Export limit exceeded: 352249 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (46110 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-25761 | 1 Projectworlds | 1 Visitor Management System | 2026-01-23 | 6.1 Medium |
| Projectworlds Visitor Management System in PHP 1.0 allows XSS. The file myform.php does not perform input validation on the request parameters. An attacker can inject javascript payloads in the parameters to perform various attacks such as stealing of cookies,sensitive information etc. | ||||
| CVE-2017-18536 | 1 Fullworksplugins | 1 Stop User Enumeration | 2026-01-23 | N/A |
| The stop-user-enumeration plugin before 1.3.8 for WordPress has XSS. | ||||
| CVE-2025-15265 | 1 Svelte | 1 Svelte | 2026-01-23 | 6.1 Medium |
| An SSR XSS exists in async hydration when attacker‑controlled keys are passed to hydratable. The key is embedded inside a <script> block without HTML‑safe escaping, allowing </script> to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users' browsers, with potential for session theft and account compromise. This issue affects Svelte: from 5.46.0 before 5.46.3. | ||||
| CVE-2025-65349 | 2 Each Italy, Eachitaly | 3 Wireless N 300m, Wireless Mini Router Wireless-n 300m, Wireless Mini Router Wireless-n 300m Firmware | 2026-01-23 | 5.4 Medium |
| A Stored Cross-Site Scripting (XSS) vulnerability in Web management interface in Each Italy Wireless Mini Router WIRELESS-N 300M v28K.MiniRouter.20190211 allows attackers to execute arbitrary scripts via a crafted payload due to unsanitized repeater AP SSID value when is displayed in any page at /index.htm. | ||||
| CVE-2025-25063 | 1 Backdropcms | 2 Backdrop, Backdrop Cms | 2026-01-23 | 4.4 Medium |
| An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It does not sufficiently validate uploaded SVG images to ensure they do not contain potentially dangerous SVG tags. SVG images can contain clickable links and executable scripting, and using a crafted SVG, it is possible to execute scripting in the browser when an SVG image is viewed. This issue is mitigated by the attacker needing to be able to upload SVG images, and that Backdrop embeds all uploaded SVG images within <img> tags, which prevents scripting from executing. The SVG must be viewed directly by its URL in order to run any embedded scripting. | ||||
| CVE-2025-25062 | 1 Backdropcms | 1 Backdrop Cms | 2026-01-23 | 4.4 Medium |
| An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It doesn't sufficiently isolate long text content when the CKEditor 5 rich text editor is used. This allows a potential attacker to craft specialized HTML and JavaScript that may be executed when an administrator attempts to edit a piece of content. This vulnerability is mitigated by the fact that an attacker must have the ability to create long text content (such as through the node or comment forms) and an administrator must edit (not view) the content that contains the malicious content. This problem only exists when using the CKEditor 5 module. | ||||
| CVE-2024-50376 | 1 Advantech | 6 Eki-6333ac-1gpo, Eki-6333ac-1gpo Firmware, Eki-6333ac-2g and 3 more | 2026-01-23 | 7.3 High |
| A CWE-79 "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The vulnerability can be exploited remotely leveraging a rogue Wi-Fi access point with a malicious SSID. | ||||
| CVE-2024-50377 | 1 Advantech | 6 Eki-6333ac-1gpo, Eki-6333ac-1gpo Firmware, Eki-6333ac-2g and 3 more | 2026-01-23 | 6.5 Medium |
| A CWE-798 "Use of Hard-coded Credentials" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The vulnerability is associated to the backup configuration functionality that by default encrypts the archives using a static password. | ||||
| CVE-2025-63644 | 2 Ph7builder, Ph7software | 2 Ph7 Social Dating Builder, Ph7-social-dating-cms | 2026-01-23 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability exists in pH7Software pH7-Social-Dating-CMS 17.9.1 in the user profile Description field. | ||||
| CVE-2025-14556 | 2 Drupal, Flag Module Project | 2 Flag, Flag | 2026-01-23 | 5.4 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Flag allows Cross-Site Scripting (XSS).This issue affects Flag: from 7.X-3.0 through 7.X-3.9. | ||||
| CVE-2025-14557 | 2 Drupal, Facebook Pixel Project | 2 Facebook Pixel, Facebook Pixel | 2026-01-23 | 4.8 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Facebook Pixel facebook_pixel allows Stored XSS.This issue affects Facebook Pixel: from 7.X-1.0 through 7.X-1.1. | ||||
| CVE-2021-24713 | 1 Cminds | 2 Video Lessons Manager, Video Lessons Manager Pro | 2026-01-23 | 4.8 Medium |
| The Video Lessons Manager WordPress plugin before 1.7.2 and Video Lessons Manager Pro WordPress plugin before 3.5.9 do not properly sanitize and escape values when updating their settings, which could allow high privilege users to perform Cross-Site Scripting attacks | ||||
| CVE-2023-31228 | 1 Cminds | 1 Cm Search And Replace | 2026-01-23 | 5.9 Medium |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in CreativeMindsSolutions CM On Demand Search And Replace plugin <= 1.3.0 versions. | ||||
| CVE-2024-24115 | 1 Cotonti | 1 Cotonti Siena | 2026-01-23 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability in the Edit Page function of Cotonti CMS v0.9.24 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload. | ||||
| CVE-2025-57883 | 1 Groupsession | 3 Groupsession, Groupsession Bycloud, Groupsession Zion | 2026-01-23 | N/A |
| Reflected cross-site scripting vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. If a user accesses a crafted page or URL, an arbitrary script may be executed on the web browser of the user. | ||||
| CVE-2025-66939 | 1 Altumcode | 1 66biolinks | 2026-01-22 | 5.4 Medium |
| Cross Site Scripting vulnerability in 66biolinks by AltumCode v.61.0.1 allows an attacker to execute arbitrary code via a crafted favicon file | ||||
| CVE-2025-47777 | 1 5ire | 1 5ire | 2026-01-22 | 9.7 Critical |
| 5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Versions prior to 0.11.1 are vulnerable to stored cross-site scripting in chatbot responses due to insufficient sanitization. This, in turn, can lead to Remote Code Execution (RCE) via unsafe Electron protocol handling and exposed Electron APIs. All users of 5ire client versions prior to patched releases, particularly those interacting with untrusted chatbots or pasting external content, are affected. Version 0.11.1 contains a patch for the issue. | ||||
| CVE-2025-58357 | 2 5ire, 5ire Project | 2 5ire, 5ire | 2026-01-22 | 9.7 Critical |
| 5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Version 0.13.2 contains a vulnerability in the chat page's script gadgets that enables content injection attacks through multiple vectors: malicious prompt injection pages, compromised MCP servers, and exploited tool integrations. This is fixed in version 0.14.0. | ||||
| CVE-2025-5591 | 1 Kentico | 1 Xperience | 2026-01-22 | 5.4 Medium |
| Kentico Xperience 13 is vulnerable to a stored cross-site scripting attack via a form component, allowing an attacker to hijack a victim user’s session and perform actions in their security context. | ||||
| CVE-2025-70890 | 1 Phpgurukul | 2 Cyber Cafe Management System, Cybercafe Management System | 2026-01-22 | 6.1 Medium |
| A stored cross-site scripting (XSS) vulnerability exists in Cyber Cafe Management System v1.0. An authenticated attacker can inject arbitrary JavaScript code into the username parameter via the add-users.php endpoint. The injected payload is stored and executed in the victim s browser when the affected page is accessed. | ||||