CVE-2025-36408

IBM ApplinX 11.1 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session...

CVE-2025-36408

CVE-2025-36408 affects IBM ApplinX 11.1. It is a stored cross-site scripting vulnerability, allowing an authenticated user to embed arbitrary JavaScript in the Web UI and potentially disclose credentials within a trusted session. Supported documents consistently identify the affected product/vers...

CVE-2025-36066

IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 (5.2.0.00–5.2.0.12) is affected by a cross-site scripting flaw in the Web UI that allows an unauthenticated attacker to inject arbitrary JavaScript and potentially disclose credentials within a trusted session. Affected produc...

CVE-2026-1181

Altium 365 workspace endpoints were configured with an overly permissive Cross-Origin Resource Sharing CORS policy that allowed credentialed cross-origin requests from other Altium-controlled subdomains, including forum.live.altium.com. As a result, JavaScript executing on those origins could...

PT-2026-3625

IBM ApplinX 11.1 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session...

MiracleLinux 4 : firefox-68.5.0-2.0.1.AXS4 (AXSA:2020-4471:05)

The remote MiracleLinux 4 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2020-4471:05 advisory. Mozilla: Missing bounds check on shared memory read in the parent process CVE-2020-6796 Mozilla: Memory safety bugs fixed in Firefox 73 and Firefox...

Cross-site Scripting (XSS)

opencode-ai is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper sanitization of LLM-generated markdown that allows arbitrary HTML and JavaScript to be injected into the DOM, which allows an attacker to execute malicious scripts in the local web interface origin...

📄 ahu.mlsp.government.bg Cross Site Scripting

ahu.mlsp.government.bg suffers from a cross site scripting issue. The researcher has waited over a year after reporting this to make public, so hopefully this will encourage them to fix it. Titles: ahu.mlsp.government.bg-XSS-Reflected-CRITICAL Cross-site scripting reflected Author: nu11secur1ty...

SUSE CVE-2026-21483

listmonk is a standalone, self-hosted, newsletter and mailing list manager. Prior to version 6.0.0, lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user Super Admin views or previews this content, the...

Cross-site Scripting (XSS)

Overview cakephp/cakephp is a rapid development framework for PHP which uses commonly known design patterns like Associative Data Mapping, Front Controller, and MVC. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the PaginatorHelper::limitControl function. An...

CVE-2026-22867

LaSuite Doc is a collaborative note taking, wiki and documentation platform. From 3.8.0 to 4.3.0, a Stored Cross-Site Scripting XSS vulnerability exists in the Interlinking feature. When a user creates a link to another document within the editor, the URL of that link is not validated. An attacke...

CVE-2025-13859

The AffiliateX – Amazon Affiliate Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the savecustomizationsettings AJAX action in versions 1.0.0 to 1.3.9.3. This makes it possible for authenticated attackers, with Subscriber-level...

CVE-2021-47808

Cotonti Siena 0.9.19 contains a stored cross-site scripting vulnerability in the admin configuration panel's site title parameter. Attackers can inject malicious JavaScript code through the 'maintitle' parameter to execute scripts when administrators view the page...

CVE-2021-47779

Dolibarr ERP-CRM 14.0.2 contains a stored cross-site scripting vulnerability in the ticket creation module that allows low-privilege users to inject malicious scripts. Attackers can craft a specially designed ticket message with embedded JavaScript that triggers when an administrator copies the...

CVE-2021-47808

Cotonti Siena 0.9.19 contains a stored cross-site scripting vulnerability in the admin configuration panel's site title parameter. Attackers can inject malicious JavaScript code through the 'maintitle' parameter to execute scripts when administrators view the page...

GHSA-6738-R8G5-QWP3 svelte vulnerable to Cross-site Scripting

Summary An XSS vulnerability exists in Svelte 5.46.0-2 resulting from improper escaping of hydratable keys. If these keys incorporate untrusted user input, arbitrary JavaScript can be injected into server-rendered HTML. Details When using the hydratable function, the first argument is used as a k...

svelte vulnerable to Cross-site Scripting

Summary An XSS vulnerability exists in Svelte 5.46.0-2 resulting from improper escaping of hydratable keys. If these keys incorporate untrusted user input, arbitrary JavaScript can be injected into server-rendered HTML. Details When using the hydratable function, the first argument is used as a k...

EUVD-2026-2807

The AffiliateX – Amazon Affiliate Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the savecustomizationsettings AJAX action in versions 1.0.0 to 1.3.9.3. This makes it possible for authenticated attackers, with Subscriber-level...

CVE-2025-13859

The AffiliateX – Amazon Affiliate Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the savecustomizationsettings AJAX action in versions 1.0.0 to 1.3.9.3. This makes it possible for authenticated attackers, with Subscriber-level...

CVE-2026-22637

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority...