42 matches found
CVE-2026-48221 Open ISES Tickets < 3.44.2 Reflected XSS via ics205a.php frm_add_str Parameter
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics205a.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frmaddstr POST parameter directly into an HTML form hidden input value attribute...
Linux Distros Unpatched Vulnerability : CVE-2026-22675
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - OCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary...
CVE-2026-34806 Endian Firewall /cgi-bin/snat.cgi remark Stored Cross-Site Scripting
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting XSS via the remark parameter to /cgi-bin/snat.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page...
CVE-2026-25417 WordPress ProfileGrid plugin <= 5.9.8.1 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Metagauss ProfileGrid profilegrid-user-profiles-groups-and-communities allows Stored XSS.This issue affects ProfileGrid : from n/a through = 5.9.8.1...
CVE-2026-28338 PMD Designer has Stored XSS in VBHTMLRenderer and YAHTMLRenderer via unescaped violation messages
PMD is an extensible multilanguage static code analyzer. Prior to version 7.22.0, PMD's vbhtml and yahtml report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated HTML report contains...
CVE-2025-59131
Cross-Site Request Forgery CSRF vulnerability in hoernerfranz WP-CalDav2ICS wp-caldav2ics allows Stored XSS.This issue affects WP-CalDav2ICS: from n/a through = 1.3.4...
CVE-2025-12976 Events Manager <= 7.2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'events_list_grouped' Shortcode
The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'eventslistgrouped' shortcode in all versions up to, and including, 7.2.2.1 due to insufficient input sanitization and output escaping on user supplied...
PT-2025-50830
The WPGancio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gancio-event' shortcode in all versions up to, and including, 1.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
PT-2025-50213
Name of the Vulnerable Software and Affected Versions Coohom SaaS Platform version 1760060603897 2025-10-28 Description A stored Cross-Site Scripting XSS issue exists in the Account Settings module. The issue occurs because unsanitized user input in Address fields, specifically City, State, and...
CVE-2025-12160
The Simple User Registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpradminmsg' parameter in all versions up to, and including, 6.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
EUVD-2025-25361
Malicious code in bioql PyPI...
CVE-2025-9541 Markup Markdown < 3.20.10 - Contributor+ Stored XSS
The Markup Markdown WordPress plugin before 3.20.10 allows links to contain JavaScript which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
CVE-2025-34175
In pfSense CE /usr/local/www/suricata/suricatafilecheck.php, the value of the filehash parameter is directly displayed without sanitizing for HTML-related characters/strings. This can result in reflected cross-site scripting if the victim is authenticated...
CVE-2025-9442
The StreamWeasels Kick Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘vodsChannel’ parameter in all versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2025-41059 Stored Cross-Site Scripting vulnerability in appRain CMF
A vulnerability has been discovered in appRain CMF version 4.0.5, consisting of a stored authenticated XSS due to a lack of proper validation of user input, through the 'dataAddonlayouts' and 'dataAddonlayoutsexcept' parameters in /apprain/developer/addons/update/tablesorter...
CVE-2025-8281 WP Talroo <= 2.4 - Reflected XSS
The WP Talroo WordPress plugin through 2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin and unauthenticated users...
CVE-2025-4576
CVE-2025-4576 describes a reflected XSS in Liferay Portal 7.4.0–7.4.3.133 and Liferay DXP versions listed (various 2024/Qx and 2025/Q1 ranges, up to 7.4 GA with update 92). The vulnerability allows a remote, non-authenticated attacker to inject JavaScript into the page at modules/apps/blogs/blogs...
CVE-2024-10744
A vulnerability was found in PHPGurukul Online Shopping Portal 2.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/assets/plugins/DataTables/media/unittesting/templates/complexheader2.php. The manipulation of the argument scripts...
WordPress Graphicsly plugin <= 1.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload vulnerability
Authenticated Author+ Stored Cross-Site Scripting via SVG File Upload vulnerability discovered by Francesco Carlucci in WordPress Plugin Graphicsly versions = 1.0.2...
yellownepal.com Cross Site Scripting vulnerability
Open Bug Bounty ID: OBB-1065107 Security Researcher geeknik Helped patch 8924 vulnerabilities Received 8 Coordinated Disclosure badges Received 21 recommendations , a holder of 8 badges for responsible and coordinated disclosure, found a security vulnerability affecting yellownepal.com website an...