Export limit exceeded: 45863 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (45863 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-51498 | 2026-04-15 | N/A | ||
| cobalt is a media downloader that doesn't piss you off. A malicious cobalt instance could serve links with the `javascript:` protocol, resulting in Cross-site Scripting (XSS) when the user tries to download an item from a picker. This issue has been present since commit `66bac03e`, was mitigated in commit `97977efa` (correctly configured web instances were no longer vulnerable) and fully fixed in commit `c4be1d3a` (included in release version 10.2.1). Users are advised to upgrade. Users unable to upgrade should enable a content-security-policy. | ||||
| CVE-2024-5279 | 2026-04-15 | 3.5 Low | ||
| A vulnerability was found in Qiwen Netdisk up to 1.4.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component File Rename Handler. The manipulation with the input <img src="" onerror="alert(document.cookie)"> leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-266083. | ||||
| CVE-2024-52283 | 2026-04-15 | 5.7 Medium | ||
| Missing sanitation of inputs allowed arbitrary users to conduct a stored XSS attack that triggers for users that view a certain project | ||||
| CVE-2025-67990 | 2 Realmag777, Wordpress | 2 Gmap Targeting, Wordpress | 2026-04-15 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 GMap Targeting gmap-targeting allows Reflected XSS.This issue affects GMap Targeting: from n/a through <= 1.1.7. | ||||
| CVE-2021-47839 | 2 Marky Project, Vesparny | 2 Marky, Marky | 2026-04-15 | 7.2 High |
| Marky 0.0.1 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into markdown files. Attackers can upload crafted markdown files with embedded JavaScript payloads that execute when the file is opened, potentially enabling remote code execution. | ||||
| CVE-2020-37014 | 1 Tryton | 2 Tryton, Trytond | 2026-04-15 | 6.4 Medium |
| Tryton 5.4 contains a persistent cross-site scripting vulnerability in the user profile name input that allows remote attackers to inject malicious scripts. Attackers can exploit the vulnerability by inserting script payloads in the name field, which execute in the frontend and backend user interfaces. | ||||
| CVE-2020-37135 | 3 Amss++ Project, Amss\+\+ Project, Amssplus | 3 Amss++, Amss\+\+, Amss Plus | 2026-04-15 | 7.5 High |
| AMSS++ 4.7 contains an authentication bypass vulnerability that allows attackers to access administrative accounts using hardcoded credentials. Attackers can log in with the default admin username and password '1234' to gain unauthorized administrative access to the system. | ||||
| CVE-2025-55062 | 2026-04-15 | 4.8 Medium | ||
| CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') | ||||
| CVE-2020-36828 | 2026-04-15 | 3.5 Low | ||
| A vulnerability was found in DiscuzX up to 3.4-20200818. It has been classified as problematic. Affected is the function show_next_step of the file upload/install/include/install_function.php. The manipulation of the argument uchidden leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 3.4-20210119 is able to address this issue. The name of the patch is 4a9673624f46f7609486778ded9653733020c567. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-258612. | ||||
| CVE-2021-47838 | 1 Dvcrn | 1 Markright | 2026-04-15 | 7.2 High |
| Markright 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to embed malicious payloads in markdown files. Attackers can upload specially crafted markdown files that execute arbitrary JavaScript when opened, potentially enabling remote code execution on the victim's system. | ||||
| CVE-2020-36827 | 2026-04-15 | 5.4 Medium | ||
| The XAO::Web module before 1.84 for Perl mishandles < and > characters in JSON output during use of json-embed in Web::Action. | ||||
| CVE-2021-47840 | 1 Moeditor | 1 Moeditor | 2026-04-15 | 7.2 High |
| Moeditor 0.2.0 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads within markdown files. Attackers can upload specially crafted markdown files with embedded JavaScript that execute when opened, potentially enabling remote code execution on the victim's system. | ||||
| CVE-2025-67991 | 2 Vanquish, Wordpress | 2 User Extra Fields, Wordpress | 2026-04-15 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Reflected XSS.This issue affects User Extra Fields: from n/a through <= 16.8. | ||||
| CVE-2021-47837 | 2 Amitmerchant1990, Matthewwithanm | 2 Markdownify, Markdownify | 2026-04-15 | 7.2 High |
| Markdownify 1.2.0 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads within markdown files. Attackers can upload crafted markdown files with embedded scripts that execute when the file is opened, potentially enabling remote code execution. | ||||
| CVE-2025-27704 | 2026-04-15 | N/A | ||
| There is a cross-site scripting vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.53. Attackers with system administrator permissions can interfere with another system administrator’s use of the management console when the second administrator logs in. Attack complexity is high, attack requirements are present, privileges required are none, user interaction is required. The impact to confidentiality is low, the impact to availability is none, and the impact to system integrity is none. | ||||
| CVE-2025-59430 | 2026-04-15 | 8.2 High | ||
| Mesh Connect JS SDK contains JS libraries for integrating with Mesh Connect. Prior to version 3.3.2, the lack of sanitization of URLs protocols in the createLink.openLink function enables the execution of arbitrary JavaScript code within the context of the parent page. This is technically indistinguishable from a real page at the rendering level and allows access to the parent page DOM, storage, session, and cookies. If the attacker can specify customIframeId, they can hijack the source of existing iframes. This issue has been patched in version 3.3.2. | ||||
| CVE-2025-59095 | 1 Dormakaba | 1 Kaba Exos 9300 | 2026-04-15 | N/A |
| The program libraries (DLL) and binaries used by exos 9300 contain multiple hard-coded secrets. One notable example is the function "EncryptAndDecrypt" in the library Kaba.EXOS.common.dll. This algorithm uses a simple XOR encryption technique combined with a cryptographic key (cryptoKey) to transform each character of the input string. However, it's important to note that this implementation does not provide strong encryption and should not be considered secure for sensitive data. It's more of a custom encryption approach rather than a common algorithm used in cryptographic applications. The key itself is static and based on the founder's name of the company. The functionality is for example used to encrypt the user PINs before storing them in the MSSQL database. | ||||
| CVE-2021-47855 | 2 Litespeed Technologies, Litespeedtech | 2 Openlitespeed, Openlitespeed | 2026-04-15 | 7.2 High |
| Openlitespeed 1.7.9 contains a stored cross-site scripting vulnerability in the dashboard's Notes parameter that allows administrators to inject malicious scripts. Attackers can craft a payload in the Notes field during listener configuration that will execute when an administrator clicks on the Default Icon. | ||||
| CVE-2024-9017 | 2026-04-15 | 6.4 Medium | ||
| The PeepSo Core: Groups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Group Description field in all versions up to, and including, 6.4.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2021-47858 | 1 Genexis | 2 Platinum-4410, Platinum-4410 Firmware | 2026-04-15 | 7.2 High |
| Genexis Platinum-4410 P4410-V2-1.31A contains a stored cross-site scripting vulnerability in the 'start_addr' parameter of the Security Management interface. Attackers can inject malicious scripts through the start source address field that will persist and trigger for privileged users when they access the security management page. | ||||