20062 matches found
CVE-2026-40563 Apache Atlas: Script injection allows access to unintended data
Description: Improper Control of Generation of Code 'Code Injection' vulnerability in Apache Atlas Apache Atlas exposes a DSL search endpoint that accepts user-supplied query strings. Attacker can alter Gremlin traversal logic within grammar-allowed characters to access unintended data Affect...
WordPress addfreespace plugin <= 0.1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability
Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin addfreespace versions = 0.1.3...
PT-2026-36788
Name of the Vulnerable Software and Affected Versions Apache Atlas versions 0.8 through 2.4.0 Description An improper control of code generation issue exists in the DSL search endpoint, which accepts user-supplied query strings. An attacker can alter Gremlin traversal logic using grammar-allowed...
Astra Linux – Vulnerability in Chromium
Insufficient data validation in the New Tab Page of Google Chrome prior to 95.0.4638.69 allowed a remote attacker to inject arbitrary scripts or HTML into a new browser tab through a crafted HTML page...
dvwa-xss
Cross-Site Scripting XSS Attack & Analysis — DVWA A hands-o...
CVE-2026-4790
The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'customsvg' parameter in versions up to, and including, 4.11.70 due to insufficient input sanitization and output escaping. This makes it possible fo...
CVE-2026-5109 Gravity Forms <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting via Product Option
The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient validation and output escaping of Product Option field values. The vulnerability exists because the state validation function accepts submitted...
CVE-2026-6916
The Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sgcontentnumberprefix' parameter in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output...
PT-2026-36573
The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient validation and output escaping of Product Option field values. The vulnerability exists because the state validation function accepts submitted...
EUVD-2024-55564
Multiple plugins and/or themes for WordPress are vulnerable to Reflected Cross-Site Scripting via the url parameter in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that...
CVE-2026-6127 Elementor Website Builder <= 4.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via REST API
The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the elementordata meta field in versions up to, and including, 4.0.4. This is due to insufficient input sanitization when processing form-encoded REST API requests. The plugin registers the...
EUVD-2026-26479
The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the elementordata meta field in versions up to, and including, 4.0.4. This is due to insufficient input sanitization when processing form-encoded REST API requests. The plugin registers the...
CVE-2026-3346
IBM Langflow Desktop 1.6.0 through 1.8.4 Lanflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted...
GHSA-537J-GQPC-P7FQ n8n Vulnerable to XSS via MCP OAuth client
Impact An unauthenticated attacker could register a malicious MCP OAuth client with a crafted clientname. If a victim user authorized the OAuth consent dialog and a second user subsequently revoked that access, a toast notification would render the injected script. Clicking the link would execute...
EUVD-2018-21830
MyBB Recent threads 17.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by creating threads with crafted subject lines. Attackers can create threads with script tags in the subject parameter to execute arbitrary JavaScript in the browser...
CVE-2026-39712
Improper Neutralization of Script-Related HTML Tags in a Web Page Basic XSS vulnerability in tagDiv tagDiv Composer td-composer allows Code Injection.This issue affects tagDiv Composer: from n/a through = 5.4.3...
CVE-2026-2902
The WP Meteor Website Speed Optimization Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'frontendrewrite' function's 'WPMETEORNWPMETEOR' placeholder content in all versions up to, and including, 3.4.16 due to insufficient input sanitization and output escaping. Th...
PT-2026-35992
Name of the Vulnerable Software and Affected Versions MyBB Recent threads version 17.0 Description A persistent cross-site scripting issue allows attackers to inject malicious scripts by creating threads with crafted subject lines. By using script tags in the subject parameter, an attacker can...
CVE-2025-56536
CVE-2025-56536 is a stored XSS in OpenNebula v6.10.0.1 where an attacker can inject payload via the user information parameter. The vulnerability affects OpenNebula 6.10.0.1 and is tracked with a CVSSv3.1 base score of 6.1 (Medium), attack vector Network, required user interaction, and changed sc...
Cross-site Scripting (XSS)
Overview phpoffice/phpspreadsheet is a Spreadsheet engine that Read, Create and Write Spreadsheet documents in PHP . Affected versions of this package are vulnerable to Cross-site Scripting XSS in the HTML generation process when a cell uses a custom number format containing the @ text placeholde...