Export limit exceeded: 349417 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 349417 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (45790 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-27162 | 1 Toshibatec | 50 E-studio-2010-ac, E-studio-2015-nc, E-studio-2018 A and 47 more | 2026-04-15 | 6.1 Medium |
| Toshiba printers provide a web interface that will load the JavaScript file. The file contains insecure codes vulnerable to XSS and is loaded inside all the webpages provided by the printer. An attacker can steal the cookie of an admin user. As for the affected products/models/versions, see the reference URL. | ||||
| CVE-2023-53735 | 1 Webigniter | 1 Webigniter | 2026-04-15 | N/A |
| WEBIGniter 28.7.23 contains a cross-site scripting vulnerability in the user creation process that allows unauthenticated attackers to execute malicious JavaScript code, enabling potential XSS attacks. | ||||
| CVE-2024-9873 | 2026-04-15 | 5.4 Medium | ||
| The Community by PeepSo – Social Network, Membership, Registration, User Profiles, Premium – Mobile App plugin for WordPress is vulnerable to Stored Cross-Site Scripting via URLs in posts, comments, and profiles when Markdown support is enabled in all versions up to, and including, 6.4.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-1420 | 2026-04-15 | N/A | ||
| Input provided in a field containing "activationMessage" in Konsola Proget is not sanitized correctly, allowing a high-privileged user to perform a Stored Cross-Site Scripting attack. This issue has been fixed in 2.17.5 version of Konsola Proget (server part of the MDM suite). | ||||
| CVE-2024-27489 | 1 Weimengcms | 1 Wmcms | 2026-04-15 | 7.5 High |
| An issue in the DelFile() function of WMCMS v4.4 allows attackers to delete arbitrary files via a crafted POST request. | ||||
| CVE-2025-1419 | 2026-04-15 | N/A | ||
| Input provided in comment section of Konsola Proget is not sanitized correctly, allowing a high-privileged user to perform a Stored Cross-Site Scripting attack. This issue has been fixed in 2.17.5 version of Konsola Proget (server part of the MDM suite). | ||||
| CVE-2025-11937 | 1 Mediawiki | 1 Mediawiki | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - SecurePoll Extension allows Stored XSS.This issue affects Mediawiki - SecurePoll Extension: master. | ||||
| CVE-2024-9938 | 2026-04-15 | 6.1 Medium | ||
| The Bounce Handler MailPoet 3 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.3.21 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-36496 | 1 Faronics | 1 Winselect | 2026-04-15 | 7.5 High |
| The configuration file is encrypted with a static key derived from a static five-character password which allows an attacker to decrypt this file. The application hashes this five-character password with the outdated and broken MD5 algorithm (no salt) and uses the first five bytes as the key for RC4. The configuration file is then encrypted with these parameters. | ||||
| CVE-2023-28120 | 1 Redhat | 1 Logging | 2026-04-15 | 5.3 Medium |
| There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input. | ||||
| CVE-2024-11683 | 2026-04-15 | 6.1 Medium | ||
| The Newsletter Subscriptions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'token_type' parameter in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-55054 | 2026-04-15 | 6.1 Medium | ||
| CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') | ||||
| CVE-2024-33007 | 1 Sap Se | 1 Sapui5 | 2026-04-15 | 3.5 Low |
| PDFViewer is a control delivered as part of SAPUI5 product which shows the PDF content in an embedded mode by default. If a PDF document contains embedded JavaScript (or any harmful client-side script), the PDFViewer will execute the JavaScript embedded in the PDF which can cause a potential security threat. | ||||
| CVE-2024-37620 | 2026-04-15 | 6.1 Medium | ||
| PHPVOD v4.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the id parameter at /view/admin/view.php. | ||||
| CVE-2024-32988 | 2026-04-15 | 7.5 High | ||
| 'OfferBox' App for Android versions 2.0.0 to 2.3.17 and 'OfferBox' App for iOS versions 2.1.7 to 2.6.14 use a hard-coded secret key for JWT. Secret key for JWT may be retrieved if the application binary is reverse-engineered. | ||||
| CVE-2023-6198 | 2026-04-15 | 9.3 Critical | ||
| Use of Hard-coded Credentials vulnerability in Baicells Snap Router BaiCE_BMI on EP3011 (User Passwords modules) allows unauthorized access to the device. | ||||
| CVE-2024-12221 | 2026-04-15 | 6.1 Medium | ||
| The Turnkey bbPress by WeaverTheme plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘_wpnonce’ parameter in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-13597 | 2026-04-15 | N/A | ||
| Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to Reflected XSS (Cross-site Scripting) attacks. An attacker might trick a user into filling a form sent to login panel at /softcom/ with a malicious script, what causes the script to run in user's context. This vulnerability has been patched in version 79.0 | ||||
| CVE-2024-37828 | 1 Vermeg | 1 Agile Reporter | 2026-04-15 | 4.8 Medium |
| A stored cross-site scripting (XSS) in Vermeg Agile Reporter v23.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Message field under the Set Broadcast Message module. | ||||
| CVE-2024-4174 | 2026-04-15 | 5.4 Medium | ||
| Cross-Site Scripting (XSS) vulnerability in Hyperion Web Server affecting version 2.0.15. This vulnerability could allow an attacker to execute malicious Javascript code on the client by injecting that code into the URL. | ||||