Total: 42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2024-37920 | 1 Reputeinfosystems | 1 Arforms Form Builder | 2026-01-23 | N/A | 7.1 HIGH | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Repute InfoSystems ARForms Form Builder allows Reflected XSS. This issue affects ARForms Form Builder: from n/a through 1.6.7. |
| CVE-2024-38712 | 1 Qodeinteractive | 1 Qi Blocks | 2026-01-23 | N/A | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Qode Interactive Qi Blocks allows Stored XSS. This issue affects Qi Blocks: from n/a through 1.3. |
| CVE-2025-59978 | 1 Juniper | 1 Junos Space | 2026-01-23 | N/A | 9.0 CRITICAL | An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juniper Networks Junos Space allows an attacker to store script tags directly in web pages that, when viewed by another user, enable the attacker to execute commands with the target's administrative permissions. This issue affects all versions of Junos Space before 24.1R4. |
| CVE-2025-59981 | 1 Juniper | 1 Junos Space | 2026-01-23 | N/A | 6.1 MEDIUM | An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the Device Template Definition page that, when visited by another user, enables the attacker to execute commands with the target's permissions, including an administrator. This issue affects all versions of Junos Space before 24.1R4. |
| CVE-2025-59982 | 1 Juniper | 1 Junos Space | 2026-01-23 | N/A | 6.1 MEDIUM | An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the dashboard search field that, when visited by another user, enables the attacker to execute commands with the target's permissions, including an administrator. This issue affects all versions of Junos Space before 24.1R4. |
| CVE-2025-67823 | 1 Mitel | 2 Cx, Micontact Center Business | 2026-01-23 | N/A | 8.2 HIGH | A vulnerability in the Multimedia Email component of Mitel MiContact Center Business through 10.2.0.10 and Mitel CX through 1.1.0.1 could allow an unauthenticated attacker to conduct a Cross-Site Scripting (XSS) attack due to insufficient input validation. A successful exploit requires user interaction where the email channel is enabled. This could allow an attacker to execute arbitrary scripts in the victim's browser or desktop client application. |
| CVE-2024-43161 | 1 Averta | 1 Depicter Slider | 2026-01-23 | N/A | 5.9 MEDIUM | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Averta Depicter Slider allows Stored XSS. This issue affects Depicter Slider: from n/a through 3.1.2. |
| CVE-2024-47381 | 1 Averta | 1 Depicter Slider | 2026-01-23 | N/A | 5.9 MEDIUM | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Averta Depicter Slider allows Stored XSS. This issue affects Depicter Slider: from n/a through 3.2.2. |
| CVE-2026-1008 | 1 Altium | 1 Altium Live | 2026-01-23 | N/A | 7.6 HIGH | A stored cross-site scripting (XSS) vulnerability exists in the user profile text fields of Altium 365. Insufficient server-side input sanitization allows authenticated users to inject arbitrary HTML and JavaScript payloads using whitespace-based attribute parsing bypass techniques. The injected payload is persisted and executed when other users view the affected profile page, potentially allowing session token theft, phishing attacks, or malicious redirects. Exploitation requires an authenticat ... |
| CVE-2020-25761 | 1 Projectworlds | 1 Visitor Management System | 2026-01-23 | 4.3 MEDIUM | 6.1 MEDIUM | Projectworlds Visitor Management System in PHP 1.0 allows XSS. The file myform.php does not perform input validation on the request parameters. An attacker can inject JavaScript payloads in the parameters to perform various attacks such as stealing of cookies, sensitive information, etc. |
| CVE-2026-1009 | 1 Altium | 1 Altium Live | 2026-01-23 | N/A | 9.0 CRITICAL | A stored cross-site scripting (XSS) vulnerability exists in the Altium Forum due to missing server-side input sanitization in forum post content. An authenticated attacker can inject arbitrary JavaScript into forum posts, which is stored and executed when other users view the affected post. Successful exploitation allows the attacker’s payload to execute in the context of the victim’s authenticated Altium 365 session, enabling unauthorized access to workspace data, including design files and wor ... |
