Lucene search
K

6751 matches found

Nuclei
Nuclei
added 2 hours ago12 views

WP DeskLite - Reflected XSS

WP DeskLite WordPress plugin through 1.0.0 contains a reflected XSS caused by unsanitized and unescaped parameter output, letting attackers execute scripts against high privilege users such as admin, exploit requires crafted request. id: CVE-2024-12724 info: name: WP DeskLite - Reflected XSS...

6.1CVSS6AI score0.00521EPSS
Exploits1References2
Nuclei
Nuclei
added 2 hours ago71 views

Mitel ShoreTel 19.46.1802.0 Devices - Cross-Site Scripting

Mitel ShoreTel 19.46.1802.0 devices and their conference component are vulnerable to an unauthenticated attacker conducting reflected cross-site scripting attacks via the PATHINFO variable to index.php due to insufficient validation for the timezone object in the HOMEMEETING& page. id:...

6.1CVSS6.3AI score0.15987EPSS
Exploits3References5
Nuclei
Nuclei
added 2 hours ago11 views

VDO.Ninja - DOM-Based Cross-Site Scripting

VDO.Ninja 28.0 to 28.3 contains a reflected XSS caused by improper sanitization of the room parameter in examples/control.html, letting remote attackers execute scripts, exploit requires crafted URL. id: CVE-2025-62613 info: name: VDO.Ninja - DOM-Based Cross-Site Scripting author: 0xAkoko severit...

6.9CVSS6AI score0.01099EPSS
Exploits0References3
Nuclei
Nuclei
added 2 hours ago30 views

Odoo <= 15.0 - Cross-Site Scripting

A cross-site scripting XSS vulnerability in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote attackers to inject arbitrary web scripts into the browser of a victim via a crafted link. This issue could lead to the execution of malicious scripts in the context of t...

6.5CVSS7AI score0.0141EPSS
Exploits0References3
Nuclei
Nuclei
added 2 hours ago24 views

Liferay Portal & DXP - Cross-Site Scripting

Liferay Portal 7.4.0 through 7.4.3.133 and Liferay DXP 2024.Q1.1 through 2025.Q1.4 contain a reflected XSS caused by improper sanitization in entrycoverimagecaption.jsp, letting remote non-authenticated attackers inject JavaScript. id: CVE-2025-4576 info: name: Liferay Portal & DXP - Cross-Site...

6.9CVSS6AI score0.00588EPSS
Exploits0References2
Nuclei
Nuclei
added 2 hours ago8 views

Heimdall Application Dashboard < 2.7.3 - Reflected XSS

LinuxServer.io Heimdall 2.7.3 contains a stored XSS caused by improper sanitization of the "q" parameter, letting remote attackers execute scripts, exploit requires crafted input. id: CVE-2025-54597 info: name: Heimdall Application Dashboard 2.7.3 - Reflected XSS author: 0xAkoko severity: medium...

7.2CVSS6AI score0.00565EPSS
Exploits0References3
NVD
NVD
added 2 days ago5 views

CVE-2026-6896

GitLab has remediated an issue in GitLab EE affecting all versions from 13.11 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to execute arbitrary scripts in another user's browser...

8.7CVSS0.00348EPSS
Exploits0References3
NVD
NVD
added 2 days ago5 views

CVE-2026-13320

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.7 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user to execute arbitrary scripts in another user's browser session due to improper...

7.3CVSS0.003EPSS
Exploits0References3
CVE
CVE
added 2 days ago9 views

CVE-2026-59929

Mistune is a Python Markdown parser. CVE-2026-59929 affects the safe_url filter in src/mistune/renderers/html.py prior to version 3.3.0, which blocks only javascript:, vbscript:, file:, and data: schemes. This allowed legacy or chained schemes such as feed:, view-source:, jar:, livescript:, mocha...

6.1CVSS6AI score0.00191EPSS
Exploits1References3Affected Software1
Cvelist
Cvelist
added 2 days ago34 views

CVE-2026-59929 Mistune renderers/html.safe_url: HARMFUL_PROTOCOLS list misses legacy and chained schemes that historically chain to `javascript:` execution

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the safeurl filter in src/mistune/renderers/html.py blocks only javascript:, vbscript:, file:, and data: schemes, allowing legacy or chained schemes such as feed:, view-source:, jar:, livescript:, mocha:, ms-its:, mk:...

