Lucene search
K

1117309 matches found

CVE
CVE
added 1 hour ago2 views

CVE-2026-59710

showdown contains a stored cross-site scripting vulnerability in the parseHeaders function of src/subParsers/makehtml/tables.js that fails to properly escape table header ID attributes. Attackers can inject arbitrary HTML and script-executing SVG elements through double-quote characters in markdo...

6.1CVSS5.9AI score
Exploits0References4
CVE
CVE
added 2 hours ago7 views

CVE-2026-59711

CVE-2026-59711 affects the showdown library. A cross-site scripting vulnerability exists in metadata title handling when the completeHTMLDocument option is enabled; unescaped characters in markdown frontmatter metadata are placed into HTML title tags, allowing script execution in the rendered pa...

6.1CVSS6AI score
Exploits0References3
CVE
CVE
added 3 hours ago12 views

CVE-2026-50133

CVE-2026-50133 affects Hugo, a static site generator. The issue: before v0.162.0, content files mapped to text/html (e.g., HTML under /content or via adapters setting content.mediaType = "text/html") had their body emitted verbatim, enabling stored cross-site scripting if untrusted HTML content i...

5.1CVSS5.4AI score0.00024EPSS
Exploits0References3
CVE
CVE
added 3 hours ago5 views

CVE-2026-58402

Hugo (static site generator) from version 0.60.0 up to 0.163.3 is affected: its default code-block renderer writes the Markdown code-fence language/info-string into the code element wrapper (class="language-…", data-lang="…") without HTML escaping. A fence info-string containing a quote and a scr...

5.1CVSS5.8AI score
Exploits0References4
Cvelist
Cvelist
added 3 hours ago5 views

CVE-2026-58402 Hugo default code block renderer XSS via unescaped code-fence language

Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's default code-block renderer wrote the Markdown code-fence language or info-string into the code class="language-…" data-lang="…" wrapper without HTML escaping. A fence info-string containing a quote and a script payload breaks out...

5.1CVSS
Exploits0References4
NVD
NVD
added 4 hours ago4 views

CVE-2026-12154

The Reviews Widgets for Google, Yelp & TripAdvisor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pageid' shortcode attribute of the fbrev shortcode in versions up to and including 2.7.3. This is due to insufficient input sanitization and output escaping in the...

6.4CVSS
Exploits0References5
CVE
CVE
added 5 hours ago12 views

CVE-2026-12154

The CVE concerns the WordPress plugin Reviews Widgets for Google, Yelp & TripAdvisor (fb-reviews-widget)

6.4CVSS6AI score
Exploits0References5
EUVD
EUVD
added 5 hours ago4 views

EUVD-2026-41894

The Reviews Widgets for Google, Yelp & TripAdvisor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pageid' shortcode attribute of the fbrev shortcode in versions up to and including 2.7.3. This is due to insufficient input sanitization and output escaping in the...

6.4CVSS6AI score
Exploits0References5
NVD
NVD
added 5 hours ago4 views

CVE-2025-53831

DrawIO for ownCloud is an application for using DrawIO with the file storage, synchronization, and sharing application ownCloud Classic. In DrawIO for ownCloud prior to version 1.0.2, which corresponds to ownCloud 10 prior to version 10.15.3, attackers with access to the DrawIO app can leverage...

8.2CVSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 6 hours ago4 views

CVE-2025-53831

DrawIO for ownCloud is an application for using DrawIO with the file storage, synchronization, and sharing application ownCloud Classic. In DrawIO for ownCloud prior to version 1.0.2, which corresponds to ownCloud 10 prior to version 10.15.3, attackers with access to the DrawIO app can leverage...

8.2CVSS5.9AI score
Exploits0References2Affected Software2
EUVD
EUVD
added 6 hours ago4 views

EUVD-2025-210435

DrawIO for ownCloud is an application for using DrawIO with the file storage, synchronization, and sharing application ownCloud Classic. In DrawIO for ownCloud prior to version 1.0.2, which corresponds to ownCloud 10 prior to version 10.15.3, attackers with access to the DrawIO app can leverage...

8.2CVSS5.9AI score
Exploits0References1
NVD
NVD
added 11 hours ago7 views

CVE-2025-8591

The software accepts user-supplied input via a URL parameter without adequate output encoding before reflecting it back to the user's browser. This condition allows an attacker to inject malicious script content into pages served by the application. By leveraging this weakness, an attacker can...

6.1CVSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 12 hours ago3 views

CVE-2025-8591

The software accepts user-supplied input via a URL parameter without adequate output encoding before reflecting it back to the user's browser. This condition allows an attacker to inject malicious script content into pages served by the application. By leveraging this weakness, an attacker can...

6.1CVSS6AI score
Exploits0References2Affected Software8
Cvelist
Cvelist
added 12 hours ago5 views

CVE-2025-8591 Reflected Cross-Site Scripting via URL Parameter in Multiple WSO2 Products Enables UI Modification

The software accepts user-supplied input via a URL parameter without adequate output encoding before reflecting it back to the user's browser. This condition allows an attacker to inject malicious script content into pages served by the application. By leveraging this weakness, an attacker can...

6.1CVSS
Exploits0References1
CVE
CVE
added 12 hours ago9 views

CVE-2025-8591

The CVE-2025-8591 entry describes a reflected cross-site scripting flaw in multiple WSO2 products, triggered by reflecting user-supplied input from a URL parameter without sufficient output encoding. The vulnerability allows an attacker to cause the user’s browser to redirect to a malicious site,...

6.1CVSS6AI score
Exploits0References1
Patchstack
Patchstack
added 12 hours ago8 views

WordPress Comments – wpDiscuz plugin <= 7.6.56 - Unauthenticated Stored Cross-Site Scripting vulnerability

Unauthenticated Stored Cross-Site Scripting vulnerability discovered by mickeyjoe in WordPress Plugin wpDiscuz versions = 7.6.56...

7.2CVSS5.9AI score0.00305EPSS
Exploits0References1Affected Software1
Patchstack
Patchstack
added 13 hours ago7 views

WordPress Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin <= 2.11.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability

Authenticated Subscriber+ Stored Cross-Site Scripting vulnerability discovered by daroo in WordPress Plugin Ultimate Member versions = 2.11.4...

6.4CVSS5.9AI score0.00241EPSS
Exploits0References1Affected Software1
Patchstack
Patchstack
added 13 hours ago5 views

WordPress JSON API User plugin <= 4.1.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability

Authenticated Subscriber+ Stored Cross-Site Scripting vulnerability discovered by Yat in WordPress Plugin JSON API User versions = 4.1.0...

6.4CVSS5.9AI score0.00228EPSS
Exploits0References1Affected Software1
NVD
NVD
added 14 hours ago4 views

CVE-2026-11766

The Ultimate Member WordPress plugin before 2.12.0 does not properly sanitise and escape the value of custom textarea profile fields before outputting it on user profiles, allowing authenticated users with Subscriber-level access and above to store JavaScript that executes when any user, includin...

8CVSS
Exploits0References1
CVE
CVE
added 17 hours ago6 views

CVE-2026-11855

CVE-2026-11855 affects the Simple Membership WordPress plugin prior to 4.7.5. The issue arises because Stripe webhook requests are not authenticated when no signing secret is configured, and a value taken from those requests is not escaped before being output in an administrator notice. This lead...

8.8CVSS6.1AI score
Exploits0References1
Rows per page
Query Builder