
42 matches found

EUVD
added 2026/05/16 3:25 p.m. | 5 views

EUVD-2020-31236

NewsLister contains an authenticated persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the title parameter in the news addition interface. Attackers can inject JavaScript payloads via the title field in the admin panel that...

CVSS 6.4 | AI score 5.7 | EPSS 0.00032
Exploits: 0 | References: 3
EUVD
added 2026/05/15 7:24 p.m. | 3 views

EUVD-2026-30610

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the AccountPending.svelte component renders the admin-configured "Pending User Overlay Content" using marked.parse inside @html with an incorrect DOMPurify application order. An admi...

CVSS 4.8 | AI score 5.9 | EPSS 0.00033
Exploits: 1 | References: 1
CVE
added 2026/05/13 8:39 p.m. | 6 views

CVE-2026-39428

CubeCart CVE-2026-39428: A Stored XSS vulnerability affected CubeCart v6.x prior to 6.6.0, where an admin could inject JavaScript into product fields during creation/modification. Payloads stored in the database could execute when users (customers or admins) view affected product pages, potential...

CVSS 4.8 | AI score 5.8 | EPSS 0.00029
Exploits: 0 | References: 1
Cvelist
added 2026/05/01 12:0 a.m. | 25 views

CVE-2026-37503

Cross-Site Scripting XSS in V2Board thru 1.7.4. The customhtml field in theme configuration is rendered using Blade unescaped output in public/theme/v2board/dashboard.blade.php. An admin can inject arbitrary JavaScript via the saveThemeConfig API. All site visitors execute the payload, enabling...

CVSS 6.9 | EPSS 0.00032
Exploits: 1 | References: 2
CVE
added 2026/05/01 12:0 a.m. | 4 views

CVE-2026-37503

CVE-2026-37503 affects V2Board up to version 1.7.4. The vulnerability arises from rendering the custom_html field in theme configuration with unescaped Blade output in public/theme/v2board/dashboard.blade.php. An admin can inject arbitrary JavaScript via the saveThemeConfig API, which is then exe...

CVSS 6.9 | AI score 5.9 | EPSS 0.00032
Exploits: 1 | References: 2 | Affected Software: 1
Packet Storm
added 2026/04/29 12:0 a.m. | 37 views

Coaching Management System 1.0 Cross Site Scripting

Coaching Management System version 1.0 suffers from a persistent cross site scripting vulnerability. Stored Cross-Site Scripting XSS in Coaching Management System Leads to Account Takeover --- Product Coaching Management System in PHP Code-Projects.org...

CVSS 5.1 | AI score 4.3 | EPSS 0.00036
Exploits: 1
ATTACKERKB
added 2026/04/22 11:26 p.m. | 1 view

CVE-2026-4918

IBM Guardium Data Protection 12.1 is vulnerable to stored cross-site scripting. This vulnerability allows an administrative user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session...

CVSS 5.5 | AI score 5.5 | EPSS 0.00034
Exploits: 0 | References: 2 | Affected Software: 1
GithubExploit
added 2026/04/12 4:30 p.m. | 143 views

Exploit for CVE-2020-24586

Fracture FragAttacks WiFi Penetration Framework CVE-202...

CVSS 3.5 | AI score 7.1 | EPSS 0.01457
Exploits: 4
OSV
added 2026/04/03 9:37 p.m. | 2 views

GHSA-X8HC-FQV3-7GWF Signal K Server: Privilege Escalation by Admin Role Injection via /enableSecurity

Summary According to SignalK's security documentation, when a server is first initialized without security enabled, the /skServer/enableSecurity endpoint is intentionally exposed to allow the owner to set up the initial admin account. This initial open access is by design. However, the critical...

