Lucene search
K

91061 matches found

Cvelist
Cvelist
added 1 hour ago3 views

CVE-2026-54011 Open WebUI: Stored XSS in Mermaid Markdown Preview

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6,Open WebUI renders Mermaid blocks from Markdown files in the file preview panel and inserts the generated SVG into the DOM using innerHTML. Because Mermaid is configured with...

8.7CVSS0.00037EPSS
Exploits0References1
Cvelist
Cvelist
added 2 hours ago2 views

CVE-2026-44956

Low‑privileged users could use their Full Name as a vector for a stored XSS attack. The name is included in system‑generated emails, whose content is stored in the details field of the userlog table. An admin user viewing the email content through userlog-details.php would have any malicious...

Exploits1References1
CVE
CVE
added 2 hours ago12 views

CVE-2026-44956

Low‑privileged users could use their Full Name as a vector for a stored XSS attack. The name is included in system‑generated emails, whose content is stored in the details field of the userlog table. An admin user viewing the email content through userlog-details.php would have any malicious...

5.8AI score
Exploits1References1
CVE
CVE
added 2 hours ago9 views

CVE-2026-54302

n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, an authenticated user with workflow edit access could inject arbitrary JavaScript into the Chat Trigger's generated page by setting a malicious webhookId. When a logged-in user visited the chat URL, the...

7CVSS6AI score0.00038EPSS
Exploits0References1
Cvelist
Cvelist
added 2 hours ago2 views

CVE-2026-54302 n8n: Stored XSS in Chat Trigger Node

n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, an authenticated user with workflow edit access could inject arbitrary JavaScript into the Chat Trigger's generated page by setting a malicious webhookId. When a logged-in user visited the chat URL, the...

7CVSS0.00038EPSS
Exploits0References1
NVD
NVD
added 4 hours ago8 views

CVE-2026-56263

Crawl4AI before 0.8.7 contains a stored cross-site scripting vulnerability in the monitor dashboard that renders crawl URLs and error messages via innerHTML without escaping. An attacker can submit a crafted crawl request with malicious markup that executes in an operator's browser when viewing t...

6.1CVSS
Exploits0References3
EUVD
EUVD
added 5 hours ago8 views

EUVD-2026-38447

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pmauthormessage' parameter in the pmsendmessagetoauthor function in all versions up to, and including, 5.9.9.2 due to insufficient input sanitization and output...

6.4CVSS6AI score
Exploits0References6
NVD
NVD
added 5 hours ago8 views

CVE-2026-4983

Open VSX Registry does not sanitize SVG files uploaded as extension icons prior to storage, and serves them with Content-Type: image/svg+xml without security headers such as Content-Security-Policy or Content-Disposition: attachment. This allows an attacker to publish an extension with a maliciou...

4.1CVSS
Exploits0References1
EUVD
EUVD
added 7 hours ago6 views

EUVD-2026-38424

Open VSX Registry does not sanitize SVG files uploaded as extension icons prior to storage, and serves them with Content-Type: image/svg+xml without security headers such as Content-Security-Policy or Content-Disposition: attachment. This allows an attacker to publish an extension with a maliciou...

4.1CVSS5.9AI score
Exploits0References1
RedhatCVE
RedhatCVE
added 10 hours ago4 views

CVE-2026-44169

A flaw was found in MariaDB server. A user who has been granted EXECUTE access to a stored routine through a role can view the definition of that routine. This information disclosure occurs even if the user does not possess the SHOW CREATE ROUTINE privilege, potentially exposing sensitive routine...

4.3CVSS5.7AI score0.00269EPSS
Exploits0References5
Nuclei
Nuclei
added 13 hours ago32 views

WBCE CMS v1.5.4 - Cross Site Scripting (Stored)

A cross-site scripting XSS vulnerability in /admin/settings/save.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website Footer field. id: CVE-2022-45038 info: name: WBCE CMS v1.5.4 - Cross Site Scripting Stored author:...

5.4CVSS6.2AI score0.01024EPSS
Exploits1References3
Nuclei
Nuclei
added 13 hours ago18 views

Site Reviews < 7.2.5 - Unauthenticated Stored XSS

Site Reviews WordPress plugin before 7.2.5 contains a stored cross-site scripting caused by improper sanitization and escaping of review fields, letting unauthenticated users execute malicious scripts, exploit requires no authentication. id: CVE-2025-1232 info: name: Site Reviews 7.2.5 -...

