CVE-2020-37222

Kuicms Php EE 2.0 is affected by a persistent cross-site scripting (XSS) vulnerability. The issue allows unauthenticated attackers to inject arbitrary scripts by submitting crafted content through the bbs reply endpoint (POST to /web/?c=bbs&a=reply) with HTML/JavaScript payloads in the content pa...

EUVD-2026-29410

The Pricing Tables for WP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.1.0. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

CVE-2022-50957 Drupal avatar_uploader 7.x-1.0-beta8 Reflected XSS

Drupal avataruploader 7.x-1.0-beta8 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the file parameter. Attackers can craft URLs with script payloads in the file parameter of avataruploader.pages.inc to...

EUVD-2026-28540

The Auto Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.8.8 This is due to insufficient input sanitization on the 'url' POST parameter in the aalurlstatssaveaction function and a complete absence of output escaping in...

WordPress plugin Age Verification & Identity Verification by Token of Trust 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

CVE-2026-34598 YesWiki has Persistant Blind XSS at "/?BazaR&vue=consulter"

YesWiki is a wiki system written in PHP. Prior to version 4.6.0, a stored and blind XSS vulnerability exists in the form title field. A malicious attacker can inject JavaScript without any authentication via a form title that is saved in the backend database. When any user visits that injected...

CVE-2026-1986

The CVE concerns FloristPress for Woo – Florist plugin for WordPress. A Reflected Cross-Site Scripting vulnerability exists in all versions up to 7.8.2, caused by insufficient input sanitization and output escaping of the user-supplied noresults parameter. This can allow unauthenticated attackers...

WordPress plugin WP-WebAuthn 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

PT-2026-24200

The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form entry fields in all versions up to, and including, 2.0.5. This is due to insufficient input sanitization and output escaping on form submission data displayed in the admin Form...

CVE-2026-0752

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that under certain circumstances, could have allowed an unauthenticated user to inject arbitrary scripts into the Mermaid sandbox UI...

CVE-2026-0752

CVE-2026-0752 concerns GitLab CE/EE where an unauthenticated user could inject arbitrary scripts into the Mermaid sandbox UI under certain circumstances. The issue affected all versions 16.2 up to but not including 18.7.5, all 18.8 releases before 18.8.5, and all 18.9 releases before 18.9.1. GitL...

CVE-2026-2472

Stored Cross-Site Scripting XSS in the genai/evalsvisualization component of Google Cloud Vertex AI SDK google-cloud-aiplatform versions from 1.98.0 up to but not including 1.131.0 allows an unauthenticated remote attacker to execute arbitrary JavaScript in a victim's Jupyter or Colab environment...

PT-2026-21322

phpMoAdmin 1.1.5 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the collection parameter. Attackers can send GET requests to moadmin.php with script payloads in the collection parameter during collection...

CVE-2019-25389 Smoothwall Express 3.1 'timedaccess.cgi' Cross-Site Scripting

Smoothwall Express 3.1-SP4-polar-x8664-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the MACHINES parameter. Attackers can craft requests to the timedaccess.cgi endpoint with script payloads in the...

CVE-2026-1844

The PixelYourSite PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pysTrafficSource' parameter and the 'pyslandingpage' parameter in all versions up to, and including, 12.4.0.2 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2026-1792

The Geo Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL path in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages tha...

CVE-2026-1795

The CVE-2026-1795 entry concerns the WordPress plugin Address Bar Ads (≤ 1.0.0). The root cause is insufficient input sanitization and output escaping in the URL Path, enabling a Reflected Cross-Site Scripting (XSS) vulnerability. Affected: Address Bar Ads plugin for WordPress (all versions up to...

EUVD-2026-5549

The Peter's Date Countdown plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' parameter in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

CVE-2025-13893

The Lesson Plan Book plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' variable in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrar...

GESTSUP 跨站脚本漏洞

GESTSUP is a software application from the French company GESTSUP. It is 100% web-based SUPport MANAGEMENT software that manages tickets and devices. A cross-site scripting vulnerability exists in GESTSUP 3.2.56 and prior versions, which stems from a flaw in the API error logging functionality th...