Lucene search
+L

23 matches found

nvd
nvd
added yesterday6 views

CVE-2026-54458

WWBN AVideo is an open source video platform. Versions prior to 29.0 contain a stored DOM Cross-Site Scripting vulnerability in the YPTSocket plugin. Any unauthenticated remote attacker can execute arbitrary JavaScript in the authenticated origin of every administrator currently viewing a page th...

9.6CVSS
Exploits0References2
osv
osv
added 2026/07/01 10:57 p.m.3 views

CVE-2026-55790 Craft CMS: DOM XSS via GitHub issue title in CraftSupport widget

Craft CMS is a content management system CMS. In versions 5.0.0-RC1 through 5.9.22 and 4.0.0-RC1 through 4.17.15, an attacker with only a GitHub account can plant a JavaScript payload in a craftcms/cms issue title. When a Craft admin uses the CraftSupport widget’s "Give feedback" screen and types...

7.4CVSS5.9AI score0.00311EPSS
Exploits0References4
redhatcve
redhatcve
added 2026/06/05 7:36 p.m.12 views

CVE-2026-41318

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, AnythingLLM's in-chat markdown renderer has an unsafe custom rule for images that interpolates the markdown image's alt text into an HTML alt="..."...

5.4CVSS5.4AI score0.00195EPSS
Exploits1References1
osv
osv
added 2026/05/07 8:1 p.m.3 views

CVE-2026-41692 i18nextify is vulnerable to DOM XSS via javascript:/data: URL schemes in translated href/src attributes

i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 4.0.8 substitute key interpolation tokens inside src and href attribute values with the raw string returned by i18next.t. The substitution logic in...

4.7CVSS6AI score0.00144EPSS
Exploits0References4
osv
osv
added 2026/05/07 3:16 a.m.3 views

CVE-2026-41201 CI4MS: Backup Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM Blind XSS Version 2

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. In version 0.31.4.0, an attacker can achieve Full Account Takeover & Privilege Escalation via Stored DOM XSS in backup module filename field manipulated vi...

9.1CVSS5.9AI score0.00331EPSS
Exploits0References4
cve
cve
added 2026/04/01 9:23 p.m.13 views

CVE-2026-34561

Summary of CVE-2026-34561 : CI4MS (CodeIgniter 4-based CMS skeleton) before version 0.31.0.0 is vulnerable to a stored DOM XSS in System Settings → Social Media Management. Attacker-controlled input entered in fields such as Social Media and Social Media Link is stored server-side and rendered wi...

8.4CVSS5.8AI score0.00229EPSS
Exploits1References2Affected Software1
cnnvd
cnnvd
added 2026/04/01 12:0 a.m.10 views

WordPress plugin King Addons for Elementor 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

6.4CVSS5.6AI score0.00241EPSS
Exploits0References11
cve
cve
added 2026/03/20 7:34 a.m.16 views

CVE-2026-33061

CVE-2026-33061 affects Jexactyl (previously named Exactyl), a configurable game management panel and billing system. The issue arises from injecting server-side objects into client-side JavaScript via resources/views/templates/wrapper.blade.php, where unescaped {!! json_encode(...) !!} is used wi...

5.8CVSS5.9AI score0.00165EPSS
Exploits1References2Affected Software1
attackerkb
attackerkb
added 2026/02/27 12:0 a.m.6 views

CVE-2026-26862

CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-based Cross-Site Scripting XSS via window.postMessage in the Visual Builder module. The origin validation in src/modules/visualBuilder/pageBuilder.js lines 56-60 uses the includes method to verify the originUrl contains...

8.3CVSS5.9AI score0.00366EPSS
Exploits1References4
osv
osv
added 2026/02/06 8:58 p.m.6 views

CVE-2026-25581 SCEditor affected by DOM XSS via emoticon URL/HTML injection

SCEditor is a lightweight WYSIWYG BBCode and XHTML editor. Prior to 3.2.1, if an attacker has the ability control configuration options passed to sceditor.create, like emoticons, charset, etc. then it's possible for them to trigger an XSS attack due to lack of sanitisation of configuration option...

5.4CVSS5.4AI score0.00216EPSS
Exploits1References4
attackerkb
attackerkb
added 2026/01/26 7:36 p.m.5 views

CVE-2025-11687

A flaw was found in the gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page — enabling DOM access, session cookie theft and other client-side attacks — via a crafted URL that supplies a malicious value to the q GET parameter reflected DOM XSS...

6.1CVSS6AI score0.00337EPSS
Exploits0References4
nvd
nvd
added 2026/01/05 10:15 p.m.16 views

CVE-2025-65110

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to versions 6.1.2 and 5.6.3, applications meeting two conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used...

9.3CVSS0.00452EPSS
Exploits1References1
githubexploit
githubexploit
added 2025/12/25 7:29 p.m.160 views

XSSREFLECTOR

XSS Reflector XSS Reflector adalah tools otomatis untuk...

5.8AI score
Exploits0
nessus
nessus
added 2025/12/19 12:0 a.m.5 views

JetBrains TeamCity < 2025.11.0 Multiple Vulnerabilities

The version of JetBrains TeamCity installed on the remote host is prior to 2025.11.0. It is, therefore, affected by multiple vulnerabilities as referenced in the advisory. - In JetBrains TeamCity before 2025.11.0 Stored XSS was possible via session attribute CVE-2025-67741 - In JetBrains TeamCity...

7.5CVSS6AI score0.03592EPSS
Exploits0References9
githubexploit
githubexploit
added 2025/12/12 8:7 a.m.138 views

vuln_XSS_web

Vulnerable Websites for XSS Testing Đây là 4 website mẫu, mỗi...

6.2AI score
Exploits0
nessus
nessus
added 2025/08/27 12:0 a.m.11 views

Linux Distros Unpatched Vulnerability : CVE-2023-23913

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - There is a potential DOM based cross-site scripting issue in rails-ujs which leverages the Clipboard API to target HTML elements that are assigned the...

6.3CVSS6.5AI score0.00643EPSS
Exploits0References2
susecve
susecve
added 2025/04/24 11:33 a.m.3 views

SUSE CVE-2025-2703

The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript...

6.3CVSS6.8AI score0.13697EPSS
Exploits0References8
redhat
redhat
added 2024/12/03 1:47 a.m.2 views

firefox: thunderbird: CSP Bypass and XSS Exposure via Web Compatibility Shims

The Mozilla Foundation's Security Advisory: Enhanced Tracking Protection's Strict mode may inadvertently allow a CSP frame-src bypass and DOM-based cross-site scripting XSS through the Google SafeFrame shim in the Web Compatibility extension. This issue could expose users to malicious frames...

6.1CVSS7.2AI score0.00499EPSS
Exploits0References10
osv
osv
added 2024/11/19 5:15 p.m.10 views

CVE-2024-51938

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in NicheAddons Charity Addon for Elementor allows DOM-Based XSS.This issue affects Charity Addon for Elementor: from n/a through 1.3.2...

5.4CVSS7.3AI score0.00263EPSS
Exploits0References1
osv
osv
added 2023/08/03 10:15 p.m.4 views

CVE-2023-30958

A security defect was identified in Foundry Frontend that enabled users to potentially conduct DOM XSS attacks if Foundry's CSP were to be bypassed. This defect was resolved with the release of Foundry Frontend 6.225.0...

6.1CVSS5.8AI score0.00348EPSS
Exploits0References1
Rows per page
Query Builder