Mitel ShoreTel 19.46.1802.0 Devices - Cross-Site Scripting

Mitel ShoreTel 19.46.1802.0 devices and their conference component are vulnerable to an unauthenticated attacker conducting reflected cross-site scripting attacks via the PATHINFO variable to index.php due to insufficient validation for the timezone object in the HOMEMEETING& page. id:...

EUVD-2026-32630

FacturaScripts is an open source accounting and invoicing software. In 2025.92 and earlier, a stored Cross-Site Scripting XSS vulnerability exists in the product search modal of sales Core/Lib/AjaxForms/SalesModalHTML.php and purchases documents Core/Lib/AjaxForms/PurchasesModalHTML.php. An...

Improper Encoding or Escaping of Output

Overview Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the linkHref field handling. An attacker can execute arbitrary JavaScript by supplying a javascript: URL in an image widget's link URL field and having it rendered on the page. This affects...

CVE-2026-42948

Stored cross-site scripting vulnerability exists in ELECOM wireless LAN access point devices. If one of the administrators input malicious data, an arbitrary script may be executed in another administrative user's web browser...

CVE-2025-56535

OpenNebula 6.10.0.1 is affected by a cross-site scripting (XSS) vulnerability in the zone attribute parameter. The issue allows an attacker to render arbitrary web scripts or HTML in the victim’s browser. The available documents consistently describe the vulnerability as XSS in OpenNebula v6.10.0...

GROWI vulnerable to stored cross-site scripting

Overview GROWI provided by GROWI, Inc. contains the following vulnerability. Stored cross-site scripting CWE-79 - CVE-2026-26291 Norihide Saito reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary...

CVE-2026-26291

Stored cross-site scripting vulnerability exists in GROWI v7.4.6 and earlier. If this vulnerability is exploited, an arbitrary script may be executed in a user's web browser...

GHSA-VFFH-X6R8-XX99 Prometheus has Stored XSS via metric names and label values in Prometheus web UI tooltips and metrics explorer

Impact Stored cross-site scripting XSS via crafted metric names in the Prometheus web UI: Old React UI + New Mantine UI: When a user hovers over a chart tooltip on the Graph page, metric names containing HTML/JavaScript are injected into innerHTML without escaping, causing arbitrary script...

CVE-2025-45806

A cross-site scripting XSS vulnerability in rrweb-snapshot before v2.0.0-alpha.18 allows attackers to execute arbitrary web scripts or HTML via a crafted payload...

CVE-2026-27787

Cross-site scripting vulnerability exists in MATCHA SNS 1.3.9 and earlier. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the website using the product...

PT-2026-31084

Name of the Vulnerable Software and Affected Versions MATCHA SNS versions prior to 1.4.0 Description A cross-site scripting issue exists. Successful exploitation could allow an attacker to execute arbitrary scripts in a user's web browser when they access the website. Recommendations Update to...

PT-2026-31288

Name of the Vulnerable Software and Affected Versions Robo Gallery versions through 5.1.3 Description The Robo Gallery plugin for WordPress is susceptible to Stored Cross-Site Scripting via the 'Loading Label' setting. The plugin utilizes a custom |...| marker pattern within its fixJsFunction...

CVE-2025-70844

yaffa v2.0.0 is vulnerable to Cross Site Scripting XSS. An attacker can inject malicious JavaScript into the "Add Account Group" function on the account-group page, allowing execution of arbitrary script in the context of users who view the affected page...

CVE-2025-70844

yaffa v2.0.0 is vulnerable to Cross Site Scripting XSS. An attacker can inject malicious JavaScript into the "Add Account Group" function on the account-group page, allowing execution of arbitrary script in the context of users who view the affected page...

Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the Page Sign parameter

An authenticated stored cross-site scripting XSS vulnerability in Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Page Sign parameter...

Cross-site Scripting (XSS)

Overview feehi/cms is a Feehi CMS project template. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the Name parameter in the Category module. An attacker can execute arbitrary web scripts or HTML by injecting a crafted payload. Details Cross-site scripting or XSS...

CVE-2025-10551

A Stored Cross-site Scripting XSS vulnerability affecting Document Management in ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session...

CVE-2026-32901

Affected software: OpenClaw prior to version 2026.3.2. Vulnerability type: semantic drift in node system.run approval hardening that rewrites wrapper argv, enabling execution of unintended local scripts when an attacker can influence argv and place malicious files in the approved working director...

CVE-2015-20114

Next Click Ventures RealtyScript 4.0.2 contains a cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious input through multiple parameters that are not properly sanitized. Attackers can craft requests with injected script payloads...

CVE-2026-20116

A vulnerability in the web-based management interface of Cisco Finesse, Cisco Packaged Contact Center Enterprise Packaged CCE, Cisco Unified Contact Center Enterprise Unified CCE, Cisco Unified Contact Center Express Unified CCX, and Cisco Unified Intelligence Center could allow an unauthenticate...