59 matches found
CVE-2026-42683
The CVE-2026-42683 entry concerns the WordPress plugin VikBooking Hotel Booking Engine & PMS, affected through version 1.8.8. The issue is an Improper Neutralization of Input During Web Page Generation, i.e., a DOM-based Cross-Site Scripting (XSS) vulnerability. The root cause, as stated, is impr...
ninenines cowlib: Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability allows SSE event splitting and injection via unvalidated field values
Improper Neutralization of CRLF Sequences 'CRLF Injection' vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field values. cowsse:event/1 in cowlib guards the id and event fields against \n but not against bare \r, and the internal prefixlines/2 function...
Cross-site Scripting (XSS)
Overview: org.webjars.npm:leaflet is a JavaScript library for mobile-friendly interactive maps. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the bindPopup method. An attacker can execute arbitrary JavaScript code in the context of a user's browser session by...
CVE-2026-33510 DOM-Based XSS in Homarr /auth/login Redirect
Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scripting (XSS) vulnerability has been discovered in Homarr's /auth/login page. The application improperly trusts a URL parameter callbackUrl, which is passed to redirect and router.push. An attacker can craft a malicious...
Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the handling of user-supplied input in various parameters across both authenticated and unauthenticated areas of the application. An attacker can execute arbitrary JavaScript in the context of a victim's...
CVE-2026-32450
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in RealMag777 Active Products Tables for WooCommerce profit-products-tables-for-woocommerce allows DOM-Based XSS. This issue affects Active Products Tables for WooCommerce: from n/a through <= 1.0.7...
Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the hotlinking process. An attacker can execute arbitrary JavaScript code in the context of users viewing the hotlinked SVG by uploading a crafted SVG file containing malicious scripts and creating a hotlink...
CVE-2026-27616
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to upload SVG files as task attachments. SVG is an XML-based format that supports JavaScript execution through elements such as...
Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the SVG file upload process. An attacker can execute arbitrary scripts in the context of a user's browser session by uploading a specially crafted SVG file. Details: Cross-site scripting or XSS is a code...
UBUNTU-CVE-2025-67855
A flaw was found in Moodle. A remote attacker could exploit a reflected Cross-Site Scripting (XSS) vulnerability in the policy tool return URL. This vulnerability arises from insufficient sanitization of URL parameters, allowing attackers to inject malicious scripts through specially crafted links...
CVE-2022-50942
Icinga Web 2.8.2 contains a client-side cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through the icinga.min.js file. Attackers can exploit the EventListener.handleEvent method to execute arbitrary scripts, potentially leading to session hijacki...
Icinga Web 2 Cross-Site Scripting Vulnerability
Icinga Web 2 is an open-source monitoring and measurement solution developed by Icinga. Version 2.8.2 of Icinga Web 2 contains a cross-site scripting vulnerability. This vulnerability stems from the icinga.min.js file, which has a client-side cross-site scripting vulnerability. It may lead to...
CVE-2025-68538 WordPress Craft | Coffee Shop Cafe Restaurant WordPress theme <= 2.3.6 - Reflected Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in ThemeGoods Craft craftcoffee allows DOM-Based XSS. This issue affects Craft: from n/a through <= 2.3.6...
CVE-2025-62750 WordPress WooCommerce Parcelas plugin <= 1.3.5 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Filipe Seabra WooCommerce Parcelas woocommerce-parcelas allows DOM-Based XSS. This issue affects WooCommerce Parcelas: from n/a through <= 1.3.5...
CVE-2025-66103
CVE-2025-66103 corresponds to a vulnerability in WPCal.io (as reported by Wordfence) affecting version up to 0.9.5.9, described as an Authenticated (Contributor+) Stored Cross-Site Scripting via the events_list_grouped shortcode and patched. The initial description also mentions a DOM-based XSS i...
EUVD-2025-35535
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows DOM-Based XSS. This issue affects Seriously Simple Podcasting: from n/a through <= 3.11.1...
EUVD-2018-3133
Malware in sbrugna...
Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the remote app title field. An attacker can execute arbitrary web scripts or inject malicious HTML by submitting crafted input to this field. Details: Cross-site scripting or XSS is a code vulnerability that...
Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the dataAddonlayouts and dataAddonlayoutsexcept parameters in the /apprain/developer/addons/update/admin process. An attacker can execute arbitrary scripts in the context of a user's browser by submitting...
Microweber CMS Security Vulnerability
Microweber CMS is a drag-and-drop website builder from Microweber Open Source. A security vulnerability exists in Microweber CMS version 2.0, which stems from reflective cross-site scripting in the id parameter in the liveedit.modulesettings API endpoint, which could lead to arbitrary JavaScript...