5146 matches found
Limit Login Attempts - Stored Cross-Site Scripting
Limit Login Attempts WordPress plugin 4.0.72 contains a stored cross-site scripting caused by unsanitized and unescaped settings, letting malicious administrators inject Javascript code, exploit requires administrator privileges. id: CVE-2022-1029 info: name: Limit Login Attempts - Stored...
KodExplorer - Cross-Site Scripting
KodExplorer is susceptible to a reflected cross-site scripting XSS vulnerability in the file view functionality.The vulnerability exists in app/template/api/view.html where user-supplied input in the 'path' parameter is directly echoed without proper sanitization.This allows attackers to inject...
XWiki >= 3.4-milestone-1 - Cross-Site Scripting
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page XSS. It's possible to exploit the deletespace template to perform a XSS, e.g. by using URL such as:...
CVE-2026-44752
SAP NetWeaver Application Server Java allows an unauthenticated attacker to inject malicious JavaScript through crafted URLs. When a victim accesses such a URL, the script executes in the user's browser, allowing the attacker to access sensitive session information and modify non-sensitive data...
CVE-2026-44752
CVE-2026-44752 affects SAP NetWeaver Application Server Java (often noted with the Configuration Wizard). The vulnerability is a Cross-Site Scripting (XSS) issue where an unauthenticated attacker can inject malicious JavaScript through crafted URLs. When a victim loads such a URL, the script runs...
EUVD-2026-43587
SAP NetWeaver Application Server Java allows an unauthenticated attacker to inject malicious JavaScript through crafted URLs. When a victim accesses such a URL, the script executes in the user's browser, allowing the attacker to access sensitive session information and modify non-sensitive data...
CVE-2026-58500
MCP Appium is an MCP server that provides AI assistants with tools to automate mobile app testing on Android and iOS. In versions prior to 1.85.10, the createLocatorGeneratorUI function interpolates attacker-controlled element attributes — text, content-desc, resource-id, and locator selector...
CVE-2026-15552 Ragic|Enterprise Cloud Database - Stored Cross-Site Scripting
Enterprise Cloud Database developed by Ragic has a Stored Cross-Site Scripting vulnerability, allowing unauthenticated remote attackers to inject persistent JavaScript code executed in users' browsers upon page load...
EUVD-2026-43270
Enterprise Cloud Database developed by Ragic has a Stored Cross-Site Scripting vulnerability, allowing unauthenticated remote attackers to inject persistent JavaScript code executed in users' browsers upon page load...
PT-2026-57559
Name of the Vulnerable Software and Affected Versions luci-app-upnp affected versions not specified Description Stored cross-site scripting occurs when unauthenticated LAN clients inject JavaScript through UPnP IGD AddPortMapping SOAP requests. The issue arises because the NewPortMappingDescripti...
CVE-2026-41877 Stored XSS in R-SOFT DMS
R-SOFT DMS is vulnerable to Stored XSS in file upload functionality. Authenticated attacker can inject arbitrary HTML and JS into the name of the file being uploaded, which will be executed when visiting file list or upload status by other users. This issue was fixed in version v3.19-2832 and...
CVE-2026-55424
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a topic "featured link" was not sufficiently normalized and escaped before being rendered in the topic list, allowing a user who can set a featured link to inject JavaScript when default Content...
CVE-2026-55424
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a topic "featured link" was not sufficiently normalized and escaped before being rendered in the topic list, allowing a user who can set a featured link to inject JavaScript when default Content...
CVE-2026-13461
When coupled with the SSL bypass vulnerability, JavaScript can be injected into a WebView in the PayRange version 7.0.7 app. The injection of specific JavaScript function calls allows the attacker to escape the WebView sandbox and perform a number of dangerous actions on the user's device...
CVE-2026-13461
CVE-2026-13461 affects PayRange Android app v7.0.7 where, when paired with an SSL-bypass vulnerability, JavaScript can be injected into the WebView, allowing sandbox escape and dangerous actions on the user device. The underlying issue is WebView JavaScript injection enabled by a compromised TLS ...
EUVD-2026-42635
When coupled with the SSL bypass vulnerability, JavaScript can be injected into a WebView in the PayRange version 7.0.7 app. The injection of specific JavaScript function calls allows the attacker to escape the WebView sandbox and perform a number of dangerous actions on the user's device...
CVE-2026-13461 PayRange version 7.0.7 contains a JavaScript injection vulnerability
When coupled with the SSL bypass vulnerability, JavaScript can be injected into a WebView in the PayRange version 7.0.7 app. The injection of specific JavaScript function calls allows the attacker to escape the WebView sandbox and perform a number of dangerous actions on the user's device...
PT-2026-57001
Name of the Vulnerable Software and Affected Versions Discourse versions prior to 2026.6.0 Discourse versions prior to 2026.5.1 Discourse versions prior to 2026.4.2 Discourse versions prior to 2026.1.5 Description A topic featured link is not sufficiently normalized and escaped before being...
PayRange Android app version 7.0.7 contains multiple vulnerabilities
Overview PayRange is a mobile payment app that allows users to pay for vending machines, laundromats, and other unattended machines using a smartphone with Bluetooth. Two vulnerabilities were discovered in version 7.0.7 of the PayRange app that is available in the Google Play store. Description A...
CVE-2026-57439
CyberChef is a web app for encryption, encoding, compression, and data analysis. Prior to 11.2.0, the Series Chart operation accepts proto as a key while parsing user-supplied CSV, allowing prototype pollution that can be chained with operations such as Parse UDP to inject malicious JavaScript in...