2324 matches found
CVE-2026-49241
The CVE concerns the Angular Language Service VS Code Extension (pre-21.2.4). It reads custom tsdk paths from workspace settings without Workspace Trust checks, then dynamically loads tsserverlibrary.js from a user-specified folder during server initialization. An attacker could commit a reposito...
CVE-2026-56347
AVideo TopMenu plugin through version 26.0 contains a stored cross-site scripting vulnerability in menu item rendering due to missing output encoding of icon classes, URLs, and text labels. Attackers can inject malicious JavaScript through unescaped menu item fields that execute for all site...
EUVD-2026-36089
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.11, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could store a malicious script in a classic...
PT-2026-48498
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.11, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could store a malicious script in a classic...
CVE-2026-44746
An XSS vulnerability (reflected) in SAP NetWeaver Java (JDBC Test Servlet) allows an unauthenticated attacker to craft a URL containing malicious script. If a victim clicks the link, the injected input is processed during web page generation, causing the attacker’s code to run in the victim’s bro...
Adobe Experience Manager 跨站脚本漏洞
Adobe Experience Manager is a content management solution developed by Adobe Inc. in the United States. It can be used to build websites, mobile applications, and forms. This solution supports mobile content management, marketing and sales activity management, and multi-site management, among oth...
PT-2026-48064
Name of the Vulnerable Software and Affected Versions Adobe Experience Manager versions 6.5.24 and earlier Adobe Experience Manager versions LTS SP1 and earlier Adobe Experience Manager versions 2026.04 and earlier Description A stored Cross-Site Scripting XSS issue allows a low-privileged attack...
CVE-2026-5301
Stored XSS in log viewer in CoolerControl/coolercontrol-ui 4.0.0 allows unauthenticated attackers to take over the service via malicious JavaScript in poisoned log entries...
EUVD-2026-33280
A stored Cross-Site Scripting XSS vulnerability exists in the project selector component of Mautic 7. When rendering selection menus for associating projects with system entities, the application fails to sanitize project names returned via AJAX before injecting them into the DOM as option fields...
QuickCMS 跨站脚本漏洞
QuickCMS is an open-source content management system developed by QuickCMS. QuickCMS has a cross-site scripting vulnerability. This vulnerability stems from an insecure HTTP-based plugin acquisition mechanism that makes it vulnerable to cross-site scripting attacks. Malicious attackers can...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the CodeExtension::fileExcerpt function in WebProfiler. An attacker can execute arbitrary JavaScript code in the context of affected users by sending a specially crafted non-PHP files with \n that avoids HTM...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the navigateTo function when handling external redirects in server-side rendering. An attacker can execute arbitrary HTML or JavaScript in the application's origin by supplying a crafted URL containing...
Malicious code in jest-expect (npm)
Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...
CVE-2026-25789
Affected devices do not properly validate and sanitize filenames on the Firmware Update page. This could allow a remote attacker to social engineer the user into selecting the modified firmware file to be uploaded. This would result in malitcious JavaScript execution in the context of the...
CVE-2026-27682
Due to a reflected cross-site scripting XSS vulnerability in SAP NetWeaver Application Server ABAP Applications based on Business Server Pages, an unauthenticated attacker could craft a URL that exploits an unprotected URL parameter to embed a malicious script. If a victim clicks the link, the...
CVE-2026-27682
SAP NetWeaver Application Server ABAP (Apps based on Business Server Pages) is affected by a reflected XSS vulnerability. An unauthenticated attacker can craft a URL with an unprotected parameter; if a user clicks the link, the injected input is processed during web page generation, leading to ex...
CVE-2025-70842
A Stored Cross-Site Scripting XSS vulnerability was discovered in the File Management module of FluentCMS 1.2.3. The flaw allows an authenticated administrator to upload crafted SVG files containing malicious JavaScript code. Once uploaded, the script executes in the browser of any user who...
CVE-2025-70842
FluentCMS 1.2.3 is affected in its File Management module by a Stored XSS vulnerability. An authenticated administrator can upload crafted SVG files containing malicious JavaScript, and the injected script executes in the browser of any user who accesses the direct URL to the image, including una...
CVE-2021-47936
OpenCATS 0.9.4 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by uploading malicious PHP files disguised as resume attachments. Attackers can upload PHP payloads through the careers job application endpoint and execute system...
PT-2026-39491
uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the news/manage module. The date created, date from, date to, and created at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET reques...