Export limit exceeded: 42592 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (42592 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-21663 | 2 Aquaplatform, Revive | 2 Revive Adserver, Adserver | 2026-02-03 | N/A |
| HackerOne community member Patrick Lang (7yr) has reported a reflected XSS vulnerability in the banner-acl.php script of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed. | ||||
| CVE-2026-21664 | 2 Aquaplatform, Revive | 2 Revive Adserver, Adserver | 2026-02-03 | N/A |
| HackerOne community member Huynh Pham Thanh Luc (nigh7c0r3) has reported a reflected XSS vulnerability in the afr.php delivery script of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed. | ||||
| CVE-2023-54341 | 2 Jokkedk, Webgrind Project | 2 Webgrind, Webgrind | 2026-02-03 | 6.1 Medium |
| Webgrind 1.1 and before contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts via the file parameter in index.php. The application does not sufficiently encode user-controlled inputs, allowing attackers to execute arbitrary JavaScript in victim's browsers by crafting malicious URLs. | ||||
| CVE-2024-56156 | 1 Halo | 1 Halo | 2026-02-03 | 9.0 Critical |
| Halo is an open source website building tool. Prior to version 2.20.13, a vulnerability in Halo allows attackers to bypass file type validation controls. This bypass enables the upload of malicious files including executables and HTML files, which can lead to stored cross-site scripting attacks and potential remote code execution under certain circumstances. This issue has been patched in version 2.20.13. | ||||
| CVE-2025-59902 | 1 Nice | 1 Nice Chat | 2026-02-03 | N/A |
| HTML injection vulnerability in NICE Chat. This vulnerability allows an attacker to inject and render arbitrary HTML content in email transcripts by modifying the 'firstName' and 'lastName' parameters during a chat session. The injected HTML is included in the body of the email sent by the system, which could enable phishing attacks, impersonation, or credential theft. | ||||
| CVE-2025-14554 | 1 Wordpress | 1 Wordpress | 2026-02-03 | 7.2 High |
| The Sell BTC - Cryptocurrency Selling Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'orderform_data' AJAX action in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in order records that will execute whenever an administrator accesses the Orders page in the admin dashboard. The vulnerability was partially patched in version 1.5. | ||||
| CVE-2022-50797 | 2 Halfdata, Wordpress | 2 Stripe Green Downloads, Wordpress | 2026-02-03 | 6.4 Medium |
| Stripe Green Downloads Wordpress Plugin 2.03 contains a persistent cross-site scripting vulnerability allowing remote attackers to inject malicious scripts in button label fields. Attackers can exploit input parameters to execute arbitrary scripts, potentially leading to session hijacking and application module manipulation. | ||||
| CVE-2022-50951 | 1 Smarterdroid | 1 Wifi File Transfer | 2026-02-03 | 6.4 Medium |
| WiFi File Transfer 1.0.8 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through file and folder names. Attackers can exploit the web server's input validation weakness to execute arbitrary JavaScript when users preview infected file paths, potentially compromising user browser sessions. | ||||
| CVE-2022-50952 | 1 Banco De Guayaquil | 1 Banco Guayaquil | 2026-02-03 | 6.4 Medium |
| Banco Guayaquil 8.0.0 mobile iOS application contains a persistent cross-site scripting vulnerability in the TextBox Name Profile input. Attackers can inject malicious script code through a POST request that executes on application review without user interaction. | ||||
| CVE-2023-54343 | 1 Qwe Labs | 1 Qwe Dl | 2026-02-03 | 6.4 Medium |
| QWE DL 2.0.1 mobile web application contains a persistent input validation vulnerability allowing remote attackers to inject malicious script code through path parameter manipulation. Attackers can exploit the vulnerability to execute persistent cross-site scripting attacks, potentially leading to session hijacking and application module manipulation. | ||||
| CVE-2021-47920 | 1 Webmo | 1 Job Manager | 2026-02-03 | 5.4 Medium |
