Total
43154 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-34032 | 1 Geoffrowland | 1 Jmol | 2026-04-07 | 6.1 Medium |
| A reflected cross-site scripting (XSS) vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the data parameter in jsmol.php. The application fails to properly sanitize user input before embedding it into the HTTP response, allowing an attacker to execute arbitrary JavaScript in the victim's browser by crafting a malicious link. This can be used to hijack user sessions or manipulate page content. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-02 UTC. | ||||
| CVE-2024-58305 | 1 Wondercms | 1 Wondercms | 2026-04-07 | 8.8 High |
| WonderCMS 4.3.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious JavaScript through the module installation endpoint. Attackers can craft a specially designed XSS payload to install a reverse shell module and execute remote commands by tricking an authenticated administrator into accessing a malicious link. | ||||
| CVE-2024-58304 | 1 Spa-cart | 2 Spa-cart, Spa-cartcms | 2026-04-07 | 7.5 High |
| SPA-CART CMS 1.9.0.3 contains a stored cross-site scripting vulnerability in the product description parameter that allows authenticated administrators to inject malicious scripts. Attackers can submit JavaScript payloads through the 'descr' parameter in the product edit form to execute arbitrary code in administrative users' browsers. | ||||
| CVE-2024-58292 | 2 Xmb Forum, Xmbforum2 | 2 Xmb, Xmb | 2026-04-07 | N/A |
| XMB Forum 1.9.12.06 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript into templates and front page settings. Attackers can insert XSS payloads in footer templates and news ticker fields, enabling script execution for all forum users when pages are rendered. | ||||
| CVE-2024-58289 | 1 Microweber | 1 Microweber | 2026-04-07 | 5.4 Medium |
| Microweber 2.0.15 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into user profile fields. Attackers can input script payloads in the first name field that will execute when the profile is viewed by other users, potentially stealing session cookies and executing arbitrary JavaScript. | ||||
| CVE-2023-53985 | 1 Zippy | 1 Zstore | 2026-04-07 | 6.1 Medium |
| Zstore, now referred to as Zippy CRM, 6.5.4 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through unvalidated input parameters. Attackers can submit crafted payloads in manual insertion points to execute arbitrary JavaScript code in victim's browser context. | ||||
| CVE-2023-53978 | 1 Mybb | 1 Mybb | 2026-04-07 | 5.4 Medium |
| myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the forum announcement system that allows authenticated administrators to inject malicious scripts when creating announcements. Attackers can exploit this vulnerability by inserting script payloads in the announcement title field when adding announcements through the 'Forums and Posts' > 'Forum Announcements' interface, causing arbitrary JavaScript to execute when the announcement is displayed on the forum. | ||||
| CVE-2026-33406 | 1 Pi-hole | 1 Web | 2026-04-07 | 5.4 Medium |
| Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, configuration values from the /api/config endpoint are placed directly into HTML value="" attributes without escaping in settings-advanced.js, enabling HTML attribute injection. A double quote in any config value breaks out of the attribute context. JavaScript execution is blocked by the server's CSP (script-src 'self'), but injected attributes can alter element styling for UI redressing. The primary attack vector is importing a malicious teleporter backup, which bypasses per-field server-side validation. This vulnerability is fixed in 6.5. | ||||
| CVE-2023-53977 | 1 Mybb | 1 Mybb | 2026-04-07 | 5.4 Medium |
| myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the forum management system that allows authenticated administrators to inject malicious scripts when creating new forums. Attackers can exploit this vulnerability by inserting script payloads in the forum title field when adding new forums through the 'Forums and Posts' > 'Forum Management' interface, causing arbitrary JavaScript to execute when the forum listing is viewed. | ||||
| CVE-2023-53976 | 1 Mybb | 1 Mybb | 2026-04-07 | 5.4 Medium |
| myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the template management system that allows authenticated administrators to inject malicious scripts when creating new templates. Attackers can exploit this vulnerability by inserting script payloads in the template title field when adding new templates through the 'Templates and Style' > 'Templates' > 'Manage Templates' > 'Global Templates' interface, causing arbitrary JavaScript to execute when the template is viewed. | ||||
| CVE-2023-53953 | 1 Websitebaker | 1 Websitebaker | 2026-04-07 | 5.4 Medium |
| WebsiteBaker 2.13.3 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts when creating web pages. Attackers can craft malicious payloads in page titles that execute arbitrary JavaScript when the page is viewed by other users. | ||||
| CVE-2023-53939 | 1 Tinywebgallery | 1 Tinywebgallery | 2026-04-07 | 5.4 Medium |
| TinyWebGallery v2.5 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the folder name parameter. Attackers can edit album folder names with script tags to execute arbitrary JavaScript when other users view the affected gallery pages. | ||||
| CVE-2023-53938 | 1 Rockmongo | 1 Rockmongo | 2026-04-07 | 5.4 Medium |
| RockMongo 1.1.7 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through multiple unencoded input parameters. Attackers can exploit the vulnerability by submitting crafted payloads in database, collection, and login parameters to execute arbitrary JavaScript in victim's browser. | ||||
| CVE-2023-53936 | 1 Tuzitio | 1 Camaleon Cms | 2026-04-07 | 4.8 Medium |
| Cameleon CMS 2.7.4 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts into post titles. Attackers can create posts with embedded SVG scripts that execute when other users mouse over the post title, potentially stealing session cookies and executing arbitrary JavaScript. | ||||
| CVE-2023-53932 | 1 S9y | 1 Serendipity | 2026-04-07 | 5.4 Medium |
| Serendipity 2.4.0 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through blog entry creation. Attackers can craft entries with JavaScript payloads that will execute when other users view the compromised blog post. | ||||
| CVE-2023-53931 | 1 Revive-adserver | 2 Adserver, Revive Adserver | 2026-04-07 | 6.1 Medium |
| Revive Adserver 5.4.1 contains a cross-site scripting vulnerability in the banner advanced configuration page that allows attackers to inject malicious scripts. Attackers can craft a malicious link to the banner-advanced.php endpoint with XSS payloads in prepend and append parameters to execute arbitrary JavaScript when an admin views the page. | ||||
| CVE-2023-53928 | 1 Php-fusion | 1 Phpfusion | 2026-04-07 | 5.4 Medium |
| PHPFusion 9.10.30 contains a stored cross-site scripting vulnerability in the file manager that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload SVG files with script tags that execute arbitrary JavaScript when viewed, potentially stealing user session information or performing client-side attacks. | ||||
| CVE-2023-53927 | 2 Phpjabbers, Simple-cms Project | 2 Simple Cms, Simple Cms | 2026-04-07 | 5.4 Medium |
| PHPJabbers Simple CMS 5.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through section name parameters. Attackers can create sections with embedded JavaScript payloads that will execute when administrators view the sections, potentially enabling client-side code execution. | ||||
| CVE-2023-53925 | 1 Ulicms | 1 Ulicms | 2026-04-07 | 6.1 Medium |
| UliCMS 2023.1 contains a stored cross-site scripting vulnerability that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files through the file management interface that execute arbitrary scripts when viewed by other users. | ||||
| CVE-2023-53920 | 1 Podcastgenerator | 1 Podcast Generator | 2026-04-07 | 5.4 Medium |
| PodcastGenerator 3.2.9 contains a stored cross-site scripting vulnerability in the podcast title field accessible through the podcast details interface (podcast_details.php). Malicious JavaScript payloads injected into the podcast title execute when users visit the application's home page. | ||||