CVE-2026-33209

Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.30.3, a reflected cross-site scripting XSS vulnerability exists in the returnto query parameter used in the avo interface. An attacker can craft a malicious URL that injects arbitrary JavaScript, which is execute...

CVE-2026-33395 Discourse has stored click‑based XSS via Graphviz SVG javascript: links

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the discourse-graphviz plugin contains a stored cross-site scripting XSS vulnerability that allows authenticated users to inject malicious JavaScript code through DOT graph definitions. F...

CVE-2026-32119 OpenEMR has Stored DOM XSS via SearchHighlight text-node reconstruction on Custom Report page

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, DOM-based stored XSS in the jQuery SearchHighlight plugin library/js/SearchHighlight.js allows an authenticated user with encounter form write access to inject arbitrary...

EUVD-2026-13113

Location Aware Sensor System by Linkit ONE, up to commit f06bd20 2023-04-26, contains a reflected cross-site scripting vulnerability in the PM25.php file that allows remote attackers to execute arbitrary JavaScript by injecting malicious code into GET parameters. Attackers can craft a malicious U...

CVE-2026-32843

Location Aware Sensor System by Linkit ONE, up to commit f06bd20 2023-04-26, contains a reflected cross-site scripting vulnerability in the PM25.php file that allows remote attackers to execute arbitrary JavaScript by injecting malicious code into GET parameters. Attackers can craft a malicious U...

CVE-2026-1276

IBM QRadar SIEM is vulnerable to cross-site scripting under CVE-2026-1276. The IBM bulletin specifies that an authenticated user could embed arbitrary JavaScript in the Web UI, potentially leading to credentials disclosure within a trusted session. Affected: QRadar 7.5.0 up to UP14 IF05. Remediat...

PT-2026-26333

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, DOM-based stored XSS in the jQuery SearchHighlight plugin library/js/SearchHighlight.js allows an authenticated user with encounter form write access to inject arbitrary...

PT-2026-26473

Summary WWBN/AVideo contains a stored cross-site scripting vulnerability in the CDN plugin's download buttons component. The clean title field of a video record is interpolated directly into a JavaScript string literal without any escaping, allowing an attacker who can create or modify a video to...

GHSA-7RCV-55MJ-CHG7 Statamic has Stored XSS via SVG Sanitization Bypass

Impact Stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the asset is viewed. Patches This has been fixed in 5.73.14 and 6.7.0...

CVE-2026-30048

A stored cross-site scripting XSS vulnerability exists in the NotChatbot WebChat widget thru 1.4.4. User-supplied input is not properly sanitized before being stored and rendered in the chat conversation history. This allows an attacker to inject arbitrary JavaScript code which is executed when t...

Linux Distros Unpatched Vulnerability : CVE-2026-1090

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowe...

Cross-site Scripting (XSS)

Overview jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to Cross-site Scripting XSS in jspdf.js, when user-controlled values are passed to the options argument, then included unsanitized in the generated HTML and opened by another user. An attack...

Admidio has an HTMLPurifier Bypass in eCard Message Allows HTML Email Injection

Summary The eCard send handler in Admidio uses the raw $POST'ecardmessage' value instead of the HTMLPurifier-sanitized $formValues'ecardmessage' when constructing the greeting card HTML. This allows an authenticated attacker to inject arbitrary HTML and JavaScript into greeting card emails sent t...

EUVD-2026-12458

Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a stored cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by manipulating the Device Name field. Attackers can inject malicious scripts through the System Status interface that execut...

EUVD-2025-208699

Raytha CMS is vulnerable to Stored XSS via FieldValues1.Value parameter in post editing functionality. Authenticated attacker with permissions to edit posts can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. This issue was fixed in version...

CVE-2025-69237 Stored XSS in Raytha CMS

Raytha CMS is vulnerable to Stored XSS via FieldValues0.Value parameter in page creation functionality. Authenticated attacker with permissions to create content can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. This issue was fixed in versi...

Qool CMS 跨站脚本漏洞

Qool CMS is a content management system developed by basdog22. Qool CMS has a cross-site scripting vulnerability, which stems from improper cleaning of POST parameters in multiple management scripts. This vulnerability could allow attackers to inject malicious JavaScript code to execute arbitrary...

CVE-2013-20006

Qool CMS contains multiple persistent cross-site scripting vulnerabilities in several administrative scripts where POST parameters are not properly sanitized before being stored and returned to users. Attackers can inject malicious JavaScript code through parameters like 'title', 'name', 'email',...

PT-2026-25715

Qool CMS contains multiple persistent cross-site scripting vulnerabilities in several administrative scripts where POST parameters are not properly sanitized before being stored and returned to users. Attackers can inject malicious JavaScript code through parameters like 'title', 'name', 'email',...

Cross-site Scripting (XSS)

Craft CMS is vulnerable to Cross-site Scripting XSS. The vulnerability is due to insufficient sanitization of return URLs using striptags without validating URL schemes, which allows an attacker to inject malicious JavaScript via crafted URLs...