PT-2026-39491

uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the news/manage module. The date created, date from, date to, and created at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET reques...

CVE-2026-20172

A vulnerability in the Lite Agent feature of Cisco Enterprise Chat and Email ECE could allow an authenticated, remote attacker to conduct browser-based attacks. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Agent. This...

Cross-site Scripting (XSS)

Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the rendering of taxonomy field values in the admin panel, where user-supplied input is output using the |raw filt...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the DataTable widget when a query parameter is rendered without proper output escaping. An attacker can execute arbitrary scripts in the context of the user's browser by tricking a user into visiting a craft...

CVE-2026-27243

Adobe Connect (versions 2025.3, 12.10 and earlier) contains a reflected Cross-Site Scripting (XSS) vulnerability. An attacker can lure a user to a crafted URL referencing a vulnerable page, enabling arbitrary JavaScript execution in the user’s browser with high impact to confidentiality and integ...

CVE-2026-6179 Stored Cross Site Scripting in NightWolf Penetration Testing Platform

Stored Cross Site Scripting in NightWolf Penetration Testing Platform allows attack trigger and run malicious script in user's browser...

CVE-2026-4895

The GreenShift - Animation and Page Builder Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 12.8.9 This is due to insufficient input sanitization and output escaping in the gspbgreenShiftblockscriptassets function. The function uses...

parisneo/lollms vulnerable to stored XSS in the social feature

A Stored Cross-Site Scripting XSS vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the createpost function within backend/routers/social/init.py, where user-provided content is directly assigned to the...

CVE-2026-1115

A Stored Cross-Site Scripting XSS vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the createpost function within backend/routers/social/init.py, where user-provided content is directly assigned to the...

PT-2026-31885

Name of the Vulnerable Software and Affected Versions parisneo/lollms versions prior to 2.2.0 Description A Stored Cross-Site Scripting XSS vulnerability exists in the social feature of parisneo/lollms. The vulnerability is located in the create post function within backend/routers/social/ init...

CVE-2026-5301 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in coolercontrol-ui

Stored XSS in log viewer in CoolerControl/coolercontrol-ui 4.0.0 allows unauthenticated attackers to take over the service via malicious JavaScript in poisoned log entries...

GHSA-PQ95-94C9-J987 yaffa vulnerable to Cross Site Scripting

yaffa v2.0.0 is vulnerable to Cross Site Scripting XSS. An attacker can inject malicious JavaScript into the "Add Account Group" function on the account-group page, allowing execution of arbitrary script in the context of users who view the affected page...

Bludit 跨站脚本漏洞

Bludit is an open-source, lightweight blog content management system developed by Bludit. Versions 3.17.2 and 3.18.0 of Bludit contain cross-site scripting vulnerabilities. These vulnerabilities stem from a storage-based cross-site scripting flaw in the page creation function. This allows...

CVE-2018-25248 MyBB Downloads Plugin 2.0.3 Persistent XSS via downloads.php

MyBB Downloads Plugin 2.0.3 contains a persistent cross-site scripting vulnerability that allows regular members to inject malicious scripts through the download title field. Attackers can submit a new download with HTML/JavaScript code in the title parameter, which executes when administrators...

CVE-2018-25247

The CVE-2018-25247 entry concerns MyBB Like Plugin 3.0.0, which is vulnerable to cross-site scripting via user profiles. The root cause is unvalidated subject content in posts/threads, allowing an attacker to craft post subjects containing script tags that execute when other users view the attack...

Endian Firewall 跨站脚本漏洞

Endian Firewall is a network security firewall system from Endian. A cross-site scripting vulnerability exists in the Endian Firewall NAME parameter, which originates from improperly cleaning up the input of the NAME parameter in /cgi-bin/uplinkeditor.cgi, and can be exploited by an attacker to...

CVE-2026-1877

The Auto Post Scheduler plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.84. This is due to missing nonce validation on the 'apsoptionspage' function. This makes it possible for unauthenticated attackers to update settings and inject malicio...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the cleanupXss function when sanitizing HTML content with conflicting htmLawed configuration options. An attacker can execute arbitrary JavaScript in the context of the affected application by injecting...

CVE-2026-33559

WordPress Plugin "OpenStreetMap" provided by MiKa contains a cross-site scripting vulnerability. On the site with the affected version of the plugin enabled, a logged-in user with a page-creating/editing privilege can embed some malicious script with a crafted HTTP request. When a victim user...

EUVD-2026-16553

WordPress Plugin "OpenStreetMap" provided by MiKa contains a cross-site scripting vulnerability. On the site with the affected version of the plugin enabled, a logged-in user with a page-creating/editing privilege can embed some malicious script with a crafted HTTP request. When a victim user...