Search Results (44771 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-28871 | 1 Apple | 5 Ios And Ipados, Ipados, Iphone Os and 2 more | 2026-04-02 | 4.3 Medium |
| A logic issue was addressed with improved checks. This issue is fixed in Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4. Visiting a maliciously crafted website may lead to a cross-site scripting attack. | ||||
| CVE-2025-71276 | 1 Alinto | 1 Sogo | 2026-04-02 | 6.4 Medium |
| SOGo before 5.12.5 is prone to an XSS vulnerability with events, tasks, and contacts categories. | ||||
| CVE-2025-41117 | 1 Grafana | 2 Grafana, Grafana Enterprise | 2026-04-02 | 6.8 Medium |
| Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever. | ||||
| CVE-2025-69051 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CridioStudio ListingPro Reviews listingpro-reviews allows Reflected XSS. This issue affects ListingPro Reviews: from n/a through < 2.9.11. | ||||
| CVE-2025-68864 | 2 Infility, Wordpress | 2 Infility Global, Wordpress | 2026-04-02 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Infility Infility Global infility-global allows Stored XSS. This issue affects Infility Global: from n/a through <= 2.15.06. | ||||
| CVE-2026-27599 | 1 Ci4-cms-erp | 1 Ci4ms | 2026-04-02 | 4.7 Medium |
| CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings – Mail Settings. Several configuration fields, including Mail Server, Mail Port, Email Address, Email Password, Mail Protocol, and TLS settings, accept attacker-controlled input that is stored server-side and later rendered without proper output encoding. This issue has been patched in version 0.31.0.0. | ||||
| CVE-2026-33044 | 1 Home-assistant | 2 Core, Home-assistant | 2026-04-02 | 5.4 Medium |
| Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2020.02 and prior to version 2026.01, an authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see a dashboard with a Map-card which includes that entity. It requires that the victim hovers over an information point. Version 2026.01 fixes the issue. | ||||
| CVE-2026-2466 | 2 Dukapress, Wordpress | 2 Dukapress, Wordpress | 2026-04-02 | 7.1 High |
| The DukaPress WordPress plugin through 3.2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue which could be used against high privilege users such as admin. | ||||
| CVE-2025-13071 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 7.1 High |
| The Custom Admin Menu WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue which could be used against high privilege users such as admin. | ||||
| CVE-2026-25369 | 2 Flexmls, Wordpress | 2 Flexmls Idx, Wordpress | 2026-04-02 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in flexmls Flexmls® IDX flexmls-idx allows Reflected XSS. This issue affects Flexmls® IDX: from n/a through <= 3.15.9. | ||||
| CVE-2025-50001 | 2 Tagdiv, Wordpress | 2 Tagdiv Composer, Wordpress | 2026-04-02 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer allows Reflected XSS. This issue affects tagDiv Composer: from n/a through <= 5.4.2. | ||||
| CVE-2025-53222 | 2 Tagdiv, Wordpress | 2 Opt In Builder, Wordpress | 2026-04-02 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Opt-In Builder td-subscription allows Reflected XSS. This issue affects tagDiv Opt-In Builder: from n/a through <= 1.7.3. | ||||
| CVE-2026-25438 | 2 Themehunk, Wordpress | 2 Gutenberg Blocks, Wordpress | 2026-04-02 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Gutenberg Blocks unlimited-blocks allows Reflected XSS. This issue affects Gutenberg Blocks: from n/a through <= 1.2.8. | ||||
| CVE-2026-25442 | 2 Qantumthemes, Wordpress | 2 Kentha, Wordpress | 2026-04-02 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QantumThemes Kentha kentha allows Reflected XSS. This issue affects Kentha: from n/a through <= 4.7.2. | ||||
| CVE-2026-27068 | 2 Ryan Howard, Wordpress | 2 Website Llms.txt, Wordpress | 2026-04-02 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Howard Website LLMs.txt website-llms-txt allows Reflected XSS. This issue affects Website LLMs.txt: from n/a through <= 8.2.6. | ||||
| CVE-2026-33368 | 2 Synacor, Zimbra | 2 Zimbra Collaboration Suite, Collaboration | 2026-04-02 | 6.1 Medium |
| Zimbra Collaboration Suite (ZCS) 10.0 and 10.1 contains a reflected cross-site scripting (XSS) vulnerability in the Classic Webmail REST interface (/h/rest). The application fails to properly sanitize user-supplied input, allowing an unauthenticated attacker to inject malicious JavaScript into a crafted URL. When a victim user accesses the link, the injected script executes in the context of the Zimbra webmail application, which could allow the attacker to perform actions on behalf of the victim. | ||||
| CVE-2026-33370 | 2 Synacor, Zimbra | 2 Zimbra Collaboration Suite, Collaboration | 2026-04-02 | 6.1 Medium |
| An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Zimbra Briefcase feature due to insufficient sanitization of specific uploaded file types. When a user opens a publicly shared Briefcase file containing malicious scripts, the embedded JavaScript executes in the context of the user's session. This allows an attacker to run arbitrary scripts, potentially leading to data exfiltration or other unauthorized actions on behalf of the victim user. | ||||
| CVE-2026-30578 | 1 Leefish | 1 File Thingie | 2026-04-02 | 6.5 Medium |
| File Thingie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious user can leverage the "dir" parameter of the GET request to invoke arbitrary JavaScript code. | ||||
| CVE-2026-30579 | 1 Leefish | 1 File Thingie | 2026-04-02 | 6.5 Medium |
| File Thingie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious user can leverage the "upload file" functionality to upload a file with a crafted file name used to trigger a JavaScript payload. | ||||
| CVE-2025-15605 | 1 Tp-link | 19 Archer Nx200, Archer Nx200 Firmware, Archer Nx200 V1.0 and 16 more | 2026-04-02 | 7.3 High |
| A hardcoded cryptographic key within the configuration mechanism on TP-Link Archer NX200, NX210, NX500 and NX600 enables decryption and re-encryption of device configuration data. An authenticated attacker may decrypt configuration files, modify them, and re-encrypt them, affecting the confidentiality and integrity of device configuration data. | ||||