CVE-2026-4313
AdaptiveGRC is vulnerable to stored XSS via text-type fields across the forms. An authenticated attacker can replace the value of the text field in the HTTP POST request. Improper parameter validation by the server results in arbitrary JavaScript execution in the victim's browser. Critically, this...
CVE-2026-4313
CVE-2026-4313 affects AdaptiveGRC. The issue is a stored XSS vulnerability in text-type fields across forms, where an authenticated attacker can replace a field value in an HTTP POST request. The server’s improper parameter validation can lead to arbitrary JavaScript execution in the victim’s bro...
EUVD-2026-22766
Jellyfin is an open-source, self-hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the LiveTV M3U tuner endpoint POST /LiveTv/TunerHosts, where the tuner URL is not validated, allowing local file read via non-HTTP paths and Server-Side Request Forgery (SSRF) via HTTP...
CVE-2026-22808
fleetdm/fleet is open source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit this XSS vulnerability to steal a Fleet administrator's authentication token FLEET::authtoken from localStorage...
Cross-site Scripting (XSS)
Overview: flowise is a Flowiseai Server. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the chat logs, due to improper input sanitization. An attacker can access sensitive information or impersonate an administrator by injecting malicious HTML or scripts into chat...
CVE-2025-34157
Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting XSS attack in the project creation workflow. An authenticated user with low privileges can create a project with a maliciously crafted name containing embedded JavaScript. When an administrator attempts to...
CVE-2024-21516
This affects versions of the package opencart/opencart from 4.0.0.0 and before 4.1.0.0. A reflected XSS issue was identified in the directory parameter of admin common/filemanager.list route. An attacker could obtain a user's token by tricking the user to click on a maliciously crafted URL. The...
CVE-2024-3110
A stored Cross-Site Scripting XSS vulnerability exists in the mintplex-labs/anything-llm application, affecting versions up to and including the latest before 1.0.0. The vulnerability arises from the application's failure to properly sanitize and validate user-supplied URLs before embedding them...
Reflected Cross-site Scripting
Overview: opencart/opencart is a shopping cart system. Affected versions of this package are vulnerable to Reflected Cross-site Scripting. A reflected XSS issue was identified in the filename parameter of the admin tool/log route. An attacker could obtain a user's token by tricking the user to clic...
CVE-2024-3110
Concretely, CVE-2024-3110 affects mintplex-labs/anything-llm before version 1.0.0. The root cause is improper sanitization/validation of user-supplied URLs when embedding them as external links with icons, allowing a stored XSS via javascript: payloads. Exploitation requires user interaction (e.g...
PT-2024-23768 · Mintplex · Anything-Llm
Name of the Vulnerable Software and Affected Versions: mintplex-labs/anything-llm versions prior to 1.0.0
Description: A stored Cross-Site Scripting (XSS) vulnerability exists in the mintplex-labs/anything-llm application. The vulnerability arises from the application's failure to properly sanitize...
Cross-Site Request Forgery (CSRF)
pimcore/pimcore is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability exists due to a lack of login sanitization for the PHPSESSID cookie, which allows an attacker to steal an admin token and log in using it, resulting in sensitive information disclosure or remote code execution...
CVE-2022-36223
In Emby Server 4.6.7.0, the playlist name field is vulnerable to stored XSS, where it is possible to steal the administrator access token and flip or steal the media server administrator account...
CVE-2022-35910
In Jellyfin before 10.8, stored XSS allows theft of an admin access token...
Nagios Log Server Incorrect Access Control Vulnerability
Nagios Log Server is a powerful enterprise-grade log monitoring and management application that allows organizations to quickly and easily view, sort, and configure logs from any source on any given network. An incorrect access control vulnerability exists in Nagios Log Server 2.1.3. An attacker...