored XSS in user list via admin-managed displayname...
PT-2025-53729
Name of the Vulnerable Software and Affected Versions phpMyFAQ versions 4.0.14 through 4.0.15 Description phpMyFAQ is a web application for creating FAQs. Versions 4.0.14 and 4.0.15 contain a stored cross-site scripting XSS issue. An attacker can inject and execute arbitrary JavaScript code in an...
CVE-2023-53927 PHPJabbers Simple CMS 5.0 Stored Cross-Site Scripting via Section Creation
PHPJabbers Simple CMS 5.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through section name parameters. Attackers can create sections with embedded JavaScript payloads that will execute when administrators view the sections,...
CVE-2025-12684
The URL Shortify WordPress plugin before 1.11.3 does not sanitize and escape a parameter before outputting it back in the page, leading to a reflected cross site scripting, which could be used against high-privilege users such as admins...
CVE-2025-12684
The URL Shortify WordPress plugin before 1.11.3 does not sanitize and escape a parameter before outputting it back in the page, leading to a reflected cross site scripting, which could be used against high-privilege users such as admins...
CVE-2025-12684
CVE-2025-12684 : The WordPress Plugin URL Shortify is vulnerable in versions before 1.11.3 due to failure to sanitize and escape a parameter before reflecting it on the page, causing a reflected cross-site scripting (XSS). Exploitation could target high-privilege users (e.g., admins). Impact per ...