CVSS 9.4 | AI score 6 | EPSS 0.00031
Exploits: 1 | References: 4
ATTACKERKB
added 2026/03/21 3:27 a.m. | 0 views

CVE-2026-3353

The Comment SPAM Wiper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'API Key' setting in all versions up to, and including, 1.2.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 4.4 | AI score 5.9 | EPSS 0.00039
Exploits: 0 | References: 4
Positive Technologies
added 2026/02/19 12:0 a.m. | 3 views

PT-2026-20639

Name of the Vulnerable Software and Affected Versions Slidorion versions up to and including 1.0.2 Description The Slidorion plugin for WordPress is susceptible to Stored Cross-Site Scripting through admin settings. Insufficient input sanitization and output escaping allow authenticated attackers...

CVSS 4.4 | AI score 5.3 | EPSS 0.00032
Exploits: 0 | References: 5
Cvelist
added 2026/02/10 3:4 a.m. | 26 views

CVE-2026-24325 Cross Site Scripting (XSS) vulnerability in SAP BusinessObjects Enterprise (Central Management Console)

SAP BusinessObjects Enterprise does not sufficiently encode user-controlled inputs, leading to Stored Cross-Site Scripting XSS vulnerability. This enables an admin user to inject malicious JavaScript into a website and the injected script gets executed when the user visits the compromised page. Th...

CVSS 4.8 | EPSS 0.00012
Exploits: 0 | References: 2
CVE
added 2026/02/10 3:4 a.m. | 4 views

CVE-2026-24325

SAP BusinessObjects Enterprise contains a Stored XSS flaw due to insufficient encoding of user-controlled inputs. An admin user could inject JavaScript that executes when visiting the affected page. The issue has a CVSS v3.1 base score of 4.8 (Medium) with Network access, Low confidentiality and ...

CVSS 4.8 | AI score 5.5 | EPSS 0.00012
Exploits: 0 | References: 2 | Affected Software: 1
RedhatCVE
added 2025/12/23 11:29 p.m. | 3 views

CVE-2023-53977

myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the forum management system that allows authenticated administrators to inject malicious scripts when creating new forums. Attackers can exploit this vulnerability by inserting script payloads in the forum title field when...

CVSS 5.4 | AI score 6.1 | EPSS 0.00025
Exploits: 1 | References: 1
NVD
added 2025/12/18 8:15 p.m. | 8 views

CVE-2023-53936

Cameleon CMS 2.7.4 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts into post titles. Attackers can create posts with embedded SVG scripts that execute when other users mouse over the post title, potentially stealing...

CVSS 5.1 | EPSS 0.00023
Exploits: 1 | References: 3
Cvelist
added 2025/12/11 9:35 p.m. | 16 views

CVE-2024-58291 Flatboard 3.2 Authenticated Stored Cross-Site Scripting via Forum Information Field

Flatboard 3.2 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts in forum information fields. Attackers can insert JavaScript payloads that execute when other users view the forum, potentially stealing session cookies and...

CVSS 5.3 | EPSS 0.0006
Exploits: 0 | References: 4
RedhatCVE
added 2025/11/09 3:57 a.m. | 4 views

CVE-2025-12125

The HTML Forms – Simple WordPress Forms Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 4.4 | AI score 4.8 | EPSS 0.0002
Exploits: 0 | References: 1
RedhatCVE
added 2025/10/24 10:34 a.m. | 3 views

CVE-2025-9980

QuickCMS is vulnerable to multiple Stored XSS in page editor functionality pages-form. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. By default admin user is not able to add JavaScript into the...

CVSS 4.8 | AI score 6.4 | EPSS 0.00022
Exploits: 0 | References: 1
NVD
added 2025/10/08 12:15 a.m. | 5 views

CVE-2025-61998

OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content as a URL within the Technical Support Hyperlink Manager. Injected content is executed in the context of other users when they click the malicious link. Successful exploitation allows the...

CVSS 4.8 | EPSS 0.00027
Exploits: 0 | References: 3
EUVD
added 2025/10/07 12:30 a.m. | 1 view

EUVD-2014-2131

Malware in sbrugna...

CVSS 3.5 | AI score 6.4 | EPSS 0.00518
Exploits: 1 | References: 3