Export limit exceeded: 350456 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 350456 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 45912 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (45912 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-4975 | 1 Redhat | 1 Advanced Cluster Security | 2026-04-15 | 8.9 High |
| A flaw was found in the Red Hat Advanced Cluster Security (RHACS) portal. When rendering a table view in the portal, for example, on any of the /main/configmanagement/* endpoints, the front-end generates a DOM table-element (id="pdf-table"). This information is then populated with unsanitized data using innerHTML. An attacker with some control over the data rendered can trigger a cross-site scripting (XSS) vulnerability. | ||||
| CVE-2025-10255 | 1 Onlyoffice | 1 Onlyoffice | 2026-04-15 | 3.5 Low |
| A vulnerability was determined in Ascensio System SIA OnlyOffice up to 12.7.0. Impacted is an unknown function of the file /Products/Projects/Messages.aspx of the component Comment Handler. Executing manipulation can lead to cross site scripting. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was informed early about this issue and replied: "We are already working on this case, and the issues will be resolved in one of the upcoming patches." | ||||
| CVE-2025-68859 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in agmorpheus Syntax Highlighter Compress syntax-highlighter-compress allows Reflected XSS.This issue affects Syntax Highlighter Compress: from n/a through <= 3.0.83.3. | ||||
| CVE-2024-11761 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The LegalWeb Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'legalweb-popup' shortcode in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-11788 | 2026-04-15 | 6.4 Medium | ||
| The StreamWeasels YouTube Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sw-youtube-embed' shortcode in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-10340 | 1 Whatcd | 1 Gazelle | 2026-04-15 | 3.5 Low |
| A vulnerability was determined in WhatCD Gazelle up to 63b337026d49b5cf63ce4be20fdabdc880112fa3. The affected element is an unknown function of the file /sections/tools/managers/change_log.php of the component Commit Message Handler. Executing manipulation of the argument Message can lead to cross site scripting. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. | ||||
| CVE-2025-10434 | 1 Ibuyu | 1 Ibuyucms | 2026-04-15 | 2.4 Low |
| A vulnerability was identified in IbuyuCMS up to 2.6.3. Impacted is an unknown function of the file /admin/article.php?a=mod of the component Add Article Page. The manipulation of the argument Title leads to cross site scripting. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. | ||||
| CVE-2023-51513 | 2 Infinitumform, Wordpress | 2 Geo Controller, Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in INTINITUM FORM Geo Controller allows DOM-Based XSS.This issue affects Geo Controller: from n/a through 8.5.2. | ||||
| CVE-2025-64112 | 1 Statamic | 1 Cms | 2026-04-15 | 8 High |
| Statmatic is a Laravel and Git powered content management system (CMS). Stored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This vulnerability is fixed in 5.22.1. | ||||
| CVE-2025-15149 | 2026-04-15 | 2.4 Low | ||
| A vulnerability has been found in rawchen ecms up to b59d7feaa9094234e8aa6c8c6b290621ca575ded. Affected by this vulnerability is the function updateProductServlet of the file src/servlet/product/updateProductServlet.java of the component Add New Product Page. The manipulation of the argument productName leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-9427 | 2 Lemonsoft, Wordpress | 2 Wordpress Add-on, Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Lemonsoft WordPress add on allows Cross-Site Scripting (XSS).This issue affects WordPress add on: 2025.7.1. | ||||
| CVE-2025-10761 | 1 Harness | 1 Harness | 2026-04-15 | 3.7 Low |
| A vulnerability has been found in Harness 3.3.0. Affected is an unknown function of the file /api/v1/login of the component Login Endpoint. The manipulation leads to improper restriction of excessive authentication attempts. Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-9969 | 2026-04-15 | 7.1 High | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Vizly Web Design Real Estate Packages allows Content Spoofing, CAPEC - 593 - Session Hijacking, CAPEC - 591 - Reflected XSS.This issue affects Real Estate Packages: before 5.1. | ||||
| CVE-2025-9978 | 3 Elementor, Jegtheme, Wordpress | 3 Elementor, Jeg Elementor Kit, Wordpress | 2026-04-15 | 6.8 Medium |
| The Jeg Kit for Elementor WordPress plugin before 2.7.0 does not sanitize SVG file contents when uploaded via xmlrpc.php, leading to a cross site scripting vulnerability. | ||||
| CVE-2025-62413 | 1 Emqx | 1 Mqttx | 2026-04-15 | 6.1 Medium |
| MQTTX is an MQTT 5.0 desktop client and MQTT testing tool. A Cross-Site Scripting (XSS) vulnerability was introduced in MQTTX v1.12.0 due to improper handling of MQTT message payload rendering. Malicious payloads containing HTML or JavaScript could be rendered directly in the MQTTX message viewer. If exploited, this could allow attackers to execute arbitrary scripts in the context of the application UI — for example, attempting to access MQTT connection credentials or trigger unintended actions through script injection. This vulnerability is especially relevant when MQTTX is used with brokers in untrusted or multi-tenant environments, where message content cannot be fully controlled. This vulnerability is fixed in 1.12.1. | ||||
| CVE-2025-1393 | 2026-04-15 | 9.8 Critical | ||
| An unauthenticated remote attacker can use hard-coded credentials to gain full administration privileges on the affected product. | ||||
| CVE-2025-15371 | 1 Tenda | 7 4g03 Pro, 4g05, 4g08 and 4 more | 2026-04-15 | 7.8 High |
| A vulnerability has been found in Tenda i24, 4G03 Pro, 4G05, 4G08, G0-8G-PoE, Nova MW5G and TEG5328F up to 65.10.15.6. Affected is an unknown function of the component Shadow File. Such manipulation with the input Fireitup leads to hard-coded credentials. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2018-25157 | 1 Phraseanet | 1 Phraseanet Dam Open Source | 2026-04-15 | 6.4 Medium |
| Phraseanet 4.0.3 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through crafted file names during document uploads. Attackers can upload files with embedded SVG scripts that execute in the browser, potentially stealing cookies or redirecting users when the file is viewed. | ||||
| CVE-2025-52570 | 2026-04-15 | N/A | ||
| Letmein is an authenticating port knocker. Prior to version 10.2.1, The connection limiter is implemented incorrectly. It allows an arbitrary amount of simultaneously incoming connections (TCP, UDP and Unix socket) for the services letmeind and letmeinfwd. Therefore, the command line option num-connections is not effective and does not limit the number of simultaneously incoming connections. This issue has been patched in version 10.2.1. | ||||
| CVE-2025-62041 | 3 Codexthemes, Elementor, Wordpress | 3 Thegem, Elementor, Wordpress | 2026-04-15 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem (Elementor) thegem-elementor.This issue affects TheGem (Elementor): from n/a through <= 5.10.5.1. | ||||