Total: 42233 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-27447 | 1 Endress | 2 Meac300-fnade4, Meac300-fnade4 Firmware | 2026-02-06 | N/A | 7.4 HIGH | The web application is susceptible to cross-site scripting attacks. An attacker can create a prepared URL that injects JavaScript code into the website. The code is executed in the victim's browser when an authenticated administrator clicks the link. |
| CVE-2025-56451 | 1 Seeyon | 1 A8+ Collaborative Management | 2026-02-05 | N/A | 6.1 MEDIUM | Cross-site scripting vulnerability in Seeyon Zhiyuan A8+ Collaborative Management Software 7.0 via the topValue parameter to the seeyon/main.do endpoint. |
| CVE-2025-66648 | 1 Vega-functions Project | 1 Vega-functions | 2026-02-05 | N/A | 7.2 HIGH | vega-functions provides function implementations for the Vega expression language. Prior to version 6.1.1, for sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintended JavaScript (XSS). This issue is fixed in vega-functions `6.1.1`. There is no workaround besides upgrading. Using `vega.expressionInterpreter` as described in CSP safe mode does not prevent this issue. |
| CVE-2025-59467 | 1 Ui | 1 Argentina Afip Invoices | 2026-02-05 | N/A | 7.5 HIGH | A Cross-Site Scripting (XSS) vulnerability in the UCRM Argentina AFIP invoices Plugin (v1.2.0 and earlier) could allow privilege escalation if an Administrator is tricked into visiting a crafted malicious page. This plugin is disabled by default. Affected Products: UCRM Argentina AFIP invoices Plugin (Version 1.2.0 and earlier). Mitigation: Update UCRM Argentina AFIP invoices Plugin to Version 1.3.0 or later. |
| CVE-2026-22704 | 1 Psu | 1 Haxcms-nodejs | 2026-02-05 | N/A | 8.0 HIGH | HAX CMS helps manage a microsite universe with PHP or NodeJS backends. In versions 11.0.6 to before 25.0.0, HAX CMS is vulnerable to stored XSS, which could lead to account takeover. This issue has been patched in version 25.0.0. |
| CVE-2020-37148 | | | 2026-02-05 | N/A | 3.5 LOW | P5 FNIP-8x16A/FNIP-4xSH versions 1.0.20 and 1.0.11 suffer from a stored cross-site scripting vulnerability. Input passed to several GET/POST parameters is not properly sanitized before being returned to the user, allowing attackers to execute arbitrary HTML and script code in a user's browser session in the context of the affected site. This can be exploited by submitting crafted input to the label modification functionality, such as the 'lab4' parameter in config.html. |
| CVE-2026-25054 | 1 N8n | 1 N8n | 2026-02-05 | N/A | 5.4 MEDIUM | n8n is an open source workflow automation platform. Prior to versions 1.123.9 and 2.2.1, a Cross-Site Scripting (XSS) vulnerability existed in a markdown rendering component used in n8n's interface, including workflow sticky notes and other areas that support markdown content. An authenticated user with permission to create or modify workflows could abuse this to execute scripts with same-origin privileges when other users interact with a maliciously crafted workflow. This could lead to session ... |
| CVE-2026-25051 | 1 N8n | 1 N8n | 2026-02-05 | N/A | 5.4 MEDIUM | n8n is an open source workflow automation platform. Prior to version 1.123.2, a Cross-Site Scripting (XSS) vulnerability was identified in the handling of webhook responses and related HTTP endpoints. Under certain conditions, the Content Security Policy (CSP) sandbox protection intended to isolate HTML responses may not be applied correctly. An authenticated user with permission to create or modify workflows could abuse this to execute malicious scripts with same-origin privileges when oth ... |
| CVE-2026-1134 | 1 Angeljudesuarez | 1 Society Management System | 2026-02-05 | 5.0 MEDIUM | 4.3 MEDIUM | A vulnerability was identified in itsourcecode Society Management System 1.0. This affects an unknown function of the file /admin/expenses.php. The manipulation of the argument detail leads to cross-site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used. |
| CVE-2026-22232 | 1 Opexustech | 1 Ecase Audit | 2026-02-05 | N/A | 5.5 MEDIUM | OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript in the "A or SIC Number" field within the Project Setup functionality. The JavaScript is executed whenever another user views the project. Fixed in OPEXUS eCASE Audit 11.14.2.0. |
| CVE-2026-22231 | 1 Opexustech | 1 Ecase Audit | 2026-02-05 | N/A | 5.5 MEDIUM | OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment within the Document Check Out functionality. The JavaScript is executed whenever another user views the Action History Log. Fixed in OPEXUS eCASE Platform 11.14.1.0. |
| CVE-2026-22233 | 1 Opexustech | 1 Ecase Audit | 2026-02-05 | N/A | 5.5 MEDIUM | OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment in the "Estimated Staff Hours" field. The JavaScript is executed whenever another user visits the Project Cost tab. Fixed in OPEXUS eCASE Audit 11.14.2.0. |
