Lucene search
K

1495 matches found

Nuclei
Nuclei
added 2 days ago49 views

Zarafa WebApp <=2.0.1.47791 - Cross-Site Scripting

Zarafa WebApp 2.0.1.47791 and earlier contains an unauthenticated reflected cross-site scripting vulnerability. An attacker can execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. id: CVE-2019-7219 info: name: Zarafa WebApp =2.0.1.47791 -...

6.1CVSS6.5AI score0.05173EPSS
Exploits0References5
Nuclei
Nuclei
added 3 days ago157 views

SPIP <3.1.2 - Cross-Site Scripting

SPIP 3.1.2 and earlier contains a cross-site scripting vulnerability in validerxml.php which allows remote attackers to inject arbitrary web script or HTML via the varurl parameter in a validerxml action. id: CVE-2016-7981 info: name: SPIP 3.1.2 - Cross-Site Scripting author: pikpikcu severity:...

6.1CVSS6.7AI score0.08216EPSS
Exploits2References5
EUVD
EUVD
added 5 days ago5 views

EUVD-2026-39596

A flaw was found in the Pen Drive report generator. Cluster-sourced data is rendered into HTML reports without proper escaping or sanitization. An attacker with cluster administrator privileges can inject a stored cross-site scripting XSS payload into cluster objects such as ClusterVersion...

6.9CVSS5.7AI score0.00184EPSS
Exploits0References3
Cvelist
Cvelist
added 6 days ago29 views

CVE-2026-57532

Malicious HTML content contained in the layout specification of a PDF ticket or badge layout was executed when the PDF editor is opened in the browser. This could allow one backend user to inject JavaScript into the browser context of another backend user. Due to requirements of the PDF rendering...

8.8CVSS0.0033EPSS
Exploits0References1
OSV
OSV
added 2026/06/23 1:16 p.m.4 views

PYSEC-2026-230

Crawl4AI before 0.8.7 contains a stored cross-site scripting vulnerability in the monitor dashboard that renders crawl URLs and error messages via innerHTML without escaping. An attacker can submit a crafted crawl request with malicious markup that executes in an operator's browser when viewing t...

5.3CVSS5.6AI score0.00417EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/10 8:39 p.m.27 views

CVE-2026-53742 Simple Link Directory through 9.0.4 Stored XSS via Embed Shortcode Attributes

Simple Link Directory through 9.0.4 echoes embed shortcode attributes into HTML data attributes without escaping in the embedder template. Attackers with contributor access can craft a shortcode attribute that injects an event handler executing in a viewer's browser...

5.4CVSS0.00141EPSS
Exploits0References2
NVD
NVD
added 2026/06/09 5:17 p.m.8 views

CVE-2026-48301

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's...

5.4CVSS0.00224EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:38 p.m.11 views

CVE-2026-34658

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may...

4.8CVSS5.5AI score0.00274EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/28 8:12 a.m.10 views

CVE-2026-48999

Attackers carefully craft malicious scripts, such as JavaScript, and inject them into target systems; when other users access pages containing such malicious content, the scripts are automatically loaded and executed in the victim's browser.Attackers can thereby steal user cookies, hijack session...

5.7CVSS5.9AI score0.00169EPSS
Exploits0References1
NVD
NVD
added 2026/05/19 2:16 p.m.24 views

CVE-2025-40900

An Angular template injection vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing an Angular template payload, or a victim can be socially engineered to...

5.1CVSS0.00201EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/19 1:17 p.m.39 views

CVE-2025-40900 Angular template injection in Reports in Guardian/CMC before 26.1.0

An Angular template injection vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing an Angular template payload, or a victim can be socially engineered to...

5.1CVSS0.00201EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/19 1:17 p.m.10 views

CVE-2025-40900

An Angular template injection vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing an Angular template payload, or a victim can be socially engineered to...

5.1CVSS5.8AI score0.00201EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/13 9:32 p.m.7 views

EUVD-2026-30186

CVAT is an open source interactive video and image annotation tool for computer vision. From 2.5.0 to 2.63.0, an attacker who is able to create or edit an annotation guide on a task is able to add malicious JavaScript code, which will then run in the browser of anyone who opens this annotation...

8.5CVSS6AI score0.00266EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/13 9:32 p.m.12 views

CVE-2026-44369 CVAT: Stored XSS via annotation guides

CVAT is an open source interactive video and image annotation tool for computer vision. From 2.5.0 to 2.63.0, an attacker who is able to create or edit an annotation guide on a task is able to add malicious JavaScript code, which will then run in the browser of anyone who opens this annotation...

8.5CVSS6AI score0.00266EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/13 12:0 a.m.13 views

PT-2026-40818

Name of the Vulnerable Software and Affected Versions CVAT versions 2.5.0 through 2.63.0 Description An attacker with permissions to create or edit an annotation guide on a task can inject malicious JavaScript code. This code executes in the browser of any user who opens the affected guide,...

8.5CVSS5.9AI score0.00266EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/05/11 8:26 p.m.10 views

CVE-2021-47948

WordPress GetPaid Plugin 2.4.6 contains an HTML injection vulnerability that allows authenticated attackers to inject arbitrary HTML code by exploiting the Help Text field in payment forms. Attackers can inject malicious HTML including image tags and scripts into the Help Text field during paymen...

5.4CVSS6AI score0.00169EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/10 3:31 p.m.33 views

EUVD-2021-34808

WordPress GetPaid Plugin 2.4.6 contains an HTML injection vulnerability that allows authenticated attackers to inject arbitrary HTML code by exploiting the Help Text field in payment forms. Attackers can inject malicious HTML including image tags and scripts into the Help Text field during paymen...

5.4CVSS6AI score0.00169EPSS
Exploits0References4
CVE
CVE
added 2026/05/10 12:44 p.m.23 views

CVE-2021-47948

The CVE-2021-47948 entry concerns WordPress GetPaid Plugin 2.4.6 with an HTML-injection vulnerability. It allows authenticated attackers to inject arbitrary HTML via the Help Text field in payment forms, with the injected HTML stored in the database and executed in the browser when the form is vi...

5.4CVSS6AI score0.00169EPSS
Exploits0References3
OSV
OSV
added 2026/04/22 10:22 p.m.8 views

GHSA-FFQ5-QPVF-XQ7X OpenC3 COSMOS is Vulnerable to Self-XSS Through the Command Sender

Summary The Command Sender UI uses an unsafe eval function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in the victim’s session, if...

4.6CVSS6.1AI score0.002EPSS
Exploits1References5
RubySec
RubySec
added 2026/04/22 12:0 a.m.8 views

OpenC3 COSMOS is Vulnerable to Self-XSS Through the Command Sender

Summary The Command Sender UI uses an unsafe eval function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in the victim’s session, if...

4.6CVSS5.9AI score0.002EPSS
Exploits1References1Affected Software1
Rows per page
Query Builder