Export limit exceeded: 46013 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (46013 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-32866 | 2 Opexus, Opexustech | 2 Ecase, Ecase Ecomplaint | 2026-03-30 | 5.5 Medium |
| OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in a user profile. An authenticated attacker can inject parts of an XSS payload in their first and last name fields. The payload is executed when the user's full name is rendered. The attacker can run script in the context of a victim's session. | ||||
| CVE-2026-32868 | 2 Opexus, Opexustech | 3 Ecase, Ecomplaint, Ecase Ecomplaint | 2026-03-30 | 5.5 Medium |
| OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in the 'My Information' screen. An authenticated attacker can inject parts of an XSS payload in the first and last name fields. The payload is executed when the full name is rendered. The attacker can run script in the context of a victim's session. | ||||
| CVE-2026-32869 | 2 Opexus, Opexustech | 3 Ecase, Ecomplaint, Ecase Ecomplaint | 2026-03-30 | 5.5 Medium |
| OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of the "Name of Organization" field when filling out case information. An authenticated attacker can inject an XSS payload which is executed in the context of a victim's session when they visit the case information page. | ||||
| CVE-2026-32850 | 1 Mailenable | 1 Mailenable | 2026-03-30 | 6.1 Medium |
| MailEnable versions prior to 10.55 contain a reflected cross-site scripting vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. Attackers can inject malicious code through the SelectedIndex parameter in the ManageShares.aspx form, which is not properly sanitized before being embedded into dynamically generated JavaScript. | ||||
| CVE-2026-32852 | 1 Mailenable | 1 Mailenable | 2026-03-30 | 6.1 Medium |
| MailEnable versions prior to 10.55 contain a reflected cross-site scripting vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. Attackers can inject malicious code through the StartDate parameter in the FreeBusy.aspx form, which is not properly sanitized before being embedded into dynamically generated JavaScript. | ||||
| CVE-2026-33738 | 1 Lycheeorg | 1 Lychee | 2026-03-30 | 5.4 Medium |
| Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo `description` field is stored without HTML sanitization and rendered using `{!! $item->summary !!}` (Blade unescaped output) in the RSS, Atom, and JSON feed templates. The `/feed` endpoint is publicly accessible without authentication, allowing any RSS reader to execute attacker-controlled JavaScript. Version 7.5.3 fixes the issue. | ||||
| CVE-2026-33628 | 1 Invoiceninja | 1 Invoice Ninja | 2026-03-30 | 5.4 Medium |
| Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Invoice line item descriptions in Invoice Ninja v5.13.0 bypass the XSS denylist filter, allowing stored XSS payloads to execute when invoices are rendered in the PDF preview or client portal. The line item description field was not passed through `purify::clean()` before rendering. This is fixed in v5.13.4 by the vendor by adding `purify::clean()` to sanitize line item descriptions. | ||||
| CVE-2026-33742 | 1 Invoiceninja | 1 Invoice Ninja | 2026-03-30 | 5.4 Medium |
| Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Product notes fields in Invoice Ninja v5.13.0 allow raw HTML via Markdown rendering, enabling stored XSS. The Markdown parser output was not sanitized with `purify::clean()` before being included in invoice templates. This is fixed in v5.13.4 by the vendor by adding `purify::clean()` to sanitize Markdown output. | ||||
| CVE-2026-30568 | 2 Ahsanriaz26gmailcom, Sourcecodester | 2 Inventory System, Inventory System | 2026-03-30 | 4.8 Medium |
| A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in in the view_purchase.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL. | ||||
| CVE-2026-33758 | 1 Openbao | 1 Openbao | 2026-03-30 | 6.1 Medium |
| OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role with `callback_mode=direct` configured are vulnerable to XSS via the `error_description` parameter on the page for a failed authentication. This allows an attacker access to the token used in the Web UI by a victim. The `error_description` parameter has been replaced with a static error message in v2.5.2. The vulnerability can be mitigated by removing any roles with `callback_mode` set to `direct`. | ||||
| CVE-2026-5106 | 1 Code-projects | 1 Exam Form Submission | 2026-03-30 | 2.4 Low |
| A flaw has been found in code-projects Exam Form Submission 1.0. The impacted element is an unknown function of the file /admin/update_fst.php. Executing a manipulation of the argument sname can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been published and may be used. | ||||
| CVE-2022-34133 | 1 Jorani | 1 Jorani | 2026-03-30 | 6.1 Medium |
| Jorani v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Comment parameter at application/controllers/Leaves.php. | ||||
| CVE-2024-8604 | 1 Oretnom23 | 1 Online Food Ordering System | 2026-03-30 | 4.3 Medium |
| A vulnerability classified as problematic has been found in SourceCodester Online Food Ordering System 2.0. This affects an unknown part of the file index.php of the component Create an Account Page. The manipulation of the argument First Name/Last Name leads to cross site scripting. It is possible to initiate the attack remotely. | ||||
| CVE-2023-24191 | 1 Oretnom23 | 1 Online Food Ordering System | 2026-03-30 | 6.1 Medium |
| Online Food Ordering System v2 was discovered to contain a cross-site scripting (XSS) vulnerability via the redirect parameter in signup.php. | ||||
| CVE-2023-24197 | 1 Oretnom23 | 1 Online Food Ordering System | 2026-03-30 | 6.1 Medium |
| Online Food Ordering System v2 was discovered to contain a SQL injection vulnerability via the id parameter at view_order.php. | ||||
| CVE-2023-24195 | 1 Oretnom23 | 1 Online Food Ordering System | 2026-03-30 | 6.1 Medium |
| Online Food Ordering System v2 was discovered to contain a cross-site scripting (XSS) vulnerability via the page parameter in index.php. | ||||
| CVE-2023-24194 | 1 Oretnom23 | 1 Online Food Ordering System | 2026-03-30 | 6.1 Medium |
| Online Food Ordering System v2 was discovered to contain a cross-site scripting (XSS) vulnerability via the page parameter in navbar.php. | ||||
| CVE-2023-24192 | 1 Oretnom23 | 1 Online Food Ordering System | 2026-03-30 | 6.1 Medium |
| Online Food Ordering System v2 was discovered to contain a cross-site scripting (XSS) vulnerability via the redirect parameter in login.php. | ||||
| CVE-2023-0258 | 1 Oretnom23 | 1 Online Food Ordering System | 2026-03-30 | 2.4 Low |
| A vulnerability was found in SourceCodester Online Food Ordering System 2.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Category List Handler. The manipulation of the argument Reason with the input "><script>prompt(1)</script> leads to cross site scripting. The attack may be launched remotely. VDB-218186 is the identifier assigned to this vulnerability. | ||||
| CVE-2026-33932 | 2 Open-emr, Openemr | 2 Openemr, Openemr | 2026-03-30 | 7.6 High |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a stored cross-site scripting vulnerability in the CCDA document preview allows an attacker who can upload or send a CCDA document to execute arbitrary JavaScript in a clinician's browser session when the document is previewed. The XSL stylesheet sanitizes attributes for all other narrative elements but not for `linkHtml`, allowing `href="javascript:..."` and event handler attributes to pass through unchanged. Version 8.0.0.3 patches the issue. | ||||