8.8CVSS7.2AI score0.01856EPSS
Exploits1References3
Nuclei
Nuclei
added 13 hours ago12 views

Popup4Phone <= 1.3.2 - Unauthenticated Stored Cross-Site Scripting

Popup4Phone WordPress plugin through 1.3.2 contains a reflected cross-site scripting caused by unsanitized parameters, letting unauthenticated users execute scripts in admin browsers, exploit requires sending crafted requests. id: CVE-2024-3231 info: name: Popup4Phone = 1.3.2 - Unauthenticated...

6.1CVSS5.7AI score0.00684EPSS
Exploits2References2
Nuclei
Nuclei
added 13 hours ago6 views

VvvebJs <= 2.0.5 - Cross-Site Scripting

Givanz Vvvebjs = 2.0.5 contains a stored XSS caused by manipulation of the "uploadAllowExtensions" argument in upload.php File Upload Endpoint, letting remote attackers execute scripts, exploit requires crafted input. id: CVE-2026-5615 info: name: VvvebJs = 2.0.5 - Cross-Site Scripting author:...

5.3CVSS5.8AI score0.00773EPSS
Exploits1References2
Nuclei
Nuclei
added 13 hours ago6 views

Payara Server - Cross-Site Scripting

Payara Server versions 4.1.2.191.54, 5.83.0, 6.34.0, and 7.2026.1 contain a stored XSS vulnerability caused by improper input sanitization in the REST Management Interface. This allows attackers to mislead administrators into changing the admin password via a URL payload; however, the exploit...

9.3CVSS5.8AI score0.01002EPSS
Exploits1References3
Nuclei
Nuclei
added 13 hours ago12 views

WordPress OneTone theme <= 3.0.6 – Unauthenticated Stored XSS

includes/theme-functions.php in the OneTone theme through 3.0.6 for WordPress has multiple stored XSS issues. id: CVE-2019-17231 info: name: WordPress OneTone theme = 3.0.6 – Unauthenticated Stored XSS author: daffainfo severity: medium description: | includes/theme-functions.php in the OneTone...

6.1CVSS6.3AI score0.01216EPSS
Exploits1References3
Nuclei
Nuclei
added 13 hours ago23 views

XXL-JOB v2.2.0 — Stored Cross Site Scripting

Multiple cross-site scripting XSS vulnerabilities in xxl-job v2.2.0 allow remote attackers to inject arbitrary web script or HTML via 1 AppName and 2AddressList parameter in JobGroupController.java file. id: CVE-2020-23814 info: name: XXL-JOB v2.2.0 — Stored Cross Site Scripting author:...

6.1CVSS6.4AI score0.01188EPSS
Exploits1References2
Nuclei
Nuclei
added 13 hours ago15 views

Duplicate Page WordPress - Stored Cross-Site Scripting

Duplicate Page WordPress plugin = 4.4.2 contains a stored cross-site scripting caused by unsanitized Duplicate Post Suffix settings in output, letting high privilege users execute malicious scripts, exploit requires high privilege user role. id: CVE-2021-24681 info: name: Duplicate Page WordPress...

4.8CVSS5.7AI score0.0087EPSS
Exploits2References3
Nuclei
Nuclei
added 13 hours ago16 views

Limit Login Attempts - Stored Cross-Site Scripting

Limit Login Attempts WordPress plugin 4.0.72 contains a stored cross-site scripting caused by unsanitized and unescaped settings, letting malicious administrators inject Javascript code, exploit requires administrator privileges. id: CVE-2022-1029 info: name: Limit Login Attempts - Stored...

4.8CVSS5.7AI score0.00758EPSS
Exploits2References1
Nuclei
Nuclei
added 13 hours ago8 views

WordPress Redirect After Login <= 0.1.9 - Admin Stored XSS

Marcelotorres Redirect After Login plugin = 0.1.9 contains a stored cross-site scripting caused by insufficient sanitization in the login redirect parameter, letting attackers execute scripts in the context of the affected site, exploit requires admin privileges. id: CVE-2023-27624 info: name:...

5.9CVSS6.5AI score0.00619EPSS
Exploits0References2
Rows per page
Query Builder