CVE-2023-53985

Zstore, now referred to as Zippy CRM, 6.5.4 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through unvalidated input parameters. Attackers can submit crafted payloads in manual insertion points to execute arbitrary JavaScript code in...

CVE-2023-53985

Zstore, now referred to as Zippy CRM, 6.5.4 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through unvalidated input parameters. Attackers can submit crafted payloads in manual insertion points to execute arbitrary JavaScript code in...

CVE-2021-47750

YouPHPTube = 7.8 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the redirectUri parameter in the signup page. Attackers can craft special signup URLs with embedded script tags to execute arbitrary JavaScript in victims' browsers when they...

CVE-2021-47750

YouPHPTube = 7.8 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the redirectUri parameter in the signup page. Attackers can craft special signup URLs with embedded script tags to execute arbitrary JavaScript in victims' browsers when they...

CVE-2020-36919

WPForms 1.7.8 contains a cross-site scripting vulnerability in the slider import search feature and tab parameter. Attackers can inject malicious scripts through the ListTable.php endpoint to execute arbitrary JavaScript in victim's browser...

CVE-2021-47750

YouPHPTube versions up to 7.8 contain a cross-site scripting (XSS) vulnerability in the redirectUri parameter of the signup page, allowing an attacker to craft signups that execute arbitrary JavaScript in victims’ browsers. The root cause is improper handling of the redirectUri in the signup flow...

PT-2026-2372

Name of the Vulnerable Software and Affected Versions Testa version 3.5.1 Description The software contains a reflected cross-site scripting issue in the login.php file. Specifically, the redirect parameter is susceptible to malicious script injection. An attacker can craft a specially encoded...

PT-2026-2417

Name of the Vulnerable Software and Affected Versions Zippy CRM version 6.5.4 Description The software contains a reflected cross-site scripting issue that enables attackers to inject malicious scripts via unvalidated input parameters. Attackers can submit crafted payloads in manual insertion...

CVE-2026-22804

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. From 1.7.0 to 1.9.0, Stored Cross-Site Scripting XSS vulnerability exists in the Termix File Manager component. The application fails to sanitize SVG file content before rendering it. Thi...

CVE-2026-22813

OpenCode is an open source AI coding agent. The markdown renderer used for LLM responses will insert arbitrary HTML into the DOM. There is no sanitization with DOMPurify or even a CSP on the web interface to prevent JavaScript execution via HTML injection. This means controlling the LLM response...

CVE-2026-22804 Termix has a Stored XSS in File Manager leading to Local File Inclusion (LFI) in Electron and Session Hijacking in Browser

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. From 1.7.0 to 1.9.0, Stored Cross-Site Scripting XSS vulnerability exists in the Termix File Manager component. The application fails to sanitize SVG file content before rendering it. Thi...

PT-2026-2316

Name of the Vulnerable Software and Affected Versions OpenCode versions prior to 1.1.10 Description The software is an open source AI coding agent. The markdown renderer used for responses from large language models inserts arbitrary HTML into the Document Object Model DOM without sanitization...

CVE-2026-21871

NiceGUI is a Python-based UI framework. From versions 2.13.0 to 3.4.1, there is a XSS risk in NiceGUI when developers pass attacker-controlled strings into ui.navigate.history.push or ui.navigate.history.replace. These helpers are documented as History API wrappers for updating the browser URL...

Angular has XSS Vulnerability via Unsanitized SVG Script Attributes

A Cross-Site Scripting XSS vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG elements as a Resource URL context. In a standard security model,...

CVE-2023-49258

User browser may be forced to execute JavaScript and pass the authentication cookie to the attacker leveraging the XSS vulnerability located at "/gui/terminaltool.cgi" in the "data" parameter...

CVE-2023-45958

Thirty Bees Core v1.4.0 was discovered to contain a reflected cross-site scripting XSS vulnerability via the backuppagination parameter at /controller/AdminController.php. This vulnerability allows attackers to execute arbitrary JavaScript in the web browser of a user via a crafted payload...

CVE-2023-31415

Kibana version 8.7.0 contains an arbitrary code execution flaw. An attacker with All privileges to the Uptime/Synthetics feature could send a request that will attempt to execute JavaScript code. This could lead to the attacker executing arbitrary commands on the host system with permissions of t...

CVE-2023-40617

A reflected cross-site scripting XSS vulnerability in OpenKnowledgeMaps Head Start 7 allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'file' parameter in 'displayPDF.php'...

CVE-2023-40618

A reflected cross-site scripting XSS vulnerability in OpenKnowledgeMaps Head Start versions 4, 5, 6, 7 as well as Visual Project Explorer 1.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'service' parameter in...

CVE-2018-12299

Cross-site scripting in filebrowser in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via uploaded file names...