CVE-2025-14797

The Same Category Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget title placeholder functionality in all versions up to, and including, 1.1.19. This is due to the use of htmlspecialcharsdecode on taxonomy term names before output, which decodes HTML entities...

GHSA-W7RQ-FGX4-4XCM LavaLite CMS affected by a stored cross-site scripting vulnerability

LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without prop...

CVE-2021-47892

PEEL Shopping 9.3.0 contains a stored cross-site scripting vulnerability in the 'Comments / Special Instructions' parameter of the purchase page. Attackers can inject malicious JavaScript payloads that will execute when the page is refreshed, potentially allowing client-side script execution...

CVE-2018-25116

MyBB Thread Redirect Plugin 0.2.1 contains a cross-site scripting vulnerability in the custom text input field for thread redirects. Attackers can inject malicious SVG scripts that will execute when other users view the thread, allowing arbitrary script execution...

CVE-2021-47897

CVE-2021-47897 affects PEEL Shopping 9.3.0. A stored cross-site scripting vulnerability exists in the address parameter of the change_params.php script, allowing injected JavaScript that runs in the user’s browser on interaction with the address box. CVSS metrics show a high/severe impact under d...

CVE-2021-47892 PEEL Shopping 9.3.0 - 'Comments/Special Instructions' Stored Cross-Site Scripting

PEEL Shopping 9.3.0 contains a stored cross-site scripting vulnerability in the 'Comments / Special Instructions' parameter of the purchase page. Attackers can inject malicious JavaScript payloads that will execute when the page is refreshed, potentially allowing client-side script execution...

CVE-2018-25116

The CVE-2018-25116 entry pertains to MyBB Thread Redirect Plugin version 0.2.1, which is documented to contain a cross-site scripting (XSS) vulnerability in the custom text input field for thread redirects. Attackers can inject SVG scripts that execute when other users view the thread, enabling a...

CVE-2026-0788

ALGO 8180 IP Audio Alerter Web UI Persistent Cross-Site Scripting Vulnerability. This vulnerability allows remote attackers to execute web requests with a target user's privileges on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this...

CVE-2026-23499

Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed authenticated staff users or Apps to upload arbitrary files, including malicious HTML and SVG files containing Javascript. Depending on the deployment strategy, these...

EUVD-2026-4135

Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their OpenAI key...

CVE-2025-27380 HTML Injection Leading to Script Execution in Altium Enterprise Server

HTML injection in Project Release in Altium Enterprise Server AES 7.0.3 on all platforms allows an authenticated attacker to execute arbitrary JavaScript in the victim’s browser via crafted HTML content...

CVE-2025-27380

CVE-2025-27380 affects Altium Enterprise Server (AES) 7.0.3. In the Project Release feature, HTML content can be crafted to trigger an HTML injection, allowing an authenticated attacker to execute arbitrary JavaScript in the victim’s browser. The vulnerability stems from unsafe handling of HTML i...

EUVD-2026-3774

CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.2.0 through 2.54.0, an attacker is able to execute arbitrary JavaScript in a victim user's CVAT UI session, provided that they are able to create a maliciously crafted label in a CVAT task or...

CVE-2026-23499

Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed authenticated staff users or Apps to upload arbitrary files, including malicious HTML and SVG files containing Javascript. Depending on the deployment strategy, these...

EUVD-2026-3775

Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed authenticated staff users or Apps to upload arbitrary files, including malicious HTML and SVG files containing Javascript. Depending on the deployment strategy, these...

CVE-2021-47851

Mini Mouse 9.2.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary commands through an unauthenticated HTTP endpoint. Attackers can leverage the /op=command endpoint to download and execute payloads by sending crafted JSON requests with malicious script...

CVE-2025-54853

A reflected cross-site scripting xss vulnerability exists in the modifyUser functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability...

Saleor code issue vulnerabilities

Saleor Commerce is an open-source interface software developed by Saleor Commerce. Versions of Saleor Commerce from 3.0.0 to 3.20.108, as well as versions before 3.21.43 and 3.22.27, had code vulnerabilities. These vulnerabilities stemmed from allowing authenticated employee users or applications...

CVE-2026-21642

HackerOne community member Patrick Lang 7yr has reported a reflected XSS vulnerability in the banner-acl.php and channel-acl.php scripts of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged in administrator visits the URL, the HTML is...

CVE-2026-21642

HackerOne community member Patrick Lang 7yr has reported a reflected XSS vulnerability in the banner-acl.php and channel-acl.php scripts of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged in administrator visits the URL, the HTML is...