Export limit exceeded: 348761 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (45735 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-27963 | 2 Advplyr, Audiobookshelf | 2 Audiobookshelf, Audiobookshelf | 2026-04-17 | 4.8 Medium |
| Audiobookshelf is a self-hosted audiobook and podcast server. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.32.0 of the Audiobookshelf web application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modification privileges can execute code in victim users' browsers, potentially leading to session hijacking and data exfiltration. Version 2.32.0 contains a patch for the issue. | ||||
| CVE-2026-27974 | 2 Advplyr, Audiobookshelf | 2 Audiobookshelf, Audiobookshelf Mobile App | 2026-04-17 | 4.8 Medium |
| Audiobookshelf is a self-hosted audiobook and podcast server. A cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modification privileges (or control over a malicious podcast RSS feed) can execute code in victim users' WebViews, potentially leading to session hijacking, data exfiltration, and unauthorized access to native device APIs. audiobookshelf-app version 0.12.0-beta fixes the issue. | ||||
| CVE-2026-1696 | 2 Arcinfo, Arcinformatique | 2 Pcvue, Pcvue | 2026-04-17 | 6.1 Medium |
| Some HTTP security headers are not properly set by the web server when sending responses to the client application. | ||||
| CVE-2026-2680 | 2 A3factura, Wolterskluwer | 2 A3factura, A3factura | 2026-04-17 | 6.1 Medium |
| Reflected Cross-Site Scripting (XSS) on the A3factura web platform, in parameter 'customerVATNumber', in 'a3factura-app.wolterskluwer.es/#/incomes/salesDeliveryNotes' endpoint, which could allow an attacker to execute arbitrary code in the victim's browser. | ||||
| CVE-2026-27154 | 1 Discourse | 1 Discourse | 2026-04-17 | 6.1 Medium |
| Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, a user full name can be evaluated as raw HTML when the following settings are set: `display_name_on_posts` => true; and `prioritize_username_in_ux` => false. Editing a post of a malicious user would trigger an XSS. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available. | ||||
| CVE-2026-1434 | 2 Politechnika Warszawska, Pw | 2 Omega-psir, Omega-psir | 2026-04-17 | 6.1 Medium |
| Omega-PSIR is vulnerable to Reflected XSS via the lang parameter. An attacker can craft a malicious URL that, when opened, causes arbitrary JavaScript to execute in the victim’s browser. This issue was fixed in 4.6.7. | ||||
| CVE-2026-24350 | 1 Pluxml | 1 Pluxml | 2026-04-17 | 5.4 Medium |
| PluXml CMS is vulnerable to Stored XSS in file uploading functionality. An authenticated attacker can upload an SVG file containing a malicious payload, which will be executed when a victim clicks the link associated with the uploaded image. In version 5.9.0-rc7 clicking the link associated with the uploaded image doesn't execute malicious code but directly accessing the file will still execute the embedded payload. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | ||||
| CVE-2026-24351 | 1 Pluxml | 1 Pluxml | 2026-04-17 | 5.4 Medium |
| PluXml CMS is vulnerable to Stored XSS in Static Pages editing functionality. Attacker with editing privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | ||||
| CVE-2026-27756 | 3 Shenzhen Hongyavision Technology Co, Sodola-network, Sodolanetworks | 4 Sodola Sl902-swtgw124as, Sl902-swtgw124as, Sl902-swtgw124as Firmware and 1 more | 2026-04-17 | 6.1 Medium |
| SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a reflected cross-site scripting vulnerability in the management interface where user input is not properly encoded before output. Attackers can craft malicious URLs that execute arbitrary JavaScript in the web interface when visited by authenticated users. | ||||
| CVE-2026-28338 | 2 Pmd, Pmd Project | 2 Pmd, Pmd | 2026-04-17 | 6.8 Medium |
| PMD is an extensible multilanguage static code analyzer. Prior to version 7.22.0, PMD's `vbhtml` and `yahtml` report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated HTML report contains executable JavaScript that runs when opened in a browser. Practical impact is limited because `vbhtml` and `yahtml` are legacy formats rarely used in practice. The default `html` format is properly escaped and not affected. Version 7.22.0 contains a fix for the issue. | ||||
