CVE-2026-7209

The Simple Link Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's qcopd-directory shortcode in all versions up to, and including, 8.9.2. This is due to insufficient input sanitization and output escaping on user supplied attributes such as titlefontsize...

CVE-2026-32124 OpenEMR: Dynamic Code Picker Renders Unescaped Descriptions (Stored XSS)

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, the dynamic code picker AJAX endpoint returns code descriptions codetext that are rendered in the front end e.g. DataTables without HTML escaping. If an administrator or user...

CVE-2026-1901

The QuestionPro Surveys plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'questionpro' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

Stored Cross-Site Scripting (XSS)

labelstudio is vulnerable to stored cross-site scripting XSS.The vulnerability is due to insufficient sanitization of user-controlled input in the customhotkeys functionality, which allows an authenticated attacker or one who tricks a user/admin to inject malicious JavaScript that executes in oth...

CVE-2022-0535

The E2Pdf WordPress plugin before 1.16.45 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed...

CVE-2025-64827

Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they brow...

CVE-2025-40890 Stored Cross-Site Scripting (XSS) in Dashboards in Guardian/CMC before 25.4.0

A Stored Cross-Site Scripting vulnerability was discovered in the Dashboards functionality due to improper validation of an input parameter. An authenticated low-privilege user can craft a malicious dashboard containing a JavaScript payload and share it with victim users, or a victim can be...

CVE-2025-52624

A vulnerability Bypass of the script allowlist configuration in HCL AION. An incorrectly configured Content-Security-Policy header may allow unauthorized scripts to execute, increasing the risk of cross-site scripting and other injection-based attacks.This issue affects AION: 2.0...

EUVD-2016-9207

Malware in sbrugna...

EUVD-2020-19221

Malware in sbrugna...

EUVD-2022-15987

Malicious code in bioql PyPI...

EUVD-2025-18180

Malicious code in bioql PyPI...

EUVD-2024-49927

Malicious code in bioql PyPI...

CVE-2025-55166 svg-sanitizer By-Passing Attribute Sanitization

savg-sanitizer is a PHP SVG/XML sanitizer. Prior to version 0.22.0, the sanitization logic in the cleanXlinkHrefs method only searches for lower-case attribute name, which allows to by-pass the isHrefSafeValue check. As a result this allows cross-site scripting or linking to external domains. Thi...

PT-2025-32422 · Workos · Authkit

Name of the Vulnerable Software and Affected Versions: @workos-inc/authkit-remix versions 0.14.1 and below Description: The AuthKit library for Remix exposed sensitive authentication artifacts – specifically sealedSession and accessToken – by returning them from the authkitLoader, causing them to...

Updated rootcerts, nss & firefox packages fix security vulnerabilities

CVE-2025-6424: A use-after-free in FontFaceSet resulted in a potentially exploitable crash. CVE-2025-6425: An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private...

Mozilla Thunderbird < 128.12

The version of Thunderbird installed on the remote Windows host is prior to 128.12. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2025-55 advisory. - The executable file warning did not warn users before opening files with the terminal extension. This bug only...

CVE-2025-49189 Cookie missing HttpOnly flag

The HttpOnlyflag of the session cookie "@@" is set to false. Since this flag helps preventing access to cookies via client-side scripts, setting the flag to false can lead to a higher possibility of Cross-Side-Scripting attacks which target the stored cookies...

CVE-2023-0021

Due to insufficient encoding of user input, SAP NetWeaver - versions 700, 701, 702, 731, 740, 750, allows an unauthenticated attacker to inject code that may expose sensitive data like user ID and password, which could lead to reflected Cross-Site scripting. These endpoints are normally exposed...

CVE-2023-2757

The Waiting: One-click countdowns plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on 'saveLang' functions in versions up to, and including, 0.6.2. This could lead to Cross-Site Scripting due to insufficient input sanitization and output escaping. This...