| CVE-2026-1010 | 1 Altium | 1 On-prem Enterprise Server | 2026-01-23 | N/A | 8.0 HIGH | A stored cross-site scripting (XSS) vulnerability exists in the Altium Workflow Engine due to missing server-side input sanitization in workflow form submission APIs. A regular authenticated user can inject arbitrary JavaScript into workflow data. When an administrator views the affected workflow, the injected payload executes in the administrator’s browser context, allowing privilege escalation, including creation of new administrator accounts, session token theft, and execution of administrat ... |
| CVE-2017-18536 | 1 Fullworksplugins | 1 Stop User Enumeration | 2026-01-23 | 4.3 MEDIUM | 6.1 MEDIUM | The stop-user-enumeration plugin before 1.3.8 for WordPress has XSS. |
| CVE-2025-15265 | 1 Svelte | 1 Svelte | 2026-01-23 | N/A | 6.1 MEDIUM | An SSR XSS exists in async hydration when attacker-controlled keys are passed to `hydratable`. The key is embedded inside a `<script>` block without HTML-safe escaping, allowing `</script>` to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users' browsers, with potential for session theft and account compromise. This issue affects Svelte: from 5.46.0 before 5.46.3. |
| CVE-2025-65349 | 1 Eachitaly | 2 Wireless Mini Router Wireless-n 300m, Wireless Mini Router Wireless-n 300m Firmware | 2026-01-23 | N/A | 5.4 MEDIUM | A Stored Cross-Site Scripting (XSS) vulnerability in the web management interface of Each Italy Wireless Mini Router WIRELESS-N 300M v28K.MiniRouter.20190211 allows attackers to execute arbitrary scripts via a crafted payload, due to an unsanitized repeater AP SSID value when it is displayed in any page at /index.htm. |
| CVE-2025-25063 | 1 Backdropcms | 1 Backdrop Cms | 2026-01-23 | N/A | 4.4 MEDIUM | An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It does not sufficiently validate uploaded SVG images to ensure they do not contain potentially dangerous SVG tags. SVG images can contain clickable links and executable scripting, and using a crafted SVG, it is possible to execute scripting in the browser when an SVG image is viewed. This issue is mitigated by the attacker needing to be able to upload SVG images, and that Backdrop embeds all uploaded SVG ... |
| CVE-2025-25062 | 1 Backdropcms | 1 Backdrop Cms | 2026-01-23 | N/A | 4.4 MEDIUM | An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It doesn't sufficiently isolate long text content when the CKEditor 5 rich text editor is used. This allows a potential attacker to craft specialized HTML and JavaScript that may be executed when an administrator attempts to edit a piece of content. This vulnerability is mitigated by the fact that an attacker must have the ability to create long text content (such as through the node or comment forms) and ... |
| CVE-2026-22919 | 1 Sick | 2 Tdc-x401gl, Tdc-x401gl Firmware | 2026-01-23 | N/A | 3.8 LOW | An attacker with administrative access may inject malicious content into the login page, potentially enabling cross-site scripting (XSS) attacks, leading to the extraction of sensitive data. |
| CVE-2024-50376 | 1 Advantech | 6 Eki-6333ac-1gpo, Eki-6333ac-1gpo Firmware, Eki-6333ac-2g and 3 more | 2026-01-23 | N/A | 7.3 HIGH | A CWE-79 "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The vulnerability can be exploited remotely leveraging a rogue Wi-Fi access point with a malicious SSID. |
| CVE-2026-23769 | 1 Naver | 1 Lucy-xss-filter | 2026-01-23 | N/A | 6.1 MEDIUM | lucy-xss-filter before commit e5826c0 allows an attacker to execute malicious JavaScript due to improper sanitization caused by misconfigured default superset rule files. |
| CVE-2026-22913 | 1 Sick | 2 Tdc-x401gl, Tdc-x401gl Firmware | 2026-01-23 | N/A | 4.3 MEDIUM | Improper handling of a URL parameter may allow attackers to execute code in a user's browser after login. This can lead to the extraction of sensitive data. |
| CVE-2025-63644 | 1 Ph7builder | 1 Ph7 Social Dating Builder | 2026-01-23 | N/A | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability exists in pH7Software pH7-Social-Dating-CMS 17.9.1 in the user profile Description field. |
| CVE-2025-14556 | 1 Flag Module Project | 1 Flag | 2026-01-23 | N/A | 5.4 MEDIUM | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Flag allows Cross-Site Scripting (XSS). This issue affects Flag: from 7.X-3.0 through 7.X-3.9. |
| CVE-2025-14557 | 1 Facebook Pixel Project | 1 Facebook Pixel | 2026-01-23 | N/A | 4.8 MEDIUM | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Facebook Pixel facebook_pixel allows Stored XSS. This issue affects Facebook Pixel: from 7.X-1.0 through 7.X-1.1. |
