Lucene search
K

611 matches found

Snyk
Snyk
added 2026/03/18 12:58 p.m.6 views

Cross-site Scripting (XSS)

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the fullName field in the revision/draft context menu, which is rendered as raw HTML due to improper handling with Template::raw and string interpolation. An...

6.4CVSS5.8AI score0.00243EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/03/18 12:0 a.m.9 views

PT-2026-26084

MuraCMS through 10.1.10 contains a CSRF vulnerability that allows attackers to permanently destroy all deleted content stored in the trash system through a simple CSRF attack. The vulnerable cTrash.empty function lacks CSRF token validation, enabling malicious websites to forge requests that...

8.1CVSS5.8AI score0.00124EPSS
Exploits0References4
EUVD
EUVD
added 2026/03/16 6:32 p.m.3 views

EUVD-2026-12462

Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a reflected cross-site scripting vulnerability in the Network Diagnosis ping function that allows attackers to execute arbitrary JavaScript. Attackers can craft malicious links with injected script payloads in the pingipaddr parameter t...

5.1CVSS5.9AI score0.00155EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/03/16 12:0 a.m.4 views

PT-2026-25783

Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a reflected cross-site scripting vulnerability in the Network Diagnosis ping function that allows attackers to execute arbitrary JavaScript. Attackers can craft malicious links with injected script payloads in the ping ipaddr parameter ...

5.1CVSS5.9AI score0.00155EPSS
Exploits0References2
GithubExploit
GithubExploit
added 2026/03/15 6:9 p.m.160 views

Exploit for Cross-site Scripting in Invoiceplane

CVE-2026-25594 — Stored XSS via Family Name in InvoicePlane 1...

4.8CVSS6.2AI score0.00214EPSS
Exploits2
Github Security Blog
Github Security Blog
added 2026/03/13 3:48 p.m.9 views

OpenClaw: Write-scoped callers could reach admin-only session reset logic through `agent`

Summary In affected versions of openclaw, a gateway caller with operator.write could issue agent requests containing /new or /reset and reach the same reset path used by the admin-only sessions.reset RPC. Impact On gateways where a caller is intentionally granted operator.write but not...

5.8AI score
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/12 12:0 a.m.4 views

PT-2026-24948

A vulnerability exists in Progress Flowmon ADS versions prior to 12.5.5 and 13.0.3, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session...

8.6CVSS5.8AI score0.00286EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/03/08 7:56 a.m.4 views

CVE-2026-2433

The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via postMessage in all versions up to, and including, 5.0.11. This is due to the plugin's admin-shell.js registering a global message event listener...

6.1CVSS6AI score0.00209EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/03/07 7:22 a.m.5 views

CVE-2026-2433

The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via postMessage in all versions up to, and including, 5.0.11. This is due to the plugin's admin-shell.js registering a global message event listener...

6.1CVSS6AI score0.00209EPSS
Exploits0References7
CVE
CVE
added 2026/03/07 7:22 a.m.21 views

CVE-2026-2433

The CVE-2026-2433 entry concerns the WordPress plugin RSS Aggregator (RSS Import, News Feeds, Feed to Post, Autoblogging) up to version 5.0.11. The root cause is a DOM-based XSS via postMessage arising from admin-shell.js: a global message listener is registered without origin validation, and use...

6.1CVSS6AI score0.00209EPSS
Exploits0References6
CNNVD
CNNVD
added 2026/03/07 12:0 a.m.6 views

WordPress plugin RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

6.1CVSS6AI score0.00209EPSS
Exploits0References7
EUVD
EUVD
added 2026/03/06 3:27 a.m.5 views

EUVD-2025-208337

Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability exists in Chamilo LMS that allows a staff account to execute arbitrary JavaScript in the browser of higher-privileged admin users. The issue arises because feedback input in the exercise history page is...

6.4CVSS6.1AI score0.00177EPSS
Exploits0References2
NVD
NVD
added 2026/02/25 3:16 a.m.7 views

CVE-2026-27621

TypiCMS is a multilingual content management system based on the Laravel framework. A Stored Cross-Site Scripting XSS vulnerability exists in the file upload module of TypiCMS prior to version 16.1.7. The application allows users with file upload permissions to upload SVG files. While there is a...

6.8CVSS0.00188EPSS
Exploits2References2
ATTACKERKB
ATTACKERKB
added 2026/02/25 2:36 a.m.6 views

CVE-2026-27621

TypiCMS is a multilingual content management system based on the Laravel framework. A Stored Cross-Site Scripting XSS vulnerability exists in the file upload module of TypiCMS prior to version 16.1.7. The application allows users with file upload permissions to upload SVG files. While there is a...

6.8CVSS5.6AI score0.00188EPSS
Exploits2References3Affected Software1
RedhatCVE
RedhatCVE
added 2026/02/21 7:29 p.m.4 views

CVE-2026-27504

SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in radiomobilefront.php via the stationid query parameter. When an authenticated administrator views a crafted URL, the application embeds the unsanitized parameter value into a hidden input value field, allowi...

6.1CVSS5.4AI score0.00183EPSS
Exploits0References1
NVD
NVD
added 2026/02/20 5:25 p.m.4 views

CVE-2026-27504

SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in radiomobilefront.php via the stationid query parameter. When an authenticated administrator views a crafted URL, the application embeds the unsanitized parameter value into a hidden input value field, allowi...

6.1CVSS0.00183EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/02/20 4:48 p.m.23 views

CVE-2026-27504 SVXportal <= 2.5 radiomobile_front.php stationid Reflected XSS

SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in radiomobilefront.php via the stationid query parameter. When an authenticated administrator views a crafted URL, the application embeds the unsanitized parameter value into a hidden input value field, allowi...

6.1CVSS0.00183EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/02/20 4:48 p.m.4 views

CVE-2026-27504

SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in radiomobilefront.php via the stationid query parameter. When an authenticated administrator views a crafted URL, the application embeds the unsanitized parameter value into a hidden input value field, allowi...

6.1CVSS5.3AI score0.00183EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/02/20 12:0 a.m.5 views

PT-2026-21273

SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in radiomobile front.php via the stationid query parameter. When an authenticated administrator views a crafted URL, the application embeds the unsanitized parameter value into a hidden input value field,...

5.1CVSS5.4AI score0.00183EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/02/18 8:59 p.m.3 views

CVE-2019-25399 IPFire 2.21 Core Update 127 Stored XSS via extrahd.cgi

IPFire 2.21 Core Update 127 contains multiple stored cross-site scripting vulnerabilities in the extrahd.cgi script that allow attackers to inject malicious scripts through the FS, PATH, and UUID parameters. Attackers can submit POST requests with script payloads in these parameters to execute...

6.4CVSS5.6AI score0.00232EPSS
Exploits1References4
Rows per page
Query Builder