Lucene search
K

4569 matches found

Cvelist
Cvelist
added yesterday10 views

CVE-2026-58657 Grav - Stored CSS Injection via Markdown Image resize() Action

Grav before 2.0.0 affected through 2.0.0-rc.9 and the 2.0 branch contains a stored CSS injection vulnerability in the Markdown image resize media action. Prior media hardening rejects direct ?style= payloads and unsafe attribute fallbacks, but the resize action in Excerpts::processMediaActions...

4.8CVSS
Exploits0References4
EUVD
EUVD
added yesterday4 views

EUVD-2026-42231

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'email' parameter in all versions up to, and including, 1.8.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...

7.2CVSS6.1AI score
Exploits0References3
EUVD
EUVD
added yesterday4 views

EUVD-2026-42225

Improper neutralization of input during web page generation 'cross-site scripting' vulnerability in Webbeyaz Web Design Mediküm Web allows Stored XSS. This issue affects Mediküm Web: through 08072026. NOTE: The vendor was contacted and it was learned that the product is not supported...

5.4CVSS5.9AI score
Exploits0References1
EUVD
EUVD
added yesterday8 views

EUVD-2026-42222

Improper neutralization of input during web page generation 'cross-site scripting' vulnerability in Limatek System Inc. LimRAD NAC allows Stored XSS. This issue affects LimRAD NAC: through 08072026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way...

4.8CVSS5.9AI score
Exploits0References1
Nuclei
Nuclei
added yesterday8 views

VvvebJs <= 2.0.5 - Cross-Site Scripting

Givanz Vvvebjs = 2.0.5 contains a stored XSS caused by manipulation of the "uploadAllowExtensions" argument in upload.php File Upload Endpoint, letting remote attackers execute scripts, exploit requires crafted input. id: CVE-2026-5615 info: name: VvvebJs = 2.0.5 - Cross-Site Scripting author:...

5.3CVSS5.9AI score0.00773EPSS
Exploits1References2
Nuclei
Nuclei
added 2 days ago22 views

LiteSpeed Cache <= 6.5.0.2 - Stored XSS

LiteSpeed Technologies LiteSpeed Cache versions up to 6.5.0.2 contain a stored cross-site scripting caused by improper input neutralization during web page generation, letting attackers execute malicious scripts in victim browsers, exploit requires storing malicious input. id: CVE-2024-47374 info...

7.1CVSS6AI score0.0141EPSS
Exploits0References2
NVD
NVD
added 3 days ago5 views

CVE-2026-50133

Hugo is a static site generator. Prior to 0.162.0, Hugo accepts content files in several markup formats. Files mapped to the text/html media type typically .html files under /content, or pages produced by a content adapter that sets content.mediaType = "text/html" had their body emitted verbatim...

6.1CVSS0.00187EPSS
Exploits0References3
Patchstack
Patchstack
added 3 days ago10 views

WordPress Comments – wpDiscuz plugin <= 7.6.56 - Unauthenticated Stored Cross-Site Scripting vulnerability

Unauthenticated Stored Cross-Site Scripting vulnerability discovered by mickeyjoe in WordPress Plugin wpDiscuz versions = 7.6.56...

7.2CVSS5.9AI score0.00305EPSS
Exploits0References1Affected Software1
Patchstack
Patchstack
added 3 days ago7 views

WordPress NEX-Forms – Ultimate Forms Plugin for WordPress plugin <= 9.2.2 - Unauthenticated Stored Cross-Site Scripting vulnerability

Unauthenticated Stored Cross-Site Scripting vulnerability discovered by Taichi Kashimura in WordPress Plugin NEX-Forms versions = 9.2.2...

7.2CVSS5.9AI score0.00304EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added last week15 views

EUVD-2026-33280

Mautic has Stored Cross-Site Scripting XSS in Project Option Selector...

5.4CVSS5.8AI score0.00133EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added last week10 views

CVE-2026-9834

The WP Database Backup – Unlimited Database & Files Backup by Backup for WP plugin for WordPress is vulnerable to OS Command Injection in all versions up to and including 7.11 via the wpdbexcludetable parameter. This is due to the direct concatenation of user-supplied $POST'wpdbexcludetable' valu...

7.2CVSS6.3AI score0.01588EPSS
Exploits0References9
CVE
CVE
added last week14 views

CVE-2026-9834

The WP Database Backup – Unlimited Database & Files Backup by Backup for WP plugin (WordPress) is vulnerable to OS Command Injection in all versions up to 7.11 via the wp_db_exclude_table parameter. The root cause is direct concatenation of user-supplied $_POST['wp_db_exclude_table'] values into ...

7.2CVSS6.3AI score0.01588EPSS
Exploits0References8
NVD
NVD
added 2026/06/30 6:16 a.m.11 views

CVE-2026-12560

The Editorial Rating – Product Review & Rating System plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'Link URL' Field in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

4.4CVSS0.0024EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.14 views

PT-2026-53811

Name of the Vulnerable Software and Affected Versions Editorial Rating – Product Review & Rating System versions prior to 4.0.6 Description Insufficient input sanitization and output escaping allow authenticated attackers with administrator-level access and above to perform Stored Cross-Site...

4.4CVSS6.1AI score0.0024EPSS
Exploits0References15
CVE
CVE
added 2026/06/27 6:50 a.m.15 views

CVE-2026-11783

The CVE concerns the Dokan: AI Powered WooCommerce Multivendor Marketplace Solution for WordPress. A Stored XSS flaw exists in all versions up to 5.0.4 due to insufficient input sanitization and output escaping of the Product SKU, enabling an authenticated attacker with custom-level access or hig...

6.4CVSS5.8AI score0.0022EPSS
Exploits0References8
NVD
NVD
added 2026/06/27 2:16 a.m.11 views

CVE-2026-11356

The Ivory Search – WordPress Search Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'menutitle' and 'menumagnifiercolor' Settings in all versions up to, and including, 5.5.15 due to insufficient input sanitization and output escaping. This makes it possible for...

4.4CVSS0.00251EPSS
Exploits0References10
Cvelist
Cvelist
added 2026/06/24 3:8 p.m.35 views

CVE-2026-50710 Frappe Framework 17.0.0-dev - Stored XSS via eval in Number Card filters_config

A Stored Cross-Site Scripting XSS vulnerability exists in Frappe Framework version 17.0.0-dev due to unsafe evaluation of user-controlled data in the Number Card component...

4.6CVSS0.00256EPSS
Exploits0References2
CVE
CVE
added 2026/06/24 2:17 p.m.14 views

CVE-2026-50698

CVE-2026-50698 describes a Stored XSS in Frappe Framework 17.0.0-dev, arising from improper neutralization of user-controlled input in the Audit Trail template rendering. The description indicates the vulnerability is a content injection flaw that could affect HTML output. No exploitation details...

4.6CVSS5.8AI score0.00256EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/24 11:53 a.m.34 views

CVE-2026-56358 n8n - Stored Cross-Site Scripting in Form Trigger Node

n8n before 1.123.25 1.x and before 2.11.2 2.x, with the fix also included in 2.12.0, contains a stored cross-site scripting vulnerability in the Form Trigger node's CSS sanitization that allows authenticated users to inject malicious scripts. Attackers with workflow creation permissions can injec...

5.4CVSS0.00144EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/22 9:26 a.m.10 views

EUVD-2026-38222

EasyFlow .NET developed by Digiwin has a Stored Cross-Site Scripting vulnerability, allowing authenticated remote attackers to inject persistent JavaScript code executed in users' browsers upon page load...

5.4CVSS6AI score0.00168EPSS
Exploits0References2
Rows per page
Query Builder