CVE-2026-3495 Unescaped variables during error page composition

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to escape some variables that could contain malicious content during error page composition which allows an attacker with access to edit some site configuration to execute some malicious code via injecting some JS as part of those...

CVE-2026-39380 Open Source Point of Sale has Stored XSS in Stock Location (Configuration)

Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting XSS vulnerability exists in the Stock Locations configuration feature. The application fails to properly sanitize user input supplied throug...

CVE-2026-26281 InvoicePlane has Stored Cross-Site Scripting (XSS) Issue in Sumex Invoice View

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A stored cross-site scripting XSS vulnerability in the Sumex invoice view allows an authenticated user with client and invoice management privileges to execute arbitrary JavaScript in the browser o...

CVE-2026-25141

Orval generates type-safe JS clients TypeScript from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes ', double quotes " and so...

CVE-2026-25141

Orval generates type-safe JS clients TypeScript from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes ', double quotes " and so...

CVE-2022-31065

BigBlueButton is an open source web conferencing system. In affected versions an attacker can embed malicious JS in their username and have it executed on the victim's client. When a user receives a private chat from the attacker whose username contains malicious JavaScript, the script gets...

EUVD-2023-57450

Malicious code in bioql PyPI...

EUVD-2023-32309

Malicious code in bioql PyPI...

EUVD-2023-48098

Malicious code in bioql PyPI...

EUVD-2023-48106

Malicious code in bioql PyPI...

EUVD-2023-48110

Malicious code in bioql PyPI...

EUVD-2023-48089

Malicious code in bioql PyPI...

GHSA-4XG4-54HM-9J77 Gokapi has stored XSS vulnerability in friendly name for API keys

Impact By renaming the friendly name of an API key, an authenticated user could inject JS into the API key overview, which would also be executed when another user clicks on his API tab. With the affected versions v2.0, there was no user permission system implemented, therefore all authenticated...

CVE-2025-48495 Gokapi has stored XSS vulnerability in friendly name for API keys

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. By renaming the friendly name of an API key, an authenticated user could inject JS into the API key overview, which would also be executed when another user clicks on his API tab. Prior to version 2.0.0,...

PT-2025-23498 · Gokapi · Gokapi

Name of the Vulnerable Software and Affected Versions: Gokapi versions prior to 2.0.0 Description: Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. The issue allows an authenticated user to inject JS into the API key overview by renaming the friendly...

CVE-2024-37145

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the /api/v1/chatflows-streaming/id endpoint. If the default configuration is used unauthenticated, an attacker may be able...

CVE-2024-36221 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)

Adobe Experience Manager versions 6.5.20 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page...

Cross site scripting

Os Commerce is currently susceptible to a Cross-Site Scripting XSS vulnerability. This vulnerability allows attackers to inject JS through the "companyaddress" parameter, potentially leading to unauthorized execution of scripts within a user's web browser...

Cross site scripting

Os Commerce is currently susceptible to a Cross-Site Scripting XSS vulnerability. This vulnerability allows attackers to inject JS through the "stockindicationtext1" parameter, potentially leading to unauthorized execution of scripts within a user's web browser...

Cross site scripting

Os Commerce is currently susceptible to a Cross-Site Scripting XSS vulnerability. This vulnerability allows attackers to inject JS through the "countriesname1" parameter, potentially leading to unauthorized execution of scripts within a user's web browser...