| CVE-2026-28558 | 2 Gvectors, Wordpress | 2 Wpforo Forum, Wordpress | 2026-04-17 | 6.4 Medium |
| wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows authenticated subscribers to upload SVG files as profile avatars through the avatar upload functionality. Attackers upload a crafted SVG containing CSS injection or JavaScript event handlers that execute in the browsers of any user who views the attacker's profile page. | ||||
| CVE-2026-28561 | 2 Gvectors, Wordpress | 2 Wpforo Forum, Wordpress | 2026-04-17 | 5.5 Medium |
| wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows administrators to inject persistent JavaScript via forum description fields echoed without output escaping across multiple theme template files. On multisite installations or with a compromised admin account, attackers set a forum description containing HTML event handlers that execute when any user views the forum listing. | ||||
| CVE-2026-3402 | 1 Phpgurukul | 2 Student Record Management System, Student Record System | 2026-04-17 | 2.4 Low |
| A security vulnerability has been detected in PHPGurukul Student Record Management System up to 1.0. This vulnerability affects unknown code of the file /edit-course.php. Such manipulation of the argument Course Short Name leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2026-28397 | 1 Nocodb | 1 Nocodb | 2026-04-17 | 5.4 Medium |
| NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, comments rendered via v-html without sanitization enable stored XSS. This issue has been patched in version 0.301.3. | ||||
| CVE-2026-3455 | 1 Nodemailer | 1 Mailparser | 2026-04-17 | 6.1 Medium |
| Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml() function due to the improper sanitisation of URLs in the email content. An attacker can execute arbitrary scripts in victim browsers by adding extra quote " to the URL with embedded malicious JavaScript code. | ||||
| CVE-2026-24415 | 1 Devcode | 1 Openstamanager | 2026-04-17 | 6.1 Medium |
| OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contains Reflected XSS vulnerabilities in invoice/order/contract modification modals. The application fails to properly sanitize user-supplied input from the righe GET parameter before reflecting it in HTML output.The $_GET['righe'] parameter is directly echoed into the HTML value attribute without any sanitization using htmlspecialchars() or equivalent functions. This allows an attacker to break out of the attribute context and inject arbitrary HTML/JavaScript. | ||||
| CVE-2026-26272 | 1 Sysadminsmedia | 1 Homebox | 2026-04-17 | 4.6 Medium |
| HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, a stored cross-site scripting (XSS) vulnerability exists in the item attachment upload functionality. The application does not properly validate or restrict uploaded file types, allowing an authenticated user to upload malicious HTML or SVG files containing executable JavaScript (also, potentially other formats that render scripts). Uploaded attachments are accessible via direct links. When a user accesses such a file in their browser, the embedded JavaScript executes in the context of the application's origin. This vulnerability is fixed in 0.24.0-rc.1. | ||||
| CVE-2026-3242 | 1 Concretecms | 1 Concrete Cms | 2026-04-17 | 4.8 Medium |
| In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3dium for reporting. | ||||
| CVE-2026-3240 | 1 Concretecms | 1 Concrete Cms | 2026-04-17 | 4.8 Medium |
| In Concrete CMS below version 9.4.8, a user with permission to edit a page with element Legacy form can perform a stored XSS attack towards high-privilege accounts via the Question field. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Thanks minhnn42, namdi and quanlna2 from VCSLab-Viettel Cyber Security for reporting. | ||||
| CVE-2026-28776 | 2 Datacast, International Datacasting Corporation (idc) | 3 Sfx2100, Sfx2100 Firmware, Idc Sfx2100 Superflex Satellite Receiver | 2026-04-17 | 9.8 Critical |
| International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteReceiver contains hardcoded credentials for the `monitor` account. A remote unauthenticated attacker can use these trivial, undocumented credentials to access the system via SSH. While initially dropped into a restricted shell, the attacker can trivially break out to achieve standard shell functionality. | ||||