CVE-2026-20111

A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an authenticated, remote attacker to conduct a stored cross-site scripting XSS attack against users of the interface of an affected system. This vulnerability exists because the web-based management...

CVE-2026-23704

A non-administrative user can upload malicious files. When an administrator or the product accesses that file, an arbitrary script may be executed on the administrator's browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life EOL, are affected by the vulnerability as well...

CVE-2026-23704

A non-administrative user can upload malicious files. When an administrator or the product accesses that file, an arbitrary script may be executed on the administrator's browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life EOL, are affected by the vulnerability as well...

CVE-2026-23704

A non-administrative user can upload malicious files. When an administrator or the product accesses that file, an arbitrary script may be executed on the administrator's browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life EOL, are affected by the vulnerability as well...

CVE-2026-23704

A non-administrative user can upload malicious files. When an administrator or the product accesses that file, an arbitrary script may be executed on the administrator's browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life EOL, are affected by the vulnerability as well...

EUVD-2026-5489

A non-administrative user can upload malicious files. When an administrator or the product accesses that file, an arbitrary script may be executed on the administrator's browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life EOL, are affected by the vulnerability as well...

CVE-2026-23704

CVE-2026-23704 affects Movable Type 7.x and 8.4.x (EOL). A non-administrative user can upload malicious files, and when an administrator or the product accesses the file, an arbitrary script may execute in the administrator’s browser. Documents from multiple sources confirm this behavior; the cor...

Movable Type 代码问题漏洞

Movable Type is a content management system developed by Movable Type Inc. There are code-related vulnerabilities in Movable Type. These vulnerabilities allow non-administrator users to upload malicious files, potentially enabling administrators’ browsers to execute arbitrary scripts...

PT-2026-6182

Name of the Vulnerable Software and Affected Versions Movable Type versions 7.x and 8.4.x Description A non-administrative user can upload malicious files. When an administrator or the product accesses these files, an arbitrary script may be executed on the administrator's browser. Recommendation...

CVE-2020-37072 Victor CMS 1.0 - 'comment_author' Persistent Cross-Site Scripting

Victor CMS 1.0 contains a stored cross-site scripting vulnerability in the 'commentauthor' POST parameter that allows attackers to inject malicious scripts. Attackers can submit crafted JavaScript payloads through the comment submission form to execute arbitrary code in victim browsers...

EUVD-2026-5166

Qwik is a performance focused javascript framework. Prior to version 1.19.0, a Cross-Site Scripting vulnerability in Qwik.js' server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attributes. Successfu...

CVE-2026-25482

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowi...

Arbitrary File Upload

Overview Affected versions of this package are vulnerable to Arbitrary File Upload via the store endpoint. An attacker can execute arbitrary scripts in the context of users by uploading specially crafted files that are rendered without proper content validation. Remediation There is no fixed...

EUVD-2026-5177

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Ta...

CVE-2026-25488 Craft Commerce has Stored XSS in Tax Categories (Name & Description) Fields Leading to Potential Privilege Escalation

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Tax Categories Name & Descripti...

CVE-2026-25486 Craft Commerce has Stored XSS in Shipping Methods Name Field Leading to Potential Privilege Escalation

Craft Commerce is an ecommerce platform for Craft CMS. From version 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Methods Name field in the Store Management section is n...

CVE-2026-25482

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowi...

EUVD-2020-30984

60CycleCMS 2.5.2 contains a cross-site scripting XSS vulnerability in news.php that allows attackers to inject malicious scripts through GET parameters. Attackers can craft malicious URLs with XSS payloads targeting the 'etsu' and 'ltsu' parameters to execute arbitrary scripts in victim's browser...

Moodle vulnerable to Cross-site Scripting

A flaw was found in Moodle. A remote attacker could exploit a reflected Cross-Site Scripting XSS vulnerability in the policy tool return URL. This vulnerability arises from insufficient sanitization of URL parameters, allowing attackers to inject malicious scripts through specially crafted links...

GHSA-VWHW-VP9V-Q9C9 Moodle vulnerable to Cross-site Scripting

A flaw was found in Moodle. A remote attacker could exploit a reflected Cross-Site Scripting XSS vulnerability in the policy tool return URL. This vulnerability arises from insufficient sanitization of URL parameters, allowing attackers to inject malicious scripts through specially crafted links...