Search Results (47124 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-3644 | 1 Python | 2 Cpython, Python | 2026-06-30 | 7.5 High |
| The fix for CVE-2026-0672, which rejected control characters in `http.cookies.Morsel`, was incomplete. The `Morsel.update()`, `\|=` operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, `BaseCookie.js_output()` lacked the output validation applied to `BaseCookie.output()`. | ||||
| CVE-2026-50229 | 1 Apache | 1 Tomcat | 2026-06-30 | 6.1 Medium |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in the number guess example for Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue. | ||||
| CVE-2026-8896 | 2 Mirsoftware, Wordpress | 2 Mir Blocks And Shortcodes, Wordpress | 2026-06-30 | 6.4 Medium |
| The MIR blocks and shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute (and other attributes such as 'ready_animation_text') of the 'msc_stats' shortcode in versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes inside the msc_stats() rendering function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-41539 | 2 Qnap, Qnap Systems Inc. | 4 Qts, Quts Hero, Qts and 1 more | 2026-06-30 | 6.1 Medium |
| A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. Remote attackers can exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later; QuTS hero h5.2.9.3499 build 20260514 and later; QuTS hero h5.3.4.3500 build 20260520 and later; QuTS hero h6.0.0.3500 build 20260520 and later. | ||||
| CVE-2024-11831 | 1 Redhat | 34 Acm, Advanced Cluster Security, Ansible Automation Platform and 31 more | 2026-06-29 | 5.4 Medium |
| A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package. | ||||
| CVE-2026-57320 | 2 Realmag777, Wordpress | 2 Bear, Wordpress | 2026-06-29 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in BEAR <= 1.1.8 versions. | ||||
| CVE-2026-57337 | 2 Pluginops, Wordpress | 2 Landing Page Builder, Wordpress | 2026-06-29 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Landing Page Builder <= 1.5.3.5 versions. | ||||
| CVE-2026-54889 | 1 Leandrocp | 1 Mdex | 2026-06-29 | N/A |
| Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in leandrocp mdex allows cross-site scripting via unsanitized URL schemes in Quill Delta output. `'Elixir.MDEx':to_delta/2` converts Markdown into a Quill Delta. `'Elixir.MDEx.DeltaConverter':default_convert_node/3` in `lib/mdex/delta_converter.ex` copies the URL of a link, wikilink, or image node directly from the parsed Markdown into the Delta "link" or "image" attribute without applying a scheme allowlist or any normalization. An attacker who controls the Markdown text can supply a `javascript:` URL (for example `[click](javascript:alert(document.cookie))`) that survives verbatim into the Delta attribute. When the Delta is rendered to HTML by a downstream renderer (such as quill-delta-to-html or the Quill client), the attribute becomes an `<a href>` or `<img src>`, and the `javascript:` scheme executes in the browser of anyone who views the rendered content. The link and wikilink cases are the strongest vectors because `javascript:` in an `href` executes on click; the image case is lower impact because `javascript:` in `<img src>` generally does not execute in modern browsers. This issue affects mdex: from 0.8.3 before 0.13.2. | ||||
| CVE-2026-57333 | 2 Spencer Haws, Wordpress | 2 Link Whisper Free, Wordpress | 2026-06-29 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Link Whisper Free <= 0.9.4 versions. | ||||
| CVE-2026-57336 | 2 Astoundify, Wordpress | 2 Jobify, Wordpress | 2026-06-29 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Jobify <= 4.3.2 versions. | ||||
| CVE-2026-57338 | 2 Reputeinfosystems, Wordpress | 2 Arforms, Wordpress | 2026-06-29 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in ARForms <= 7.1.2 versions. | ||||
| CVE-2026-50765 | 1 Koha | 1 Library Management System | 2026-06-29 | 6.1 Medium |
| A stored cross-site scripting (XSS) vulnerability in the patron restriction type administration page of Koha Library Management System versions 0 through 25.11 allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label (display_text field). | ||||
| CVE-2026-50767 | 1 Koha | 1 Library Management System | 2026-06-29 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability in the item type administration page of Koha Library Management System versions 0 through 25.11 allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the item type check-in message field (checkinmsg). | ||||
| CVE-2025-68074 | 2 Ghozylab, Wordpress | 2 Image Carousel, Wordpress | 2026-06-29 | 6.5 Medium |
| Contributor Cross Site Scripting (XSS) in Image Carousel <= 1.0.0.41 versions. | ||||
| CVE-2025-68075 | 2 Kerry, Wordpress | 2 Bne Testimonials, Wordpress | 2026-06-29 | 6.5 Medium |
| Contributor Cross Site Scripting (XSS) in BNE Testimonials <= 2.0.8 versions. | ||||
| CVE-2026-56039 | 2 Wordpress, Wordpress.com | 2 Wordpress, Quick Interest Slider | 2026-06-29 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Quick Interest Slider <= 3.1.6 versions. | ||||
| CVE-2026-56040 | 2 Wordpress, Wordpress.com | 2 Wordpress, Gutenverse Form | 2026-06-29 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Gutenverse Form <= 2.4.7 versions. | ||||
| CVE-2026-56047 | 2 Perfmatters, Powered Kinsta + Generatepress Docs Changelog Feature Requests Legal Affiliate Contact, Wordpress | 2 Perfmatters, Wordpress | 2026-06-29 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in perfmatters <= 2.6.3 versions. | ||||
| CVE-2026-57325 | 2 Jellywp, Wordpress | 2 Nanomag, Wordpress | 2026-06-29 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in NanoMag <= 1.8 versions. | ||||
| CVE-2026-57618 | 2 Themeisle, Wordpress | 2 Neve Pro, Wordpress | 2026-06-29 | 6.5 Medium |
| Contributor Cross Site Scripting (XSS) in Neve PRO <= 3.1.2 versions. | ||||