4972 matches found
CVE-2026-44568
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the AccountPending.svelte component renders the admin-configured "Pending User Overlay Content" using marked.parse inside @html with an incorrect DOMPurify application order. An admi...
EUVD-2026-30610
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the AccountPending.svelte component renders the admin-configured "Pending User Overlay Content" using marked.parse inside @html with an incorrect DOMPurify application order. An admi...
CVE-2021-47968
Podcast Generator 3.1 is vulnerable to persistent cross-site scripting, allowing authenticated attackers to inject malicious scripts by submitting unfiltered JavaScript code in the longdescription parameter. Attackers can inject script tags through episode creation or editing requests to execute...
CVE-2021-47967 PHP Timeclock 1.04 Multiple Cross-Site Scripting via Parameters
PHP Timeclock 1.04 contains multiple cross-site scripting vulnerabilities that allow unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters. Attackers can append malicious payloads to login.php, timeclock.php, audit.php, and timerpt.php endpoints, o...
CVE-2026-23695
Cockpit CMS
PT-2026-41347
Podcast Generator 3.1 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting unfiltered JavaScript code in the long description parameter. Attackers can inject script tags through episode creation or editing requests ...
PT-2026-41341
Savsoft Quiz 5.0 contains a persistent cross-site scripting vulnerability in the user account settings page that allows authenticated attackers to inject malicious HTML and JavaScript code. Attackers can inject script payloads into user profile fields at the edit user endpoint, which execute in t...
CVE-2025-12669
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to inject HTML and JavaScript into email notifications sent to other users due to improper input sanitizatio...
CVE-2025-12669
Removed by vendor...
EUVD-2026-30215
The Envira Gallery Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in versions up to and including 1.12.4. This is due to insufficient input sanitization in the updategallerydata function and improper output escaping in the galleryinit function. The...
PT-2026-40849
The Envira Gallery Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in versions up to and including 1.12.4. This is due to insufficient input sanitization in the update gallery data function and improper output escaping in the gallery init function. The...
PT-2026-40852
Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 15.11 through 18.9.6; GitLab CE/EE versions 18.10 through 18.10.5; GitLab CE/EE versions 18.11 through 18.11.2. Description: An issue exists where improper input sanitization allows an authenticated user to inject HTML and...
VulnCheck KEV: CVE-2026-47100
Funnel Builder for WooCommerce Checkout prior to 3.15.0.3 contains a missing authorization vulnerability in the public checkout endpoint that allows unauthenticated attackers to invoke internal methods and write arbitrary data to the plugin's External Scripts global setting. Attackers can inject...
CVE-2026-44369
CVAT is an open source interactive video and image annotation tool for computer vision. From 2.5.0 to 2.63.0, an attacker who is able to create or edit an annotation guide on a task is able to add malicious JavaScript code, which will then run in the browser of anyone who opens this annotation...
CVE-2020-37225
Powie's WHOIS Domain Check 0.9.31 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by exploiting unsanitized input fields in plugin settings. Attackers can submit malicious payloads through textarea and input elements in t...
CVAT.ai CVAT security vulnerability
CVAT.ai CVAT is an open-source data processing tool developed by CVAT.ai. A security vulnerability exists in CVAT.ai CVAT versions 2.5.0 to 2.63.0. The vulnerability arises because attackers who can create or edit annotation guides on tasks can add malicious JavaScript code...
PT-2026-40617
WOOF Products Filter for WooCommerce 1.2.3 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by entering XSS payloads in design tab textfields. Attackers can inject JavaScript code through fields like 'Text for block toggle' a...
PT-2026-40626
Powie's WHOIS Domain Check 0.9.31 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by exploiting unsanitized input fields in plugin settings. Attackers can submit malicious payloads through textarea and input elements in t...
Cross-site Scripting (XSS)
Overview: magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the form fields process. An attacker can execute arbitrary JavaScript in the context of another user's browser session by injecting malicious...
CVE-2026-41456
Bludit CMS prior to commit 6732dde contains a reflected cross-site scripting vulnerability in the search plugin that allows unauthenticated attackers to inject arbitrary JavaScript by crafting a malicious search query. Attackers can execute malicious scripts in the browsers of users who visit...