36 matches found
PT-2026-41369
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craft URLs with unescaped quotes to inject event handlers, stealing admin session cookies and achieving...
CVE-2020-37225 Powie's WHOIS Domain Check 0.9.31 Persistent Cross-Site Scripting
Powie's WHOIS Domain Check 0.9.31 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by exploiting unsanitized input fields in plugin settings. Attackers can submit malicious payloads through textarea and input elements in t...
CVE-2021-47929
Filterable Portfolio Gallery 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by entering payloads in the title field. Attackers can store JavaScript code like image tags with onerror handlers that execute when the gallery...
Security Bulletin: IBM Content Navigator is affected by CVE-2026-1243, a Cross-Site Scripting (XSS) vulnerability
Summary: IBM Content Navigator is affected by CVE-2026-1243, a Cross-Site Scripting (XSS) vulnerability that allows an authenticated user to embed arbitrary JavaScript into the Web UI. This could alter intended application behaviour and potentially lead to credentials disclosure within a trusted...
EUVD-2026-9355
In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the search block where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScript through page nam...
CVE-2025-14275
The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.0.1 due to insufficient input sanitization in the countdown widget's redirect functionality. This makes it possible for authenticated attackers, with Contributor-level...
ChurchCRM Cross-Site Scripting Vulnerability (CNVD-2026-0536090)
ChurchCRM is an open source church management system. ChurchCRM suffers from a cross-site scripting vulnerability that originates from a low-privileged user being able to inject persistent JavaScript into group role names, which can be exploited by an attacker to cause an account takeover...
CVE-2025-64847
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they brow...
UBUNTU-CVE-2025-65187
A Stored Cross Site Scripting vulnerability exists in CiviCRM before v6.7 in the Accounting Batches field. An authenticated user can inject malicious JavaScript into this field and it executes whenever the page is viewed...
CVE-2025-62297
SOPlanning is vulnerable to Stored XSS in the /projets endpoint. A malicious attacker with medium privileges can inject arbitrary HTML and JS into the website, which will be rendered/executed when opening the edited page. This issue was fixed in version 1.55...
EUVD-2023-42381
Malicious code in bioql PyPI...
PT-2025-36794
Name of the Vulnerable Software and Affected Versions: Proxmox Virtual Environment version 8.4 Description: A stored cross-site scripting (XSS) issue exists in the WebAuthn Relying Party field within the Datacenter configuration. Authenticated users can inject JavaScript code that is later executed...
PT-2025-35089
Name of the Vulnerable Software and Affected Versions: IBM Watson Studio on Cloud Pak for Data versions 4.0 through 5.0 Description: IBM Watson Studio on Cloud Pak for Data is susceptible to a cross-site scripting issue. An authenticated user can inject arbitrary JavaScript code into the Web UI,...
Linux Distros Unpatched Vulnerability : CVE-2020-4047
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In affected versions of WordPress, authenticated users with upload permissions like authors are able to inject JavaScript into some media file attachment pages ...
Liferay Portal Reflected Cross-Site Scripting Vulnerability in displayType Parameter
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.19...
CVE-2025-43740
CVE-2025-43740 is a stored XSS vulnerability in Liferay Portal and Liferay DXP. Affected: Liferay Portal 7.4.3.120–7.4.3.132 and Liferay DXP 2025.Q1.0–Q2.8 (also Q4/Q3/Q2/Q1 2024). The issue allows a remote authenticated attacker to inject JavaScript via the web interface’s message boards feature...
PT-2025-33681 · Liferay · Liferay Portal +1
Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.0 through 7.4.3.132 Liferay DXP versions 2025.Q1.0 through 2025.Q1.8 Liferay DXP versions 2024.Q4.0 through 2024.Q4.7 Liferay DXP versions 2024.Q3.1 through 2024.Q3.13 Liferay DXP versions 2024.Q2.0 through...
Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the uselang parameter, which allows system messages to be inserted into raw HTML without proper escaping. An attacker can execute arbitrary JavaScript in the context of the user's browser by injecting crafte...
CVE-2024-52365
IBM Cloud Pak for Business Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary JavaScript code in the Web UI thu...
CVE-2025-0747
A Stored Cross-Site Scripting vulnerability has been found in EmbedAI. This vulnerability allows an authenticated attacker to inject malicious JavaScript code into a message that will be executed when a user opens the chat...