| CVE-2021-47843 | 1 Pabloandumundu | 1 Tagstoo | 2026-02-05 | N/A | 5.4 MEDIUM | Tagstoo 2.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious payloads through files or custom tags. Attackers can execute arbitrary JavaScript code to spawn system processes, access files, and perform remote code execution on the victim's computer. |
| CVE-2025-41024 | 1 Nikhil-bhalerao | 1 Poultry Farm Management System | 2026-02-05 | N/A | 5.4 MEDIUM | Stored Cross-Site Scripting (XSS) in Poultry Farm Management System v1.0 due to the lack of proper validation of user input sent in a POST request. The relationship between parameters and assigned identifiers is as follows: 'companyaddress', 'companyemail', 'companyname', 'country', 'mobilenumber' and 'regno' parameters in '/farm/farmprofile.php'. |
| CVE-2025-41025 | 1 Nikhil-bhalerao | 1 Poultry Farm Management System | 2026-02-05 | N/A | 5.4 MEDIUM | Stored Cross-Site Scripting (XSS) in Poultry Farm Management System v1.0 due to the lack of proper validation of user input sent in a POST request. The relationship between parameters and assigned identifiers is as follows: 'category' and 'product' parameters in '/farm/sell_product.php'. |
| CVE-2026-24348 | 1 Nimbletech | 2 Ezcast Pro Dongle Ii, Ezcast Pro Dongle Ii Firmware | 2026-02-05 | N/A | 6.1 MEDIUM | Multiple cross-site scripting vulnerabilities in the Admin UI of EZCast Pro II version 1.17478.146 allow attackers to execute arbitrary JavaScript code in the browser of other Admin UI users. |
| CVE-2025-52344 | 1 Explorance | 1 Blue | 2026-02-05 | N/A | 6.1 MEDIUM | Multiple Cross-Site Scripting (XSS) vulnerabilities in input fields in Explorance Blue 8.1.2 allow attackers to inject arbitrary JavaScript code into the user's browser via the Group name and Project Description input fields. |
| CVE-2025-63420 | 1 Crushftp | 1 Crushftp | 2026-02-05 | N/A | 4.1 MEDIUM | CrushFTP 11 before 11.3.7_57 is vulnerable to stored HTML injection in the CrushFTP Admin Panel (Reports / "Who Created Folder"), enabling persistent HTML execution in admin sessions. |
| CVE-2026-1319 | | | 2026-02-05 | N/A | 6.4 MEDIUM | The Robin Image Optimizer – Unlimited Image Optimization & WebP Converter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Alternative Text' field of a Media Library image in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2026-1953 | | | 2026-02-05 | N/A | N/A | Nukegraphic CMS v3.1.2 contains a stored cross-site scripting (XSS) vulnerability in the user profile edit functionality at /ngc-cms/user-edit-profile.php. The application fails to properly sanitize user input in the name field before storing it in the database and rendering it across multiple CMS pages. An authenticated attacker with low privileges can inject malicious JavaScript payloads through the profile edit request, which are then executed site-wide whenever the affected user's name is di ... |
| CVE-2026-1268 | | | 2026-02-05 | N/A | 6.4 MEDIUM | The Dynamic Widget Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget content field in the Gutenberg editor sidebar in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2026-0867 | | | 2026-02-05 | N/A | 6.4 MEDIUM | The Essential Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ew-author, ew-archive, ew-category, ew-page, and ew-menu shortcodes in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NO ... |
| CVE-2026-1654 | | | 2026-02-05 | N/A | 6.1 MEDIUM | The Peter's Date Countdown plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. |
| CVE-2025-64174 | 1 Openmage | 1 Magento | 2026-02-04 | N/A | 4.8 MEDIUM | Magento-lts is a long-term support alternative to Magento Community Edition (CE). Versions 20.15.0 and below are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin with direct database access or the admin notification feed source to inject malicious scripts into vulnerable fields. Unescaped translation strings and URLs are printed into contexts inside app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Actions.php. A malicious translation or ... |
| CVE-2025-52662 | 1 Nuxt | 1 Devtools | 2026-02-04 | N/A | 6.9 MEDIUM | A vulnerability in Nuxt DevTools has been fixed in version 2.6.4. This issue may have allowed Nuxt auth token extraction via XSS under certain configurations. All users are encouraged to upgrade. More details: https://vercel.com/changelog/cve-2025-52662-xss-on-nuxt-devtools |
| CVE-2025-63883 | 1 Bhabishya-123 | 1 E-commerce | 2026-02-04 | N/A | 5.4 MEDIUM | A DOM-based cross-site scripting vulnerability exists in electic-shop v1.0 (Bhabishya-123/E-commerce). The site's client-side JavaScript reads attacker-controlled input (for example, values derived from the URL or page fragment) and inserts it into the DOM via unsafe sinks (innerHTML/insertAdjacentHTML/document.write) without proper sanitization or context-aware encoding. An attacker can craft a malicious URL that, when opened by a victim, causes arbitrary JavaScript to execute in the victim's b ... |
