Export limit exceeded: 329779 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (43087 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-41347 | 1 Jpatokal | 1 Openflights | 2026-01-26 | 6.1 Medium |
| openflights commit 5234b5b is vulnerable to Cross-Site Scripting (XSS) via php/settings.php | ||||
| CVE-2024-41346 | 1 Jpatokal | 1 Openflights | 2026-01-26 | 6.1 Medium |
| openflights commit 5234b5b is vulnerable to Cross-Site Scripting (XSS) via php/submit.php | ||||
| CVE-2025-8460 | 1 Centreon | 2 Centreon, Open Tickets | 2026-01-26 | 6.8 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Notification rules, Open tickets module) allows Stored XSS by users with elevated privileges.This issue affects Infra Monitoring: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.5, from 23.10.0 before 23.10.4. | ||||
| CVE-2024-54123 | 1 Backdropcms | 1 Backdrop | 2026-01-26 | 6.1 Medium |
| Backdrop CMS before 1.28.4 and 1.29.x before 1.29.2 allows XSS via an SVG document, if the SVG tag is allowed for a text format. | ||||
| CVE-2025-12836 | 2 Vektor, Wordpress | 2 Vk Google Job Posting Manager, Wordpress | 2026-01-26 | 6.4 Medium |
| The VK Google Job Posting Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Job Description field in versions up to, and including, 1.2.20 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with author-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-1095 | 2 Cantothemes, Wordpress | 2 Canto Testimonials, Wordpress | 2026-01-26 | 6.4 Medium |
| The Canto Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fx' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-1084 | 1 Wordpress | 1 Wordpress | 2026-01-26 | 4.4 Medium |
| The Cookie consent for developers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple settings fields in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2025-14941 | 1 Wordpress | 1 Wordpress | 2026-01-26 | 6.4 Medium |
| The GZSEO plugin for WordPress is vulnerable to authorization bypass leading to Stored Cross-Site Scripting in all versions up to, and including, 2.0.11. This is due to missing capability checks on multiple AJAX handlers combined with insufficient input sanitization and output escaping on the embed_code parameter. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary content into any post on the site that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-0862 | 2 Pdfcrowd, Wordpress | 3 Save As Pdf, Save As Pdf Plugin, Wordpress | 2026-01-26 | 6.1 Medium |
| The Save as PDF Plugin by PDFCrowd plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘options’ parameter in all versions up to, and including, 4.5.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. NOTE: Successful exploitation of this vulnerability requires that the PDFCrowd API key is blank (also known as "demo mode", which is the default configuration when the plugin is installed) or known. | ||||
| CVE-2025-24752 | 2 Wordpress, Wpdeveloper | 2 Wordpress, Essential Addons For Elementor | 2026-01-26 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper Essential Addons for Elementor allows Reflected XSS. This issue affects Essential Addons for Elementor: from n/a through 6.0.14. | ||||
| CVE-2024-57277 | 2026-01-26 | 5.7 Medium | ||
| InnoShop V.0.3.8 and below is vulnerable to Cross Site Scripting (XSS) via SVG file upload. | ||||
| CVE-2024-41345 | 1 Jpatokal | 1 Openflights | 2026-01-26 | 6.1 Medium |
| openflights commit 5234b5b is vulnerable to Cross-Site Scripting (XSS) via php/trip.php | ||||
| CVE-2026-23528 | 1 Dask | 1 Distributed | 2026-01-26 | N/A |
| Dask distributed is a distributed task scheduler for Dask. Prior to 2026.1.0, when Jupyter Lab, jupyter-server-proxy, and Dask distributed are all run together, it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-side-scripting (XSS) bug in the Dask dashboard. It is possible for attackers to craft a phishing URL that assumes Jupyter Lab and Dask may be running on localhost and using default ports. If a user clicks on the malicious link it will open an error page in the Dask Dashboard via the Jupyter Lab proxy which will cause code to be executed by the default Jupyter Python kernel. This vulnerability is fixed in 2026.1.0. | ||||
| CVE-2021-47835 | 1 Freeter | 1 Freeter | 2026-01-26 | 7.2 High |
| Freeter 1.2.1 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads in custom widget titles and files. Attackers can craft malicious files with embedded scripts that execute when victims interact with the application, potentially enabling remote code execution. | ||||
| CVE-2021-47841 | 1 Gurayyarar | 1 Snipcommand | 2026-01-26 | 6.1 Medium |
| SnipCommand 0.1.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious payloads into command snippets. Attackers can execute arbitrary code by embedding malicious JavaScript that triggers remote command execution through file or title inputs. | ||||
| CVE-2021-47840 | 1 Moeditor | 1 Moeditor | 2026-01-26 | 7.2 High |
| Moeditor 0.2.0 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads within markdown files. Attackers can upload specially crafted markdown files with embedded JavaScript that execute when opened, potentially enabling remote code execution on the victim's system. | ||||
| CVE-2021-47842 | 1 Jotron | 1 Studymd | 2026-01-26 | 7.2 High |
| StudyMD 0.3.2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into markdown files. Attackers can upload crafted markdown files with embedded JavaScript payloads that execute when the file is opened, potentially enabling remote code execution. | ||||
| CVE-2025-31510 | 1 Lemonldap-ng | 1 Lemonldap::ng | 2026-01-26 | 7.2 High |
| In the portal in LemonLDAP::NG before 2.21.0, cross-site scripting (XSS) allows remote attackers to inject arbitrary web script or HTML (into the login page) via the tab parameter, for Choice authentication. | ||||
| CVE-2021-47838 | 1 Dvcrn | 1 Markright | 2026-01-26 | 7.2 High |
| Markright 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to embed malicious payloads in markdown files. Attackers can upload specially crafted markdown files that execute arbitrary JavaScript when opened, potentially enabling remote code execution on the victim's system. | ||||
| CVE-2021-47836 | 1 Jersou | 1 Markdown Explorer | 2026-01-26 | 6.1 Medium |
| Markdown Explorer 0.1.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through file uploads and editor inputs. Attackers can upload markdown files with embedded JavaScript payloads to execute remote commands and potentially gain system access. | ||||