6714 matches found
CVE-2026-1915
CVE-2026-1915 concerns the WordPress plugin Simple Plyr (
GHSA-W5CR-2QHR-JQC5 Cloudflare Agents has a Reflected Cross-Site Scripting (XSS) vulnerability in AI Playground site
Summary: A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the AI Playground's OAuth callback handler. The error_description query parameter was directly interpolated into an HTML script tag without proper escaping, allowing attackers to execute arbitrary JavaScript in the contex...
CVE-2025-70095
A cross-site scripting (XSS) vulnerability in the item management and sales invoice function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload...
Cross-site Scripting (XSS)
SCEditor is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to lack of sanitization of user-controlled configuration options passed to sceditor.create, which allows an attacker to inject malicious scripts and execute arbitrary JavaScript in the application context...
CVE-2026-25868
MiniGal Nano version 0.3.5 and prior contain a reflected cross-site scripting (XSS) vulnerability in index.php via the dir parameter. The application constructs $currentdir from user-controlled input and embeds it into an error message without output encoding, allowing an attacker to supply...
Incorrect Behavior Order: Validate Before Canonicalize
Overview: Affected versions of this package are vulnerable to Incorrect Behavior Order: Validate Before Canonicalize via the splitPos function. An attacker can cause unintended script execution by crafting a request path containing specific multi-byte Unicode characters, which manipulates the...
BIT-MOODLE-2025-67855 Moodle: moodle: information disclosure and script execution via reflected cross-site scripting
A flaw was found in moodle. A remote attacker could exploit a reflected Cross-Site Scripting (XSS) vulnerability in the policy tool return URL. This vulnerability arises from insufficient sanitization of URL parameters, allowing attackers to inject malicious scripts through specially crafted links...
PT-2026-7835
Name of the Vulnerable Software and Affected Versions: Wix (affected versions not specified). Description: A Reflected Cross-Site Scripting (XSS) issue exists in the Wix web application. The vulnerability is located in the SVG image upload functionality at the...
Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the document upload process. An attacker can execute arbitrary scripts in the context of another user by uploading files with specially crafted file names containing embedded scripts. Details: Cross-site...
CVE-2025-13064
A server-side injection was possible for a malicious admin to manipulate the application to include a malicious script which is executed by the server. This attack is only possible if the admin uses a client that has been tampered with...
CVE-2025-70297
A stored cross-site scripting (XSS) vulnerability in the recipe asset upload and media serving component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary web script or HTML via an uploaded SVG file that is served as image/svg+xml and rendered by a victim's browser...
XSS Vulnerability in IBM Cloud Pak for Business Automation
IBM Cloud Pak for Business Automation: An integrated software component that delivers design, build, run, and automation services to quickly scale your programs and fully execute and implement automation strategies. An XSS vulnerability exists in IBM Cloud Pak for Business Automation, which can be...
CVE-2025-66606
A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product does not properly encode URLs. An attacker could tamper with web pages or execute malicious scripts. The affected products and versions are as follows: FAST/TOOLS Packages: RVSVRN, UNSVRN, HMIWEB,...
CVE-2025-66601
A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product does not specify MIME types. When an attacker performs a content sniffing attack, malicious scripts could be executed. The affected products and versions are as follows: FAST/TOOLS Packages: RVSVR...