28 matches found

Positive Technologies
added 2026/06/16 12:0 a.m. · 10 views

PT-2026-49825

Name of the Vulnerable Software and Affected Versions: PowerSchool Employee Access Center version 23.10. Description: Improper Neutralization of Input During Web Page Generation allows Cross-Site Scripting (XSS), a flaw where malicious scripts are injected into otherwise trusted websites. An attacker...

CVSS 7.4 · AI score 5.9 · EPSS 0.00258
Exploits 0 · References 4
RedhatCVE
added 2026/06/05 7:21 p.m. · 6 views

CVE-2026-47100

Funnel Builder for WooCommerce Checkout prior to 3.15.0.3 contains a missing authorization vulnerability in the public checkout endpoint that allows unauthenticated attackers to invoke internal methods and write arbitrary data to the plugin's External Scripts global setting. Attackers can inject...

CVSS 8.7 · AI score 5.6 · EPSS 0.00457
Exploits 1 · References 1
CNNVD
added 2026/05/15 12:0 a.m. · 7 views

Open WebUI cross-site scripting vulnerability

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted WebUI that is open source. Versions of Open WebUI prior to 0.9.0 had a cross-site scripting vulnerability. This vulnerability stemmed from the AccountPending.svelte component using marked.parse to render...

CVSS 4.8 · AI score 5.7 · EPSS 0.0017
Exploits 1 · References 1
EUVD
added 2026/05/06 7:0 a.m. · 7 views

EUVD-2026-27530

The Item history widget in Zabbix 7.0+ or the Plain text widget in Zabbix 6.0 can execute injected JavaScript when HTML display is enabled. This can allow an attacker to perform unauthorized actions depending on which user opens a dashboard containing these widgets. The malicious JavaScript would...

CVSS 7.3 · AI score 5.9 · EPSS 0.00285
Exploits 0 · References 1
Debian CVE
added 2026/05/06 7:0 a.m. · 4 views

CVE-2026-23928

The Item history widget in Zabbix 7.0+ or the Plain text widget in Zabbix 6.0 can execute injected JavaScript when HTML display is enabled. This can allow an attacker to perform unauthorized actions depending on which user opens a dashboard containing these widgets. The malicious JavaScript would...

CVSS 7.3 · AI score 5.9 · EPSS 0.00285
Exploits 0
Positive Technologies
added 2026/04/29 12:0 a.m. · 8 views

PT-2026-36905

Name of the Vulnerable Software and Affected Versions: n8n versions prior to 1.123.32; n8n versions prior to 2.17.4; n8n versions prior to 2.18.1. Description: An unauthenticated attacker can register a malicious MCP OAuth client using a crafted client name. If a victim user authorizes the OAuth conse...

CVSS 9.6 · AI score 5.9 · EPSS 0.00332
Exploits 0 · References 11
GithubExploit
added 2026/03/24 2:59 p.m. · 205 views

DarKSward

DarKSward-DarKSword Webpack source code reconstruction of the...

AI score 5.8
Exploits 0
RedhatCVE
added 2026/01/09 11:20 a.m. · 7 views

CVE-2021-22888

Revive Adserver before v5.2.0 is vulnerable to a reflected XSS vulnerability in the status parameter of campaign-zone-zones.php. An attacker could trick a user with access to the user interface of a Revive Adserver instance into clicking on a specifically crafted URL and execute injected JavaScri...

CVSS 6.1 · AI score 6 · EPSS 0.19811
Exploits 1 · References 1
Vulnrichment
added 2025/10/23 9:37 a.m. · 3 views

CVE-2025-9981 Multiple Stored XSS in QuickCMS

QuickCMS is vulnerable to multiple Stored XSS in slider editor functionality (sliders-form). A malicious attacker with admin privileges can inject arbitrary HTML and JS into the website, which will be rendered/executed on every page. By default the admin user is not able to add JavaScript into the website. T...

CVSS 4.8 · AI score 5.9 · EPSS 0.00176
Exploits 0 · References 2
EUVD
added 2025/10/03 8:7 p.m. · 3 views

EUVD-2024-46153

Malicious code in bioql PyPI...

CVSS 5.4 · AI score 6.5 · EPSS 0.00477
Exploits 0 · References 1
BDU FSTEC
added 2025/07/10 12:0 a.m. · 20 views

The vulnerability of Websoft HCM’s automation software for HR processes lies in the lack of measures taken to protect the website structure, allowing attackers to carry out XSS attacks.