| CVE-2021-24713 | 1 Cminds | 2 Video Lessons Manager, Video Lessons Manager Pro | 2026-01-23 | 3.5 LOW | 4.8 MEDIUM | The Video Lessons Manager WordPress plugin before 1.7.2 and Video Lessons Manager Pro WordPress plugin before 3.5.9 do not properly sanitize and escape values when updating their settings, which could allow high privilege users to perform Cross-Site Scripting attacks. |
| CVE-2023-31228 | 1 Cminds | 1 Cm Search And Replace | 2026-01-23 | N/A | 5.9 MEDIUM | Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in CreativeMindsSolutions CM On Demand Search And Replace plugin <= 1.3.0 versions. |
| CVE-2023-53890 | 1 Grabaperch | 1 Perch | 2026-01-23 | N/A | 5.4 MEDIUM | Perch CMS 3.2 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can craft SVG files with script tags that execute when the file is viewed, potentially stealing user session information or performing client-side attacks. |
| CVE-2024-24115 | 1 Cotonti | 1 Cotonti Siena | 2026-01-23 | N/A | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability in the Edit Page function of Cotonti CMS v0.9.24 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2025-57883 | 1 Groupsession | 1 Groupsession | 2026-01-23 | N/A | 6.1 MEDIUM | Reflected cross-site scripting vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. If a user accesses a crafted page or URL, an arbitrary script may be executed on the web browser of the user. |
| CVE-2025-58025 | 1 Averta | 1 Master Slider | 2026-01-23 | N/A | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in averta Master Slider allows Stored XSS. This issue affects Master Slider: from n/a through 3.11.0. |
| CVE-2025-58234 | 1 Joomsky | 1 Js Job Manager | 2026-01-23 | N/A | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in JoomSky JS Job Manager allows Stored XSS. This issue affects JS Job Manager: from n/a through 2.0.2. |
| CVE-2025-64217 | 1 Themegoods | 1 Photography | 2026-01-22 | N/A | 7.1 HIGH | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Photography photography allows Reflected XSS. This issue affects Photography: from n/a through <= 7.7.2. |
| CVE-2025-66939 | 1 Altumcode | 1 66biolinks | 2026-01-22 | N/A | 5.4 MEDIUM | Cross Site Scripting vulnerability in 66biolinks by AltumCode v.61.0.1 allows an attacker to execute arbitrary code via a crafted favicon file. |
| CVE-2025-67922 | 1 Themegoods | 1 Grand Restaurant | 2026-01-22 | N/A | 6.1 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Restaurant grandrestaurant allows Reflected XSS. This issue affects Grand Restaurant: from n/a through < 7.0.9. |
| CVE-2025-47777 | 1 5ire | 1 5ire | 2026-01-22 | N/A | 9.6 CRITICAL | 5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Versions prior to 0.11.1 are vulnerable to stored cross-site scripting in chatbot responses due to insufficient sanitization. This, in turn, can lead to Remote Code Execution (RCE) via unsafe Electron protocol handling and exposed Electron APIs. All users of 5ire client versions prior to patched releases, particularly those interacting with untrusted chatbots or pasting external content, are aff ... |
| CVE-2021-47750 | 1 Youphptube | 1 Youphptube | 2026-01-22 | N/A | 6.1 MEDIUM | YouPHPTube <= 7.8 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the redirectUri parameter in the signup page. Attackers can craft special signup URLs with embedded script tags to execute arbitrary JavaScript in victims' browsers when they access the signup page. |
| CVE-2025-58357 | 1 5ire | 1 5ire | 2026-01-22 | N/A | 9.6 CRITICAL | 5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Version 0.13.2 contains a vulnerability in the chat page's script gadgets that enables content injection attacks through multiple vectors: malicious prompt injection pages, compromised MCP servers, and exploited tool integrations. This is fixed in version 0.14.0. |
| CVE-2025-62969 | 1 Xlplugins | 1 Nextmove | 2026-01-22 | N/A | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite allows Stored XSS. This issue affects NextMove Lite: from n/a through <= 2.21.0. |
| CVE-2024-32702 | 1 Reputeinfosystems | 1 Arforms | 2026-01-22 | N/A | 7.1 HIGH | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Repute info systems ARForms allows Reflected XSS. This issue affects ARForms: from n/a through 6.4. |
| CVE-2025-10180 | | | 2026-01-22 | N/A | 6.4 MEDIUM | The Markdown Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'markdown' shortcode in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |