Lucene search
K

31 matches found

Cvelist
Cvelist
added 2026/07/01 11:13 p.m.35 views

CVE-2026-55791 Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJs

Craft CMS is a content management system CMS. Versions 4.0.0-RC1 and above, prior to 4.18.0 and 5.0.0-RC1, and above, prior to 5.10.0, are vulnerable to Server-Side Request Forgery SSRF and Arbitrary JavaScript Injection through the /actions/app/resource-js endpoint. By exploiting the default...

6.9CVSS0.0033EPSS
Exploits0References2
CVE
CVE
added 2026/07/01 11:13 p.m.39 views

CVE-2026-55791

Craft CMS vulnerability CVE-2026-55791 enables SSRF and Arbitrary JavaScript Injection via /actions/app/resource-js when assetManager.cacheSourcePaths is false and trustedHosts is permissive. An attacker can poison Host/X-Forwarded-Host to hijack $baseUrl, causing Craft::createGuzzleClient()->...

6.9CVSS5.8AI score0.0033EPSS
Exploits0References2
CNVD
CNVD
added 2025/10/31 12:0 a.m.2 views

IPFire Cross-Site Scripting Vulnerability (CNVD-2025-27704)

IPFire is an open source Linux distribution from the IPFire organization. It is mainly used as a router and firewall. IPFire suffers from a cross-site scripting vulnerability that stems from insufficient input cleanup and escaping of the INCSPD, OUTSPD, DEFCLASSINC, and DEFCLASSOUT parameters,...

5.4CVSS6.2AI score0.00453EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/10/14 9:46 a.m.6 views

CVE-2025-11183

Cross-Site Scripting vulnerability in attribute table in QGIS QWC2 2025.08.14 allows an authorized attacker to plant arbitrary JavaScript code in the page...

6.9CVSS6.4AI score0.00395EPSS
Exploits0References1
EUVD
EUVD
added 2025/10/07 12:30 a.m.3 views

EUVD-2021-10018

Malware in sbrugna...

6.1CVSS6.2AI score0.017EPSS
Exploits0References4
EUVD
EUVD
added 2025/10/07 12:30 a.m.8 views

EUVD-2020-21310

Malware in sbrugna...

5.4CVSS5.4AI score0.01078EPSS
Exploits1References5
EUVD
EUVD
added 2025/10/03 8:7 p.m.7 views

EUVD-2022-42611

Malicious code in bioql PyPI...

5.4CVSS5.7AI score0.00491EPSS
Exploits2References2
RedhatCVE
RedhatCVE
added 2025/08/02 8:23 p.m.9 views

CVE-2025-51569

A cross-site scripting XSS vulnerability exists in the LB-Link BL-CPE300M 01.01.02P42U1406 router's web interface. The /goform/goformgetcmdprocess endpoint fails to sanitize user input in the cmd parameter before reflecting it into a text/html response. This allows unauthenticated attackers to...

6.1CVSS5.5AI score0.00252EPSS
Exploits0References1
NVD
NVD
added 2025/05/30 7:15 a.m.14 views

CVE-2025-48875

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.181, the system's incorrect validation of lastname and firstname during profile data updates allows for the injection of arbitrary JavaScript code, which will be executed in a flesh-message when the data is deleted...

5.4CVSS0.00214EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2025/05/08 12:0 a.m.6 views

CVE-2025-28073

phpList before 3.6.15 is vulnerable to Reflected Cross-Site Scripting XSS via the /lists/dl.php endpoint. An attacker can inject arbitrary JavaScript code by manipulating the id parameter, which is improperly sanitized...

6AI score0.00537EPSS
Exploits1References4
Tenable Nessus
Tenable Nessus
added 2024/04/03 12:0 a.m.18 views

Westermo Lynx 206-F2G Improper Neutralization of Input During Web Page Generation (CVE-2023-40143)

An attacker with access to the Westermo Lynx web application that has the vulnerable software could introduce arbitrary JavaScript by injecting a cross-site scripting payload into the 'forward.0.domain' parameter. This plugin only works with Tenable.ot. Please visit...

5.4CVSS6AI score0.00294EPSS
Exploits0References3
NVD
NVD
added 2024/01/16 4:15 p.m.10 views

CVE-2022-3194

The Dokan WordPress plugin before 3.6.4 allows vendors to inject arbitrary javascript in product reviews, which may allow them to run stored XSS attacks against other users like site administrators...

5.4CVSS5.2AI score0.00491EPSS
Exploits2References1
OSV
OSV
added 2023/08/14 9:10 p.m.14 views

GHSA-9PHH-R37V-34WH lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files

Impact The browser renders the resulting HTML when opening a direct link to an HTML file via lakeFS. Any JavaScript within that page is executed within the context of the domain lakeFS is running in. An attacker can inject a malicious script inline, download resources from another domain, or make...

5.8CVSS6.6AI score
Exploits0References4
Veracode
Veracode
added 2023/05/16 7:5 a.m.17 views

Cross-site Scripting (XSS)

pimcore/pimcore is vulnerable to Cross-site Scripting XSS. The vulnerability exists in setName of Rule.php due to improper sanitization of input name parameter which allows an attacker to inject and execute arbitrary javascript...

5.4CVSS6.8AI score0.00508EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2023/04/25 9:30 a.m.27 views

Arbitrary javascript injection in Apache Jena

There is insufficient checking of user queries in Apache Jena versions 4.7.0 and earlier, when invoking custom scripts. It allows a remote user to execute arbitrary javascript via a SPARQL query...

5.4CVSS6.7AI score0.01324EPSS
Exploits0References4Affected Software1
NVD
NVD
added 2022/10/11 6:15 p.m.24 views

CVE-2022-42236

A Stored XSS issue in Merchandise Online Store v.1.0 allows to injection of Arbitrary JavaScript in edit account form...

5.4CVSS0.00388EPSS
Exploits0References1
Prion
Prion
added 2022/10/11 6:15 p.m.12 views

Cross site scripting

A Stored XSS issue in Merchandise Online Store v.1.0 allows to injection of Arbitrary JavaScript in edit account form...

4.9CVSS5.4AI score0.00388EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2022/10/11 12:0 a.m.5 views

CVE-2022-42236

A Stored XSS issue in Merchandise Online Store v.1.0 allows to injection of Arbitrary JavaScript in edit account form...

6.2AI score0.00388EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2022/06/21 8:4 p.m.37 views

Argo CD's external URLs for Deployments can include JavaScript

Impact All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting XSS bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permissions up to and including admin. The scri...

9CVSS5.6AI score0.00909EPSS
Exploits0References5Affected Software2
NVD
NVD
added 2022/05/23 8:16 a.m.32 views

CVE-2022-1093

The WP Meta SEO WordPress plugin before 4.4.7 does not sanitise or escape the breadcrumb separator before outputting it to the page, allowing a high privilege user such as an administrator to inject arbitrary javascript into the page even when unfiltered html is disallowed...

4.8CVSS0.00646EPSS
Exploits2References1
Rows per page
Query Builder