Export limit exceeded: 46292 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (46292 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-9971 | 1 Google | 1 Chrome | 2026-05-29 | 5.4 Medium |
| Inappropriate implementation in iOS in Google Chrome on iOS prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2026-9377 | 1 Sourcecodester | 1 Sup Online Shopping | 2026-05-29 | 2.4 Low |
| A vulnerability was identified in SourceCodester SUP Online Shopping 1.0. The impacted element is an unknown function of the file /admin/productedit.php. The manipulation of the argument productName leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. | ||||
| CVE-2026-36324 | 1 Sourcecodester | 1 Doctor Appointment System | 2026-05-29 | N/A |
| SourceCodester Doctor Appointment System 1.0 is vulnerable to Cross Site Scripting (XSS) due to improper handling of user supplied input in the user registration functionality in register.php. | ||||
| CVE-2018-7795 | 1 Schneider-electric | 2 Powerlogic Pm5560, Powerlogic Pm5560 Firmware | 2026-05-29 | 5.4 Medium |
| A Cross Protocol Injection vulnerability exists in Schneider Electric's PowerLogic (PM5560 prior to FW version 2.5.4) product. The vulnerability makes the product susceptible to cross site scripting attack on its web browser. User inputs can be manipulated to cause execution of java script code. | ||||
| CVE-2026-42401 | 1 Elastic | 1 Kibana | 2026-05-29 | 4.1 Medium |
| Improper Neutralization of Input During Web Page Generation (CWE-79) in Kibana can lead to stored HTML injection. A user with write access to an Elasticsearch index could persist crafted markup which, when subsequently rendered through an affected Kibana view by another user, was not sufficiently sanitized. Successful exploitation could result in unauthorized UI manipulation and outbound network requests issued from the viewing user's browser session. | ||||
| CVE-2026-45323 | 1 Jpettitt | 1 Meshcore-card | 2026-05-29 | 9.6 Critical |
| MeshCore Card provides MeshCore Lovelace card for Home Assistant. Prior to 0.3.3, Meshcore node names are rendered without HTML escaping in meshcore-card, allowing any node within direct or indirect (repeated) radio range to execute arbitrary javascript in the Home Assistant frontend of anyone viewing the card. This vulnerability is fixed in 0.3.3. | ||||
| CVE-2026-48903 | 1 Joomla | 2 Joomla! Framework Filter Package, Joomla\! | 2026-05-29 | 6.1 Medium |
| Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components. | ||||
| CVE-2025-13167 | 1 Synology | 3 Contacts, Diskstation Manager, Synology Contacts | 2026-05-29 | 5.4 Medium |
| Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in contact functionality in Synology Contacts before 1.0.10-20659 allows remote authenticated users to read or write specific files containing non-sensitive information via unspecified vectors. | ||||
| CVE-2025-22741 | 2 Ricetheme, Wordpress | 2 Felan Framework, Wordpress | 2026-05-29 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RiceTheme Felan Framework allows Reflected XSS. This issue affects Felan Framework: from n/a through 1.1.3. | ||||
| CVE-2025-52747 | 2 Jthemes, Wordpress | 2 Themebox - Digital Products Ecommerce, Wordpress | 2026-05-29 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jthemes Themebox - Digital Products Ecommerce allows Reflected XSS. This issue affects Themebox - Digital Products Ecommerce: from n/a through 1.4.2. | ||||
| CVE-2026-42728 | 2 Ht Plugins, Wordpress | 2 Ht Contact Form 7, Wordpress | 2026-05-29 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Contact Form 7 ht-contactform allows Stored XSS.This issue affects HT Contact Form 7: from n/a through <= 2.8.2. | ||||
| CVE-2026-42739 | 2 Inilerm, Wordpress | 2 Advanced Ip Blocker, Wordpress | 2026-05-29 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in IniLerm Advanced IP Blocker advanced-ip-blocker allows DOM-Based XSS.This issue affects Advanced IP Blocker: from n/a through <= 8.10.7. | ||||
| CVE-2026-42750 | 2 Nexcess, Wordpress | 2 Wpcomplete, Wordpress | 2026-05-29 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nexcess WPComplete wpcomplete allows Stored XSS.This issue affects WPComplete: from n/a through <= 2.9.5.4. | ||||
