CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

119 matches found

Positive Technologies•added yesterday•4 views

PT-2026-46044

Name of the Vulnerable Software and Affected Versions ERPNext version 16.16.0 Description An authenticated user can persist arbitrary HTML or JavaScript within the email id or mobile no fields of a Customer record. This leads to unescaped rendering in the Point of Sale POS interface for any...

5.1CVSS5.9AI score

Exploits0References5

OSV•added 2026/05/14 8:21 p.m.•3 views

GHSA-R29H-37FJ-X2W6 Open WebUI Has Stored Cross-Site Scripting in SVG Renderer

Summary There is a Cross-Site Scripting vulnerability in Open WebUI SVG renderer implementation. Details It is possible permanently save any HTML/JavaScript code in the application, which can be then executed in the context of the application domain. This behaviour can be used to extract and stea...

5.1CVSS5.9AI score0.0003EPSS

Exploits1References3

Positive Technologies•added 2026/05/14 12:0 a.m.•9 views

PT-2026-41176

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.6.31 Description A Cross-Site Scripting issue exists in the SVG renderer implementation. This allows the permanent storage of HTML or JavaScript code within the application, which is then executed in the context ...

5.1CVSS5.8AI score0.0003EPSS

Exploits1References6

Snyk•added 2026/05/11 7:34 p.m.•4 views

Cross-site Scripting (XSS)

Overview mantisbt/mantisbt is a mantis bug tracker. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the font family preference update process. An attacker can execute arbitrary HTML or JavaScript in the context of another user's session by injecting malicious...

7.9CVSS5.8AI score0.00056EPSS

Exploits0References2

Positive Technologies•added 2026/04/29 12:0 a.m.•1 views

PT-2026-35951

Name of the Vulnerable Software and Affected Versions Helpy version 2.8.0 Description A stored cross-site scripting issue exists in the knowledge base Doc rendering logic. An authenticated attacker with admin or agent editor privileges can persist arbitrary HTML or JavaScript in the body field of...

5.4CVSS5.8AI score0.00031EPSS

Exploits1References6

Positive Technologies•added 2026/04/27 12:0 a.m.•4 views

PT-2026-35522

A reflected cross-site scripting XSS vulnerability exists in WebFileSys version 2.31.1. User-controlled input is reflected into HTML and JavaScript contexts without proper output encoding, allowing arbitrary JavaScript execution in the victim's browser...

5.3AI score0.00025EPSS

Exploits3References3

Cvelist•added 2026/04/21 12:0 a.m.•30 views

CVE-2026-31018

In Dolibarr ERP & CRM = 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page...

0.00049EPSS

Exploits0References2

RedhatCVE•added 2026/03/06 7:45 p.m.•1 views

CVE-2026-26276

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an attacker can store an HTML/JavaScript payload in a repository’s Milestone name, and when another user selects that Milestone on the New Issue page /issues/new, a DOM-Based XSS is triggered. This issue has been patched in...

7.3CVSS5.7AI score0.0004EPSS

Exploits0References1

Positive Technologies•added 2026/03/05 12:0 a.m.•3 views

PT-2026-23488

Name of the Vulnerable Software and Affected Versions Gogs versions prior to 0.14.2 Description Gogs, a self-hosted Git service, is affected by a DOM-Based Cross-Site Scripting XSS issue. An attacker can inject an HTML/JavaScript payload into a repository’s Milestone name. When another user selec...

9.9CVSS5.8AI score0.07313EPSS

Exploits68References137

Cvelist•added 2026/02/19 5:57 p.m.•18 views

CVE-2026-23612 GFI MailEssentials AI < 22.4 Anti-Spam IP DNS Blocklist Domain Stored XSS

GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the IP DNS Blocklist configuration page. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$TXBIPs parameter to...

5.4CVSS0.00045EPSS

Exploits0References2

Cvelist•added 2026/02/19 5:57 p.m.•17 views

CVE-2026-23611 GFI MailEssentials AI < 22.4 Anti-Spam IP Blocklist Description Stored XSS

GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the IP Blocklist management page. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$txtIPDescription parameter to...

