Export limit exceeded: 45961 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (45961 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-0716 | 2026-04-15 | 4.8 Medium | ||
| Improper sanitization of the value of the 'href' and 'xlink:href' attributes in '<image>' SVG elements in AngularJS allows attackers to bypass common image source restrictions. This can lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing and also negatively affect the application's performance and behavior by using too large or slow-to-load images. This issue affects all versions of AngularJS. Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status . | ||||
| CVE-2025-0643 | 1 Narkom | 1 Pyxis Signage | 2026-04-15 | 7.2 High |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Narkom Communication and Software Technologies Trade Ltd. Co. Pyxis Signage allows Stored XSS.This issue affects Pyxis Signage: through 31012025. | ||||
| CVE-2025-0642 | 1 Poscube | 1 Assist | 2026-04-15 | 6.3 Medium |
| Use of Hard-coded Credentials, Authorization Bypass Through User-Controlled Key vulnerability in PosCube Hardware Software and Consulting Ltd. Co. Assist allows Excavation, Authentication Bypass.This issue affects Assist: through 10.02.2025. | ||||
| CVE-2024-9937 | 2 Prasidhda, Wordpress | 2 Woo Manage Fraud Orders, Wordpress | 2026-04-15 | 6.1 Medium |
| The Woo Manage Fraud Orders plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 2.6.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-29890 | 2026-04-15 | 8.8 High | ||
| DataLens is a business intelligence and data visualization system. A specifically crafted request allowed the creation of a special chart type with the ability to pass custom javascript code that would later be executed in an unprotected sandbox on subsequent requests to that chart. The problem was fixed in the datalens-ui version `0.1449.0`. Restricting access to the API for creating or modifying charts (`/charts/api/charts/v1/`) would mitigate the issue. | ||||
| CVE-2024-9451 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Embed PDF Viewer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'height' and 'width' parameters in all versions up to, and including, 2.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-28091 | 2026-04-15 | 6.1 Medium | ||
| Technicolor TC8715D TC8715D-01.EF.04.38.00-180405-S-FF9-D RSE-TC8717T devices allow a remote attacker within Wi-Fi proximity to conduct stored XSS attacks via User Defined Service in managed_services_add.asp (the victim must click an X for a deletion). | ||||
| CVE-2024-28089 | 2026-04-15 | 5.2 Medium | ||
| Hitron CODA-4582 2AHKM-CODA4589 7.2.4.5.1b8 devices allow a remote attacker within Wi-Fi proximity (who has access to the router admin panel) to conduct a DOM-based stored XSS attack that can fetch remote resources. The payload is executed at index.html#advanced_location (aka the Device Location page). This can cause a denial of service or lead to information disclosure. | ||||
| CVE-2024-9414 | 2026-04-15 | N/A | ||
| In LAquis SCADA version 4.7.1.511, a cross-site scripting vulnerability could allow an attacker to inject arbitrary code into a web page. This could allow an attacker to steal cookies, redirect users, or perform unauthorized actions. | ||||
| CVE-2025-6924 | 1 Talentsoftware | 1 Bap Automation | 2026-04-15 | 5.4 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Talent Software e-BAP Automation allows Reflected XSS.This issue affects e-BAP Automation: before 42957. | ||||
| CVE-2025-54737 | 2 Nootheme, Wordpress | 2 Jobmonster, Wordpress | 2026-04-15 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme Jobmonster noo-jobmonster allows Reflected XSS.This issue affects Jobmonster: from n/a through <= 4.7.8. | ||||
| CVE-2024-9371 | 2026-04-15 | 6.1 Medium | ||
| The Branda – White Label & Branding, Custom Login Page Customizer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.4.19. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-27609 | 2026-04-15 | 6.5 Medium | ||
| Bonita before 2023.2-u2 allows stored XSS via a UI screen in the administration panel. | ||||
| CVE-2024-51419 | 1 Shenzhen Interconnection Harbor Network Technology | 1 Ofweek Online Exhibition | 2026-04-15 | 6.1 Medium |
| Cross Site Scripting vulnerability in Shenzhen Interconnection Harbor Network Technology Co., Ltd Ofweek Online Exhibition v.1.0.0 allows a remote attacker to execute arbitrary code. | ||||
| CVE-2024-51430 | 1 Sourcecodester | 1 Online Diagnostic Lab Management System | 2026-04-15 | 6.4 Medium |
| Cross Site Scripting vulnerability in online diagnostic lab management system using php v.1.0 allows a remote attacker to execute arbitrary code via the Test Name parameter on the diagnostic/add-test.php component. | ||||
| CVE-2024-51434 | 1 Froala | 1 Wysiwyg Editon | 2026-04-15 | 6.1 Medium |
| Inconsistent <plaintext> tag parsing allows for XSS in Froala WYSIWYG editor 4.3.0 and earlier. | ||||
| CVE-2024-8722 | 2026-04-15 | 5.5 Medium | ||
| The Import any XML or CSV File to WordPress PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | ||||
| CVE-2024-8720 | 2026-04-15 | 6.4 Medium | ||
| The RumbleTalk Live Group Chat – HTML5 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'rumbletalk-admin-button' shortcode in all versions up to, and including, 6.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-8719 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| The Flexmls® IDX Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via several parameters like 'MaxBeds' and 'MinBeds' in all versions up to, and including, 3.14.22 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-8718 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| The Gravity Forms Toolbar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 1.7.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||