6.1CVSS0.00191EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2 days ago5 views

PT-2026-56615

Name of the Vulnerable Software and Affected Versions GitLab EE versions 13.11 through 18.11.6 GitLab EE versions 19.0 through 19.0.3 GitLab EE versions 19.1 through 19.1.1 Description An issue exists where improper sanitization of user-supplied input could allow an authenticated user with...

8.7CVSS6AI score0.00348EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/07/02 7:44 p.m.34 views

CVE-2026-59102 Forgejo < 15.0.3 - Stored XSS via Actions Run Full Name Rendering

Forgejo before 15.0.3 contains a stored cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript in other users' browsers by setting a full name containing an HTML payload and triggering an Actions run. When the DEFAULTSHOWFULLNAME option is enabled,...

5.4CVSS0.00199EPSS
Exploits0References4
CVE
CVE
added 2026/07/02 4:52 p.m.9 views

CVE-2026-8699

CVE-2026-8699 reports a stored Cross-Site Scripting (XSS) vulnerability in the Archer C5 web-based management interface (v6.8). Root cause: insufficient server-side validation and lack of proper output encoding for a specific input field, allowing an admin-level attacker to inject crafted HTML/JS...

7CVSS6AI score0.00177EPSS
Exploits0References1
NVD
NVD
added 2026/07/01 5:16 p.m.5 views

CVE-2026-34096

Guardian language-system fails to sanitize the name GET parameter before outputting it into an HTML input value attribute in designer.php line 57. An authenticated attacker can craft a URL containing script tags that execute in the victim's browser session...

4.8CVSS0.00147EPSS
Exploits0References2
EUVD
EUVD
added 2026/07/01 4:21 p.m.8 views

EUVD-2026-41071

Guardian language-system passes the id GET parameter directly into a PHP exec call in speechtext.php line 18 without sanitization: exec"php jobs/speechaudiotext.php ".$loginsession." ".$GET'id'." ...". No authentication is required. An unauthenticated remote attacker can append shell...

9.8CVSS6.1AI score0.00537EPSS
Exploits0References2
CVE
CVE
added 2026/07/01 3:53 p.m.10 views

CVE-2026-34096

Guardian Language-System XSS via name Parameter in designer.php. Root cause: failure to sanitize the name GET parameter before output into an HTML input value attribute (designer.php: line 57). Impact: authenticated attacker can craft a URL with script tags that execute in the victim’s browser se...

4.8CVSS5.8AI score0.00147EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/07/01 3:53 p.m.7 views

CVE-2026-34096

Guardian language-system fails to sanitize the name GET parameter before outputting it into an HTML input value attribute in designer.php line 57. An authenticated attacker can craft a URL containing script tags that execute in the victim's browser session...

4.8CVSS5.8AI score0.00147EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/07/01 3:53 p.m.33 views

CVE-2026-34096 Guardian Language-System XSS via name Parameter in designer.php

Guardian language-system fails to sanitize the name GET parameter before outputting it into an HTML input value attribute in designer.php line 57. An authenticated attacker can craft a URL containing script tags that execute in the victim's browser session...

4.8CVSS0.00147EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.4 views

PT-2026-54861

Name of the Vulnerable Software and Affected Versions Craft CMS versions 5.0.0-RC1 through 5.9.22 Description A stored cross-site scripting issue exists where a user with author-level control panel permissions can embed a malicious JavaScript payload within an entry title. The execution occurs wh...

5.9CVSS6AI score0.00412EPSS
Exploits0References6
NVD
NVD
added 2026/06/30 11:17 p.m.7 views

CVE-2026-28322

SolarWinds Database Performance Analyzer was found to be affected by a stored cross-site scripting vulnerability, which when exploited, can lead to unintended script execution...

5.6CVSS0.00222EPSS
Exploits0References3
Rows per page
Query Builder