Export limit exceeded: 352216 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (46106 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-27924 | 1 Nintex | 1 Automation | 2026-01-30 | 5.4 Medium |
| Nintex Automation 5.6 and 5.7 before 5.8 has a stored XSS issue associated with the "Navigate to a URL" action. | ||||
| CVE-2024-24506 | 1 Limesurvey | 1 Limesurvey | 2026-01-30 | 6.1 Medium |
| Cross Site Scripting (XSS) vulnerability in Lime Survey Community Edition Version v.5.3.32+220817, allows remote attackers to execute arbitrary code via the Administrator email address parameter in the General Setting function. | ||||
| CVE-2023-33940 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2026-01-30 | 4.8 Medium |
| Cross-site scripting (XSS) vulnerability in IFrame type Remote Apps in Liferay Portal 7.4.0 through 7.4.3.30, and Liferay DXP 7.4 before update 31 allows remote attackers to inject arbitrary web script or HTML via the Remote App's IFrame URL. | ||||
| CVE-2023-33939 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2026-01-30 | 5.4 Medium |
| Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal 7.1.0 through 7.4.3.12, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 18, 7.3 before update 4, and 7.4 before update 9 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a facet label. | ||||
| CVE-2023-33944 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2026-01-30 | 4.8 Medium |
| Cross-site scripting (XSS) vulnerability in Layout module in Liferay Portal 7.3.4 through 7.4.3.68, and Liferay DXP 7.3 before update 24, and 7.4 before update 69 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a container type layout fragment's `URL` text field. | ||||
| CVE-2023-33943 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2026-01-30 | 5.4 Medium |
| Cross-site scripting (XSS) vulnerability in the Account module in Liferay Portal 7.4.3.21 through 7.4.3.62, and Liferay DXP 7.4 update 21 through 62 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user's (1) First Name, (2) Middle Name, (3) Last Name, or (4) Job Title text field. | ||||
| CVE-2025-13505 | 1 Datateam | 1 Datactive | 2026-01-30 | 4.8 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting'), Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Datateam Information Technologies Inc. Datactive allows Stored XSS.This issue affects Datactive: from 2.13.34 before 2.14.0.6. | ||||
| CVE-2024-6243 | 1 Linksoftwarellc | 1 Html Forms | 2026-01-30 | 4.8 Medium |
| The HTML Forms WordPress plugin before 1.3.33 does not sanitize and escape the form message inputs, allowing high-privilege users, such as administrators, to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disabled. | ||||
| CVE-2025-67263 | 1 Abacre | 1 Retail Point Of Sale | 2026-01-30 | 6.1 Medium |
| Abacre Retail Point of Sale 14.0.0.396 is affected by a stored cross-site scripting (XSS) vulnerability in the Clients module. The application fails to properly sanitize user-supplied input stored in the Name and Surname fields. An attacker can insert malicious HTML or script content into these fields, which, persisted in the database. | ||||
| CVE-2021-47768 | 2 Cleidigh, Thundernest | 2 Importexporttools Ng, Importexporttools Ng | 2026-01-30 | 6.1 Medium |
| ImportExportTools NG 10.0.4 contains a persistent HTML injection vulnerability in the email export module that allows remote attackers to inject malicious HTML payloads. Attackers can send emails with crafted HTML in the subject that execute during HTML export, potentially compromising user data or session credentials. | ||||
| CVE-2025-67025 | 1 Anycomment | 2 Anycomment, Anycomment.io | 2026-01-30 | 6.1 Medium |
| Cross Site Scripting vulnerability in Anycomment anycomment.io 0.4.4 allows a remote attacker to execute arbitrary code via the Anycomment comment section | ||||
| CVE-2025-40700 | 2 Idi Eikon, Idieikon | 2 Governalia, Governalia | 2026-01-30 | 6.1 Medium |
| Reflected Cross-Site Scripting (XSS) in IDI Eikon's Governalia. The vulnerability allows an attacker to execute JavaScript code in the victim's browser when a malicious URL with the 'q' parameter in '/search' is sent to them. This vulnerability can be exploited to steal sensitive information such as session cookies or to perform actions on behalf of the victim. | ||||
| CVE-2025-63083 | 1 Joomla | 3 Joomla, Joomla!, Joomla\! | 2026-01-30 | 6.1 Medium |
| Lack of output escaping leads to a XSS vector in the pagebreak plugin. | ||||
| CVE-2025-63082 | 1 Joomla | 3 Joomla, Joomla!, Joomla\! | 2026-01-30 | 6.1 Medium |
| Lack of input filtering leads to an XSS vector in the HTML filter code related to data URLs in img tags. | ||||
| CVE-2025-59057 | 1 Shopify | 2 React-router, Remix-run\/react | 2026-01-30 | 7.6 High |
| React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0. and react-router versions 7.0.0 through 7.8.2, a XSS vulnerability exists in in React Router's meta()/<Meta> APIs in Framework Mode when generating script:ld+json tags which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag. There is no impact if the application is being used in Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>). This issue has been patched in @remix-run/react version 2.17.1 and react-router version 7.9.0. | ||||
| CVE-2025-70458 | 2 Remyandrade, Sourcecodester | 2 Domain Availability Checker, Domain-availability-checker | 2026-01-30 | 5.4 Medium |
| A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the DomainCheckerApp class within domain/script.js of Sourcecodester Domain Availability Checker v1.0. The vulnerability occurs because the application improperly handles user-supplied data in the createResultElement method by using the unsafe innerHTML property to render domain search results. | ||||
| CVE-2025-13744 | 1 Github | 1 Enterprise Server | 2026-01-30 | 5.4 Medium |
| An Improper Neutralization of Input During Web Page Generation vulnerability was identified in GitHub Enterprise Server that allowed attacker controlled HTML to be rendered by the Filter component (search) across GitHub that could be used to exfiltrate sensitive information. An attacker would require permissions to create or modify the names of milestones, issues, pull requests, or similar entities that are rendered in the vulnerable filter/search components. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.19.1, and 3.18.2, 3.17.8, 3.16.11, 3.15.15, and 3.14.20. This vulnerability was reported via the GitHub Bug Bounty program. | ||||
| CVE-2022-48177 | 1 X2engine | 1 X2crm | 2026-01-30 | 5.4 Medium |
| X2CRM Open Source Sales CRM 6.6 and 6.9 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the adin/importModels Import Records Model field (model parameter). This vulnerability allows attackers to create malicious JavaScript that will be executed by the victim user's browser. | ||||
| CVE-2022-48178 | 1 X2engine | 1 X2crm | 2026-01-30 | 5.4 Medium |
| X2CRM Open Source Sales CRM 6.6 and 6.9 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Create Action function, aka an index.php/actions/update URI. | ||||
| CVE-2025-65098 | 1 Typebot | 1 Typebot | 2026-01-30 | 7.4 High |
| Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The `/api/trpc/credentials.getCredentials` endpoint returns plaintext API keys without verifying credential ownership. Version 3.13.2 fixes the issue. | ||||