5.4CVSS0.00045EPSS

Exploits0References2

CVE•added 2026/02/19 5:56 p.m.•4 views

CVE-2026-23609

GFI MailEssentials AI (versions prior to 22.4) contains a stored cross-site scripting vulnerability in the Perimeter SMTP Servers configuration page. An authenticated user can submit HTML/JavaScript to ctl00$ContentPlaceHolder1$pv3$txtDescription on /MailEssentials/pages/MailSecurity/PerimeterSMT...

5.4CVSS5.4AI score0.00045EPSS

Exploits0References2Affected Software1

Cvelist•added 2026/02/19 5:55 p.m.•17 views

CVE-2026-23608 GFI MailEssentials AI < 22.4 Email Management Mail Monitoring Rule Stored XSS

GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Mail Monitoring rule creation endpoint. An authenticated user can supply HTML/JavaScript in the JSON "name" field to /MailEssentials/pages/MailSecurity/MailMonitoring.aspx/Save, which is stored...

5.4CVSS0.00045EPSS

Exploits0References2

Vulnrichment•added 2026/02/19 5:55 p.m.•1 views

CVE-2026-23606 GFI MailEssentials AI < 22.4 Advanced Content Filtering Rule Stored XSS

GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Advanced Content Filtering rule creation workflow. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$txtRuleName parameter to...

5.4CVSS5.4AI score0.00045EPSS

Exploits0References2

Positive Technologies•added 2026/02/19 12:0 a.m.•3 views

PT-2026-20893

Name of the Vulnerable Software and Affected Versions GFI MailEssentials AI versions prior to 22.4 Description GFI MailEssentials AI versions before 22.4 have a stored cross-site scripting issue in the URI DNS Blocklist configuration page. A logged-in user can inject HTML or JavaScript code into...

5.4CVSS5.2AI score0.00045EPSS

Exploits0References6

Positive Technologies•added 2026/02/19 12:0 a.m.•3 views

PT-2026-20886

Name of the Vulnerable Software and Affected Versions GFI MailEssentials AI versions prior to 22.4 Description The software contains a stored cross-site scripting issue in the Advanced Content Filtering rule creation workflow. A logged-in user can inject HTML or JavaScript code via the txtRuleNam...

5.4CVSS5.3AI score0.00045EPSS

Exploits0References7

OSV•added 2026/02/18 10:7 p.m.•1 views

GHSA-5PQF-54QP-32WX LibreNMS /device-groups name Stored Cross-Site Scripting

Summary /device-groups name Stored Cross-Site Scripting - HTTP POST - Request-URIs: "/device-groups" - Vulnerable parameters: "name" - Attacker must be authenticated with "admin" privileges. - When a user adds a device group, an HTTP POST request is sent to the Request-URI "/device-groups". The...

5.1CVSS5.5AI score0.00004EPSS

Exploits1References6

Cvelist•added 2026/02/10 8:38 p.m.•23 views

CVE-2025-12699 ZOLL ePCR IOS Mobile Application Insertion of Sensitive Information into Externally-Accessible File or Directory

The ZOLL ePCR IOS application reflects unsanitized user input into a WebView. Attacker-controlled strings placed into PCR fields run number, incident, call sign, notes are interpreted as HTML/JS when the app prints or renders that content. In the proof of concept POC, injected scripts return loca...

6.7CVSS0.00005EPSS

Exploits0References3

OSV•added 2026/02/03 7:16 p.m.•1 views

CVE-2026-24426

Shenzhen Tenda AC7 firmware version V03.03.03.01cn and prior contain an improper output encoding vulnerability in the web management interface. User-supplied input is reflected in HTTP responses without adequate escaping, allowing injection of arbitrary HTML or JavaScript in a victim’s browser...

6.1CVSS5.9AI score0.00039EPSS

Exploits0References2

RedhatCVE•added 2026/01/26 9:20 a.m.•4 views

CVE-2026-24399

ChatterMate is a no-code AI chatbot agent framework. In versions 1.0.8 and below, the chatbot accepts and executes malicious HTML/JavaScript payloads when supplied as chat input. Specifically, an payload containing a javascript: URI can be processed and executed in the browser context. This allow...

9.3CVSS5.8AI score0.00017EPSS

Exploits1References1

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by