Lucene search
K

1924 matches found

Nuclei
Nuclei
added yesterday12 views

XWiki Platform Distribution Flavor Main - Cross-Site Scripting

XWiki Platform Distribution Flavor Main versions prior to 17.6.0 are vulnerable to reflected cross-site scripting XSS due to improper sanitization of user-supplied input in the extensionId parameter. An attacker can exploit this issue by injecting malicious JavaScript, which will be executed in t...

6.5CVSS6.9AI score0.00503EPSS
Exploits0References2
Nuclei
Nuclei
added yesterday15 views

YesWiki < 4.5.4 - Cross-Site Scripting

YesWiki 4.5.4 contains a reflected cross-site scripting caused by unsanitized idformulaire parameter in /?BazaR endpoint, letting attackers steal cookies and hijack sessions, exploit requires user to click malicious link. id: CVE-2025-46550 info: name: YesWiki 4.5.4 - Cross-Site Scripting author:...

6.1CVSS5.8AI score0.00498EPSS
Exploits1References2
Tenable Nessus
Tenable Nessus
added 2 days ago4 views

Siemens SIMATIC S7 PLC Web Server Improper Neutralization of Input During Web Page Generation (CVE-2026-25789)

Affected devices do not properly validate and sanitize filenames on the Firmware Update page. This could allow a remote attacker to social engineer the user into selecting a modified firmware file. This would result in malicious JavaScript execution in the context of the authenticated user's...

7.2CVSS7.3AI score0.00274EPSS
Exploits0References3
EUVD
EUVD
added 6 days ago15 views

EUVD-2026-33280

Mautic has Stored Cross-Site Scripting XSS in Project Option Selector...

5.4CVSS5.8AI score0.00133EPSS
Exploits0References2
NVD
NVD
added 6 days ago9 views

CVE-2026-8699

A stored Cross-Site Scripting XSS vulnerability has been identified in the web-based management interface of Archer C5 v6.8 routers, due to insufficient server-side validation and lack of proper output encoding of user-controlled input in a certain field. An attacker with administrative privilege...

7CVSS0.00177EPSS
Exploits0References1
EUVD
EUVD
added 6 days ago10 views

EUVD-2026-41407

A stored Cross-Site Scripting XSS vulnerability has been identified in the web-based management interface of Archer C5 v6.8 routers, due to insufficient server-side validation and lack of proper output encoding of user-controlled input in a certain field. An attacker with administrative privilege...

7CVSS6AI score0.00177EPSS
Exploits0References1
CVE
CVE
added 6 days ago8 views

CVE-2026-8699

CVE-2026-8699 reports a stored Cross-Site Scripting (XSS) vulnerability in the Archer C5 web-based management interface (v6.8). Root cause: insufficient server-side validation and lack of proper output encoding for a specific input field, allowing an admin-level attacker to inject crafted HTML/JS...

7CVSS6AI score0.00177EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added last week7 views

CVE-2026-58031

A flaw was found in Wikimedia Foundation MediaWiki. This vulnerability, categorized as an Improper Neutralization of Input During Web Page Generation Cross-site Scripting or XSS, allows a remote attacker to inject malicious scripts into web pages. When a user views an affected page, the attacker'...

4.6CVSS5.7AI score0.0023EPSS
Exploits0References4
EUVD
EUVD
added 2026/07/01 12:34 a.m.7 views

EUVD-2026-40434

Capgo before 12.128.2 contains an authentication bypass vulnerability in the account deletion endpoint that allows deletion without password re-authentication or secondary verification. Attackers can delete user accounts via session hijacking, CSRF attacks, or parameter tampering, resulting in...

8.1CVSS5.8AI score0.00353EPSS
Exploits0References3
NVD
NVD
added 2026/06/30 2:16 p.m.10 views

CVE-2026-35095

KTM System e-BOK allows the session identifier to be set by the client prior to authentication. If a cookie with a valid name is set, its value remains unchanged after successful login. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session...

4.8CVSS0.00145EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/30 1:37 p.m.6 views

EUVD-2026-40322

KTM System e-BOK allows the session identifier to be set by the client prior to authentication. If a cookie with a valid name is set, its value remains unchanged after successful login. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session...

4.8CVSS5.7AI score0.00145EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/30 1:37 p.m.5 views

CVE-2026-35095

KTM System e-BOK allows the session identifier to be set by the client prior to authentication. If a cookie with a valid name is set, its value remains unchanged after successful login. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session...

4.8CVSS5.7AI score0.00145EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/29 6:50 p.m.28 views

CVE-2026-53427 Cross-site scripting in MDEx via unescaped highlight_lines_class code-fence attribute

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown. When syntax highlighting and full info-string forwarding render: fullinfostring: true are enabled, t...

2.3CVSS0.00405EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/29 5:44 p.m.5 views

CVE-2026-46625

A flaw was found in JavaScript Cookie js-cookie. This vulnerability allows a remote attacker to manipulate cookie attributes by exploiting a prototype pollution issue within the assign helper function. When processing specially crafted JSON input, the flaw enables an attacker to hijack the...

7.5CVSS5.8AI score0.00422EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/29 5:23 p.m.9 views

EUVD-2026-40143

Mixpost through 2.6.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in authenticated users' browsers by crafting malicious OAuth callback URLs with unsanitized error query parameters. Attackers can exploit the OAuth...

6.1CVSS5.9AI score0.00168EPSS
Exploits0References2
CVE
CVE
added 2026/06/29 5:23 p.m.19 views

CVE-2026-57958

Summary: Mixpost

6.1CVSS5.9AI score0.00168EPSS
Exploits0References2
OSV
OSV
added 2026/06/29 11:50 a.m.5 views

PYSEC-2026-485 PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected extension sessions

Summary praisonai browser start exposes the browser bridge on 0.0.0.0 by default, and its /ws endpoint accepts websocket clients that omit the Origin header entirely. An unauthenticated network client can connect as a fake controller, send startsession, cause the server to forward startautomation...

9.1CVSS6.1AI score0.00356EPSS
Exploits1References6
OSV
OSV
added 2026/06/29 11:50 a.m.5 views

PYSEC-2026-467 PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected extension sessions

Summary praisonai browser start exposes the browser bridge on 0.0.0.0 by default, and its /ws endpoint accepts websocket clients that omit the Origin header entirely. An unauthenticated network client can connect as a fake controller, send startsession, cause the server to forward startautomation...

9.1CVSS6.1AI score0.00356EPSS
Exploits1References6
Positive Technologies
Positive Technologies
added 2026/06/25 12:0 a.m.8 views

PT-2026-52611

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.0.10 Description An authenticated user can change their account password through the account settings Security section without providing the current password or any additional verification. This occurs because the...

8.7CVSS5.8AI score0.00327EPSS
Exploits1References5
Cvelist
Cvelist
added 2026/06/24 8:56 p.m.18 views

CVE-2026-45688 Rocket.Chat: Pre-Auth NoSQL Injection in CAS Login Handler leading to Arbitrary CAS/SAML User Session Hijack

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's CAS login handler forwards the client-supplied options.cas.credentialToken value straight into a MongoDB findOneid: ... query...

9.1CVSS0.00289EPSS
Exploits0References1
Rows per page
Query Builder