CVE-2026-5506

The CVE-2026-5506 entry concerns the WordPress Wavr plugin (versions up to 0.2.6). The vulnerability is a Stored Cross-Site Scripting flaw via the plugin’s wave shortcode attributes stemming from insufficient input sanitization and output escaping. The impact allows authenticated attackers with c...

CVE-2026-3618 Columns by BestWebSoft <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'columns' Shortcode 'id' Attribute

The Columns by BestWebSoft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the printclmns shortcode in all versions up to and including 1.0.3. This is due to insufficient input sanitization and output escaping on the 'id' attribute. The...

CVE-2026-4333

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'skin' attribute of the learnpresscourses shortcode in all versions up to and including 4.3.3. This is due to insufficient input sanitization and output escaping on the 'skin' shortcode...

PT-2026-31057

The Elementor Website Builder – More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widget parameters in all versions up to, and including, 3.35.5 due to insufficient input sanitization and output escaping. This makes it possible for...

PT-2026-31319

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Pages module does not apply the html purify validation rule to content fields during create and update operations, while the Blog...

CVE-2026-39400

Cronicle suffers a Stored XSS vulnerability in versions before 0.9.111. A non-admin user with create_events and run_events privileges can inject arbitrary JavaScript through job output fields (html.content, html.title, table.header, table.rows, table.caption). The server stores this data without ...

CVE-2026-39380

Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting XSS vulnerability exists in the Stock Locations configuration feature. The application fails to properly sanitize user input supplied throug...

CVE-2026-35534 ChurchCRM has Stored XSS in PersonView.php via Facebook Field Attribute Injection

ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in PersonView.php due to incorrect use of sanitizeText as an output sanitizer for HTML attribute context. The function only strips HTML tags, it does not escape quote character...

Google Chrome 安全漏洞

Google Chrome is a web browser developed by Google Inc. Versions of Google Chrome prior to 147.0.7727.55 contained a security vulnerability. This vulnerability stemmed from insufficient execution of the History Navigation policy, which could allow remote attackers to inject arbitrary scripts or...

Endian Firewall remark parameter cross-site scripting vulnerability (CNVD-2026-18375)

Endian Firewall is a network security firewall system from Endian. A cross-site scripting vulnerability exists in the Endian Firewall remark parameter, which stems from improper handling of the remark parameter in /manage/ipsec/, and can be exploited by an attacker to inject malicious script and...

CVE-2026-25932

GLPI is a Free Asset and IT Management Software package. From 0.60 to before 10.0.24, an authenticated technician user can store an XSS payload in a supplier fields. This vulnerability is fixed in 10.0.24...

CVE-2026-2600

The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ekittabtitle' parameter in the Simple Tab widget in all versions up to, and including, 3.7.9 due to insufficient input sanitization and output escaping on user supplied...

CVE-2018-25247

MyBB Like Plugin 3.0.0 contains a stored cross-site scripting vulnerability. Authenticated attackers can inject script payloads into post or thread subjects; when other users view a profile that displays the attacker's liked posts, the unsanitized subject is rendered, executing the script in the...

EUVD-2026-18995

The Visitor Traffic Real Time Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pagetitle' parameter in all versions up to, and including, 8.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...

CVE-2026-2437

The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wtetriptax' shortcode in all versions up to, and including, 6.7.5 due to insufficient input sanitization and output escaping on user supplied...

CVE-2026-0737 Shortcodes Ultimate <= 7.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'su_lightbox' Shortcode

The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 7.4.7. This is due to insufficient input sanitization and output escaping in the 'src' attribute of the sulightbox shortcode. This makes it possib...

CVE-2026-0664

The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buttontext' parameter in all versions up to, and including, 1.7.1049 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2026-2924

The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'imageLoad' parameter in versions up to, and including, 3.4.6 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2026-2949 Xpro Addons — 140+ Widgets for Elementor <= 1.4.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Icon Box Widget

The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Icon Box widget in versions up to, and including, 1.4.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2026-34779

CVE-2026-34779 affects Electron on macOS prior to patches 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8. The vulnerability arises in the AppleScript fallback path used by app.moveToApplicationsFolder(), which failed to properly handle certain characters in the application bundle path. Under specific ...