| CVE-2026-42754 | 2 Phbernard, Wordpress | 2 Favicon, Wordpress | 2026-05-29 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in phbernard Favicon favicon-by-realfavicongenerator allows Reflected XSS.This issue affects Favicon: from n/a through <= 1.3.46. | ||||
| CVE-2026-47119 | 1 3clyp50 | 1 Agent-zero | 2026-05-29 | 6.1 Medium |
| Agent Zero before version 1.15 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary JavaScript in the application origin by serving SVG files through the image_get API endpoint without Content-Security-Policy, X-Content-Type-Options, or Content-Disposition headers. Attackers can place a crafted SVG file containing script tags in any path readable by the agent-zero process and lure an authenticated user to the image_get endpoint, causing the browser to execute the malicious script, steal the csrf_token cookie, and perform unauthorized API calls on behalf of the victim. | ||||
| CVE-2026-2374 | 2 Robertpeake, Wordpress | 2 Login No Captcha Recaptcha, Wordpress | 2026-05-29 | 7.2 High |
| The Login No Captcha reCAPTCHA plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `$_SERVER['PHP_SELF']` superglobal in all versions up to, and including, 1.8.0. This is due to the `authenticate()` function storing the unsanitized output of `basename($_SERVER['PHP_SELF'])` in the `login_nocaptcha_error` WordPress option when a login attempt is made from a non-standard login page (e.g., xmlrpc.php). The `admin_notices()` function then echoes this stored value directly into the admin dashboard HTML without escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator with a whitelisted IP address visits the WordPress dashboard within 30 seconds of the attack. | ||||
| CVE-2026-9644 | 2 Nhadjidimitrov, Wordpress | 2 Livesmart Video Chat Live Video Chat, Wordpress | 2026-05-29 | 6.4 Medium |
| The LiveSmart Video Chat Live Video Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'livesmart_widget' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-9806 | 1 Misp | 1 Cti-transmute | 2026-05-29 | N/A |
| A stored cross-site scripting (XSS) vulnerability exists in the notification panel of CTI Transmute in versions prior to the patched release. Notification messages containing user-controlled convert names were rendered in the notification bell dropdown using innerHTML without adequate sanitization. An attacker able to create or influence a convert name that is included in a notification could inject arbitrary JavaScript, which would execute in the browser of an authenticated user when they opened the notification panel. Successful exploitation could allow the attacker to perform actions in the victim's session or access information available to the application in the browser context. The issue was remediated by constructing notification elements through DOM methods and assigning notification message content via textContent instead of innerHTML. This vulnerability was only present on a development branch. | ||||
| CVE-2026-6427 | 2 A3rev, Wordpress | 2 A3 Lazy Load, Wordpress | 2026-05-29 | 6.4 Medium |
| The a3 Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.7.6 This is due to a regex bug in the _filter_videos() method that breaks HTML attribute quoting when processing crafted <video> elements, combined with unescaped output in the admin/views/form-data.php template. An authenticated attacker with Contributor-level access can insert a crafted <video> tag whose src attribute contains an embedded class=" substring that tricks the plugin's class-replacement regex into consuming an attribute-value closing quote. This shifts the HTML5 parser's quote boundary, promoting attacker-controlled text from inside a quoted attribute value into standalone event-handler attributes (autofocus, onfocus). The injected script executes in the browser of any user (including administrators) who views the post. | ||||
| CVE-2026-7660 | 2 Davidanderson, Wordpress | 2 Easy Updates Manager, Wordpress | 2026-05-29 | 6.1 Medium |
| The Easy Updates Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'paged' parameter in versions up to, and including, 9.0.20 This is due to insufficient input sanitization and output escaping in the pagination() function. This makes it possible for attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page granted they can trick an administrator into performing an action such as clicking on a link. | ||||