| CVE-2026-1135 | 1 Angeljudesuarez | 1 Society Management System | 2026-02-04 | 5.0 MEDIUM | 4.3 MEDIUM | A security flaw has been discovered in itsourcecode Society Management System 1.0. This impacts an unknown function of the file /admin/activity.php. The manipulation of the argument Title results in cross-site scripting. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. |
| CVE-2025-63441 | 1 Opensource-socialnetwork | 1 Open Source Social Network | 2026-02-04 | N/A | 7.3 HIGH | Open Source Social Network (OSSN) 8.6 is vulnerable to Cross-Site Scripting (XSS) via the `param` parameter at the endpoint u/administrator/friends. |
| CVE-2026-24784 | 1 Dnnsoftware | 1 Dotnetnuke | 2026-02-04 | N/A | 6.8 MEDIUM | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, a content editor could inject scripts in module headers/footers that would run for other users. Versions 9.13.10 and 10.2.0 contain a fix for the issue. |
| CVE-2026-24833 | 1 Dnnsoftware | 1 Dotnetnuke | 2026-02-04 | N/A | 7.6 HIGH | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, a module could install with richtext in its description field, which could contain scripts that would run for users in the Persona Bar. Versions 9.13.10 and 10.2.0 contain a fix for the issue. |
| CVE-2026-24836 | 1 Dnnsoftware | 1 Dotnetnuke | 2026-02-04 | N/A | 7.6 HIGH | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, extensions could write richtext in log notes, which can include scripts that would run in the Persona Bar when displayed. Versions 9.13.10 and 10.2.0 contain a fix for the issue. |
| CVE-2026-24837 | 1 Dnnsoftware | 1 Dotnetnuke | 2026-02-04 | N/A | 7.6 HIGH | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, a module friendly name could include scripts that would run during some module operations in the Persona Bar. Versions 9.13.10 and 10.2.0 contain a fix for the issue. |
| CVE-2026-24838 | 1 Dnnsoftware | 1 Dotnetnuke | 2026-02-04 | N/A | 9.1 CRITICAL | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, the module title supports richtext, which could include scripts that would execute in certain scenarios. Versions 9.13.10 and 10.2.0 contain a fix for the issue. |
| CVE-2026-24769 | 1 Nocodb | 1 Nocodb | 2026-02-04 | N/A | 9.0 CRITICAL | NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a stored cross-site scripting (XSS) vulnerability exists in NocoDB's attachment handling mechanism. Authenticated users can upload malicious SVG files containing embedded JavaScript, which are later rendered inline and executed in the browsers of other users who view the attachment. Because the malicious payload is stored server-side and executed under the application's origin, successful exploitation can lead t ... |
| CVE-2025-61431 | 1 Zucchetti | 2 Infinity Zmaintenance, Infinity Zucchetti | 2026-02-04 | N/A | 6.1 MEDIUM | A reflected cross-site scripting (XSS) vulnerability in the /jsp/gsfr_feditorHTML.jsp endpoint of Zucchetti ZMaintenance Infinity and Infinity Zucchetti v4.1 and earlier allows attackers to execute arbitrary JavaScript in the context of a user's browser by injecting a crafted payload into the pHtmlSource parameter. A vendor fix was released on 2025-06-18. |
| CVE-2021-34668 | 1 Devowl | 1 Real Media Library | 2026-02-04 | 3.5 LOW | 6.4 MEDIUM | The WordPress Real Media Library plugin is vulnerable to Stored Cross-Site Scripting via the name parameter in the ~/inc/overrides/lite/rest/Folder.php file, which allows author-level attackers to inject arbitrary web scripts in folder names, in versions up to and including 4.14.1. |
| CVE-2020-36998 | | | 2026-02-04 | N/A | 6.4 MEDIUM | Forma.lms The E-Learning Suite 2.3.0.2 contains a persistent cross-site scripting vulnerability in multiple course and profile parameters. Attackers can inject malicious scripts in the course code, name and description fields and in the email parameter to execute arbitrary JavaScript, as these inputs lack proper sanitization. |
| CVE-2020-37019 | | | 2026-02-04 | N/A | 6.4 MEDIUM | Orchard Core RC1 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious scripts through blog post creation. Attackers can create blog posts with embedded JavaScript in the MarkdownBodyPart.Source parameter to execute arbitrary scripts in victim browsers. |
| CVE-2026-25117 | | | 2026-02-04 | N/A | N/A | pwn.college DOJO is an education platform for learning cybersecurity. Prior to commit e33da14449a5abcff507e554f66e2141d6683b0a, missing sandboxing on `/workspace/*` routes allows challenge authors to inject arbitrary JavaScript that runs on the same origin as `http[:]//dojo[.]website`. This is a sandbox escape leading to arbitrary JavaScript execution on the dojo's origin. A challenge author can craft a page that executes any dangerous actions that the user could. Version e33da14449a5abcff507e5 ... |
| CVE-2026-1705 | | | 2026-02-04 | 3.3 LOW | 2.4 LOW | A vulnerability was detected in D-Link DSL-6641K N8.TR069.20131126. Affected by this issue is the function ad_virtual_server_vdsl of the component Web Interface. Manipulation of the argument Name results in cross-site scripting. It is possible to initiate the attack remotely. The exploit is now public and may be used. |