The vulnerability of Websoft HCM’s automation software for HR processes is related to the lack of measures taken to protect the website structure. Exploiting this vulnerability allows a malicious actor to carry out XSS attacks by injecting specially crafted JavaScript code into HTML pages...

CVSS 3.1 · AI score 5.5
Exploits 0 · References 1 · Affected Software 1
OSV
added 2024/11/18 8:35 p.m. · 8 views

CVE-2024-52583 WesHacks code includes links to Leostop tracking spyware infested files

The WesHacks GitHub repository provides the official Hackathon competition website source code for the Muweilah Wesgreen Hackathon. The page schedule.html before 17 November 2024 or commit 93dfb83 contains links to Leostop, a site that hosts a malicious injected JavaScript file that occurs when...

CVSS 8.2 · AI score 6.9 · EPSS 0.00201
Exploits 0 · References 5
CNNVD
added 2024/11/18 12:0 a.m. · 2 views

WesHacks security vulnerability

WesHacks is a hackathon website by the individual developer Shahm Najeeb. A security vulnerability exists in versions of WesHacks prior to 17/11/2024, which stems from the site hosting maliciously injected JavaScript files...

CVSS 8.2 · AI score 6.5 · EPSS 0.00201
Exploits 0 · References 3
BDU FSTEC
added 2024/08/14 12:0 a.m. · 17 views

The vulnerability of software for training employees in information security skills, such as Antiphish, arises from the lack of protection for website structures. This allows attackers to perform cross-site scripting attacks (XSS).

The vulnerability of software for training employees in information security skills is related to the lack of measures taken to protect website structures. Exploiting this vulnerability allows a malicious actor to perform cross-site scripting (XSS) attacks by injecting malicious JavaScript code...

CVSS 7.5 · AI score 5.2
Exploits 0 · Affected Software 1
CVE
added 2024/06/12 3:5 p.m. · 147 views

CVE-2024-37297

CVE-2024-37297 affects WooCommerce on WordPress. An XSS flaw introduced in 8.8 can be triggered by crafting a link that injects HTML/JavaScript into classic checkout and registration forms via Sourcebuster.js, potentially allowing an attacker to hijack browser content and session data. The vulner...

CVSS 5.4 · AI score 5.4 · EPSS 0.00483
Exploits 1 · References 4 · Affected Software 1
Positive Technologies
added 2024/04/15 12:0 a.m. · 7 views

PT-2024-5546 · Antiphish · Antiphish

Name of the Vulnerable Software and Affected Versions: Antiphish, affected versions not specified. Description: The issue is related to the lack of protection for the web page structure in the Antiphish software, which is used for training employees in information security skills. This can be...

CVSS 7.5 · AI score 6.1
Exploits 0 · References 1
Github Security Blog
added 2024/02/15 3:30 p.m. · 11 views

Magento Open Source allows Cross-Site Scripting (XSS)

Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin attacker to inject malicious scripts into every admin page. Malicious JavaScript may be executed in a victim’s browser when they browse...

CVSS 9.1 · AI score 5.7 · EPSS 0.01307
Exploits 0 · References 3 · Affected Software 2
WPVulnDB
added 2023/12/11 12:0 a.m. · 62 views

Popup Builder < 4.2.3 - Unauthenticated Stored XSS

Description: The plugin does not prevent simple visitors from updating existing popups, and injecting raw JavaScript in them, which could lead to Stored XSS attacks. PoC: 1. Create a popup using the plugin. 2. Run the following curl command, switching $POPUPID with that popup's ID: curl --url...

CVSS 6.1 · AI score 8.7 · EPSS 0.01999
Exploits 4 · References 1 · Affected Software 1
Positive Technologies
added 2023/06/02 12:0 a.m. · 4 views

PT-2023-21917

Name of the Vulnerable Software and Affected Versions: Openfind Mail2000, affected versions not specified. Description: The issue arises from insufficient filtering of special characters in email content by the content filtering function. A remote attacker can exploit this by sending phishing emails...

CVSS 6.1 · AI score 6 · EPSS 0.00429
Exploits 0 · References 5
Positive Technologies
added 2023/06/01 12:0 a.m. · 4 views

PT-2023-7397 · Splunk · Splunk App For Lookup File Editing

Name of the Vulnerable Software and Affected Versions: Splunk App for Lookup File Editing versions prior to 4.0.1. Description: The issue allows a user to insert potentially malicious JavaScript code into the app, causing it to run on the user's machine. This does not require the app itself to...

CVSS 6.1 · AI score 6.7 · EPSS 0.00313
Exploits 0 · References 5