Lucene search
K

852 matches found

CVE
CVE
added 6 hours ago11 views

CVE-2026-62378

RustFS Console is affected in versions 0.1.7–0.1.10. The vulnerability lies in the components/object/preview-modal.tsx and components/object/pdf-viewer.tsx extension-based PDF preview path, which can render HTML content uploaded as .pdf, enabling a stored XSS in the management console. This can l...

9CVSS6AI score
Exploits0References3
EUVD
EUVD
added 4 days ago8 views

EUVD-2026-43153

The Context Blog theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.5 via the contextblogmodalpopup. This makes it possible for unauthenticated attackers to extract the content of password-protected posts...

5.3CVSS6.1AI score0.00239EPSS
Exploits0References2
Cvelist
Cvelist
added 4 days ago39 views

CVE-2026-6801 Context Blog <= 1.3.5 - Unauthenticated Sensitive Information Exposure via 'postID' Parameter

The Context Blog theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.5 via the contextblogmodalpopup. This makes it possible for unauthenticated attackers to extract the content of password-protected posts...

5.3CVSS0.00239EPSS
Exploits0References2
EUVD
EUVD
added 2026/07/07 5:30 p.m.9 views

EUVD-2026-42063

Lack of escaping leads to XSS vulnerabilities in modalreturn layouts of various components...

8.4CVSS5.9AI score0.00147EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/07/07 12:0 a.m.7 views

PT-2026-56224

Name of the Vulnerable Software and Affected Versions Joomla! Core affected versions not specified Description Lack of escaping in modalreturn layouts of various components allows for Cross-Site Scripting XSS, a technique where malicious scripts are injected into trusted websites. Recommendations...

8.4CVSS6.1AI score0.00147EPSS
Exploits0References5
CVE
CVE
added 2026/07/02 7:38 p.m.20 views

CVE-2026-58579

RAGFlow before 0.26.3 stores an agent pipeline (DSL) node name without sanitization. The update endpoint normalizes DSL via JSON serialization but preserves the node name, and the dataflow-result UI renders it with dangerouslySetInnerHTML while i18next escapeValue is false, allowing an authentica...

5.4CVSS5.9AI score0.00182EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/07/02 7:38 p.m.37 views

CVE-2026-58579 RAGFlow < 0.26.3 - Stored Cross-Site Scripting via Agent Pipeline Node Name

RAGFlow before 0.26.3 stores an agent pipeline DSL node name without sanitization: the agent update endpoint normalizes the submitted DSL via normalizedsl, which only performs JSON serialization validation and preserves the node name verbatim. The dataflow-result web UI then renders that name int...

5.4CVSS0.00182EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/07/02 7:38 p.m.10 views

CVE-2026-58579 RAGFlow < 0.26.3 - Stored Cross-Site Scripting via Agent Pipeline Node Name

RAGFlow before 0.26.3 stores an agent pipeline DSL node name without sanitization: the agent update endpoint normalizes the submitted DSL via normalizedsl, which only performs JSON serialization validation and preserves the node name verbatim. The dataflow-result web UI then renders that name int...

5.4CVSS6.1AI score0.00182EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/06/15 12:0 p.m.32 views

CVE-2016-20073 Answer My Question 1.3 Plugin WordPress SQL Injection via modal.php

Answer My Question 1.3 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' POST parameter. Attackers can submit crafted SQL statements to the modal.php endpoint to extract...

8.8CVSS0.0027EPSS
Exploits0References4
NVD
NVD
added 2026/06/12 1:16 p.m.14 views

CVE-2026-49347

Quest Bot is an opensource Discord Bot. Prior to version 1.1.8, any user who can access the ticket panel can repeatedly create new ticket channels. The latest release still creates a new database ticket and Discord channel for every completed ticket modal submission, without checking whether the...

5.3CVSS0.00235EPSS
Exploits0References2
NVD
NVD
added 2026/06/06 2:16 a.m.14 views

CVE-2026-8901

The Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Form Submission Data in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This make...

7.2CVSS0.00314EPSS
Exploits0References10
RedhatCVE
RedhatCVE
added 2026/06/05 7:35 p.m.11 views

CVE-2026-5938

Improper control flow management allows a crafted document action chain to cause modal dialog reentry on the main thread, resulting in UI freeze and denial of service...

5.5CVSS5.5AI score0.00103EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:26 p.m.11 views

CVE-2026-40590

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the Change Customer modal exposes a “Create a new customer” flow via POST /customers/ajax with action=create. Under limited visibility, the endpoint drops unique-email validation. If the supplied email already...

4.3CVSS5.5AI score0.00214EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:13 p.m.9 views

CVE-2026-40873

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted attachment name s...

8.9CVSS5.6AI score0.00325EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/28 8:13 p.m.12 views

CVE-2026-42877

FacturaScripts is an open source accounting and invoicing software. In 2025.92 and earlier, a stored Cross-Site Scripting XSS vulnerability exists in the product search modal of sales Core/Lib/AjaxForms/SalesModalHTML.php and purchases documents Core/Lib/AjaxForms/PurchasesModalHTML.php. An...

5.4CVSS5.9AI score0.00165EPSS
Exploits0References1
NVD
NVD
added 2026/05/27 8:16 p.m.15 views

CVE-2026-42877

FacturaScripts is an open source accounting and invoicing software. In 2025.92 and earlier, a stored Cross-Site Scripting XSS vulnerability exists in the product search modal of sales Core/Lib/AjaxForms/SalesModalHTML.php and purchases documents Core/Lib/AjaxForms/PurchasesModalHTML.php. An...

5.4CVSS0.00165EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/27 6:37 p.m.48 views

CVE-2026-42877 FacturaScripts: Stored XSS via product reference in sales/purchases

FacturaScripts is an open source accounting and invoicing software. In 2025.92 and earlier, a stored Cross-Site Scripting XSS vulnerability exists in the product search modal of sales Core/Lib/AjaxForms/SalesModalHTML.php and purchases documents Core/Lib/AjaxForms/PurchasesModalHTML.php. An...

5.4CVSS0.00165EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/27 6:37 p.m.12 views

CVE-2026-42877

FacturaScripts is an open source accounting and invoicing software. In 2025.92 and earlier, a stored Cross-Site Scripting XSS vulnerability exists in the product search modal of sales Core/Lib/AjaxForms/SalesModalHTML.php and purchases documents Core/Lib/AjaxForms/PurchasesModalHTML.php. An...

5.4CVSS5.9AI score0.00165EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/05/27 6:37 p.m.17 views

CVE-2026-42877

CVE-2026-42877 describes a stored XSS in FacturaScripts where the product variant field referencia is injected into an onclick attribute in SalesModalHTML.php and PurchasesModalHTML.php without proper escaping. The vulnerability allows an authenticated user with warehouse access to create a malic...

5.4CVSS5.9AI score0.00165EPSS
Exploits0References1
Snyk
Snyk
added 2026/05/20 3:35 p.m.5 views

Cross-site Scripting (XSS)

Overview drupal/core is an an open source content management platform powering millions of websites and applications. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the jQuery integration for AJAX modal dialog boxes. An attacker can execute arbitrary scripts in t...

6.1CVSS5.6AI score0.00238EPSS
Exploits0References2
Rows per page
Query Builder