| WebMO Job Manager 20.0 contains a cross-site scripting vulnerability in search parameters that allows remote attackers to inject malicious script code. Attackers can exploit the filterSearch and filterSearchType parameters to perform non-persistent attacks including session hijacking and external redirects. | ||||
| CVE-2021-47856 | 1 Netart Media | 1 Easy Cart Shopping Cart | 2026-02-03 | 6.4 Medium |
| Easy Cart Shopping Cart 2021 contains a non-persistent cross-site scripting vulnerability in the search module's keyword parameter. Remote attackers can inject malicious script code through the search input to compromise user sessions and manipulate application content. | ||||
| CVE-2021-47885 | 2 Authorize.net, Criticalgears | 3 Payment Terminal, Paypal Pro Payment Terminal, Stripe Payment Terminal | 2026-02-03 | 6.4 Medium |
| Multiple payment terminal versions contain non-persistent cross-site scripting vulnerabilities in billing and payment information input fields. Attackers can inject malicious script code through vulnerable parameters to manipulate client-side requests and potentially execute session hijacking or phishing attacks. | ||||
| CVE-2021-47908 | 1 Thewebfosters | 1 Ultimate Pos | 2026-02-03 | 6.4 Medium |
| Ultimate POS 4.4 contains a persistent cross-site scripting vulnerability in the product name parameter that allows remote attackers to inject malicious scripts. Attackers can exploit the vulnerability through product add or edit functions to execute arbitrary JavaScript and potentially hijack user sessions. | ||||
| CVE-2025-13983 | 2 Drupal, Factorial | 2 Tagify, Tagify | 2026-02-03 | 5.4 Medium |
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).This issue affects Tagify: from 0.0.0 before 1.2.44. | ||||
| CVE-2026-21855 | 1 Tarkov | 1 Tarkov Data Manager | 2026-02-03 | 9.3 Critical |
| The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to 02 January 2025, a reflected Cross Site Scripting (XSS) vulnerability in the toast notification system allows any attacker to execute arbitrary JavaScript in the context of a victim's browser session by crafting a malicious URL. A series of fix commits on 02 January 2025 fixed this and other vulnerabilities. | ||||
| CVE-2025-71177 | 1 Lavalite | 2 Lavalite, Lavalite Cms | 2026-02-03 | 5.4 Medium |
| LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without proper output encoding in package search results. When other users view search results that include the malicious package, the injected script executes in their browsers, potentially enabling session hijacking, credential theft, and unauthorized actions in the context of the victim. | ||||
| CVE-2026-23839 | 1 Leepeuker | 1 Movary | 2026-02-03 | 9.3 Critical |
| Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryUpdated=`. Version 0.70.0 fixes the issue. | ||||
| CVE-2026-23840 | 1 Leepeuker | 1 Movary | 2026-02-03 | 9.3 Critical |
| Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryDeleted=`. Version 0.70.0 fixes the issue. | ||||
| CVE-2026-23625 | 1 Openproject | 1 Openproject | 2026-02-02 | 8.7 High |
| OpenProject is an open-source, web-based project management software. Versions 16.3.0 through 16.6.4 are affected by a stored cross-site scripting vulnerability in the Roadmap view. OpenProject’s roadmap view renders the “Related work packages” list for each version. When a version contains work packages from a different project (e.g., a subproject), the helper link_to_work_package prepends package.project.to_s to the link and returns the entire string with .html_safe. Because project names are user-controlled and no escaping happens before calling html_safe, any HTML placed in a subproject name is injected verbatim into the page. The underlying issue is mitigated in versions 16.6.5 and 17.0.0 by setting a `X-Content-Type-Options: nosniff` header, which was in place until a refactoring move to Rails standard content-security policy, which did not properly apply this header in the new configuration since OpenProject 16.3.0. Those who cannot upgrade their installations should ensure that they add a X-Content-Type-Options: nosniff header in their proxying web application server. | ||||