2022 matches found
Palo Alto Networks PAN-OS Web Interface - Cross Site-Scripting
PAN-OS management web interface is vulnerable to reflected cross-site scripting. A remote attacker able to convince an administrator with an active authenticated session on the firewall management interface to click on a crafted link to that management web interface could potentially execute...
Zarinpal Paid Download - Reflected XSS
Zarinpal Paid Download WordPress plugin v2.3 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users such as admin, exploit requires...
MaNGOSWebV4 < 4.0.8 - Cross-Site Scripting
paintballrefjosh/MaNGOSWebV4 4.0.8 contains a reflected XSS caused by unsanitized input in install/index.php step parameter, letting attackers execute arbitrary scripts in the victim's browser, exploit requires victim to visit a maliciously crafted URL id: CVE-2017-6478 info: name: MaNGOSWebV4...
CVE-2026-44745 Open Redirect vulnerability in SAP Approuter
SAP Approuter does not properly validate incoming request headers during the OAuth2 login flow under certain configurations. This allows an unauthenticated remote attacker to craft a malicious link which, when clicked by a victim, could lead to unauthorized access. Successful exploitation results...
PT-2026-57920
Name of the Vulnerable Software and Affected Versions HedgeDoc versions prior to 1.11.0 Description The GitHub Gist export flow fails to properly validate the OAuth2 state value, checking only for its presence instead of verifying it against the user session. This allows an attacker to forge a...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper handling of the id parameter in the Bazar widget handler. An attacker can execute arbitrary JavaScript in the victim's browser by crafting a malicious URL that injects attacker-controlled attributes...
PYSEC-2026-661 Moderate severity vulnerability that affects mailman
An issue was discovered in GNU Mailman before 2.1.28. A crafted URL can cause arbitrary text to be displayed on a web page from a trusted site...
OHIF Viewers DICOM
ADVISORY SUMMARY Successful exploitation of this vulnerability in a custom integration version could allow an attacker to steal an authenticated clinician's token via a crafted link. 2. RECOMMENDED PRACTICES CISA recommends users take defensive measures to minimize the risk of exploitation of...
OESA-2026-2695 python3 security update
Python combines remarkable power with very clear syntax. It has modules, classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C...
CVE-2026-8172
The CVE-2026-8172 entry concerns the WordPress plugin Simple Basic Contact Form (through 20250114). The issue is a Reflected Cross-Site Scripting vulnerability caused by not escaping user-supplied input before reflecting it in the contact form output on validation errors. Impact described: unauth...
EUVD-2026-38418
The Simple Basic Contact Form WordPress plugin through 20250114 does not escape user-supplied input before reflecting it into the contact form output on validation errors, leading to a Reflected Cross-Site Scripting vulnerability that unauthenticated attackers can exploit against site visitors vi...
CVE-2026-54221 Reflected XSS in UBB.threads
UBB.threads is vulnerable to Reflected XSS. The application improperly handles user input in certain requests, enabling attackers to execute arbitrary JavaScript in the context of a victim's browser by tricking them into clicking a crafted link. Because vendor contact attempts were unsuccessful,...
CVE-2026-54221
UBB.threads is affected by a Reflected XSS vulnerability (CVE-2026-54221). The issue is confirmed in version 7.7.5 and may affect other versions. The vulnerability allows an attacker to execute arbitrary JavaScript in a victim’s browser when the user clicks a crafted link, with user interaction r...
CVE-2026-40457
The CVE-2026-40457 entry describes a Reflected XSS in LMS (LAN Management System) prior to commit 9c5651b in the dbrecover.php and netremap.php modules, where unsanitized GET parameters are embedded into HTML output. This enables an attacker to inject arbitrary JavaScript when an authenticated us...
CVE-2026-20178
The CVE-2026-20178 issue affects the browser-based Cisco Webex App. Root cause: improper input validation of URL parameters in an HTTP request, enabling an unauthenticated, remote attacker to persuade a user to click a crafted URL and be redirected to a malicious webpage. Impact is limited to use...
CVE-2026-20178
A vulnerability in the browser-based version of Cisco Webex App could have allowed an unauthenticated, remote attacker to redirect users to a malicious webpage. Cisco has addressed this vulnerability in the Cisco Webex App, and no customer action is needed. This vulnerability existed due to...
CVE-2026-8089 weMail < 2.1.3 - Reflected Cross-Site Scripting
The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin before 2.1.3 does not properly escape a user-supplied parameter before reflecting it into an HTML attribute on a non-nonce-protected AJAX response, allowing unauthenticated...
Bosch Security Systems IP Cameras Cross-site Scripting (CVE-2021-23848)
An error in the URL handler Bosch IP cameras may lead to a reflected cross site scripting XSS in the web-based interface. An attacker with knowledge of the camera address can send a crafted link to a user, which will execute javascript code in the context of the user. This plugin only works with...
PT-2026-49329
Name of the Vulnerable Software and Affected Versions Benjamin Jonard Koillection version 1.8.0 Description An authenticated Server-Side Request Forgery SSRF exists in the custom scraper subsystem component. This allows attackers to scan internal resources by supplying a crafted URL. SSRF is a fl...
CVE-2026-53736 Easy Twitter Feeds before 1.2.13 Cross-Site Request Forgery via duplicate_post Action
Easy Twitter Feeds before 1.2.13 contains a cross-site request forgery vulnerability in the duplicatepost action handler that lacks nonce verification. Attackers can trick an authenticated user into visiting a crafted link that duplicates any post regardless of post type...