Export limit exceeded: 47332 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (47332 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-56761 | 1 Hono | 1 Hono | 2026-06-24 | 4.3 Medium |
| hono before 4.12.14 contains an html injection vulnerability in jsx server-side rendering that allows attackers to inject unintended html by using malformed attribute names. Attackers can craft specially crafted attribute keys containing characters like quotes or angle brackets to break html tag boundaries and inject arbitrary attributes or elements. | ||||
| CVE-2026-9643 | 2 Joomunited, Wordpress | 2 Wp Meta Seo, Wordpress | 2026-06-24 | 7.2 High |
| The WP Meta SEO plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via the REQUEST_URI server variable in all versions up to, and including, 4.5.18. When the plugin's `wpmsTemplateRedirect()` hook detects a 404, it concatenates `$_SERVER['HTTP_HOST']` with the raw `$_SERVER['REQUEST_URI']` and inserts that value verbatim into the `wp_wpms_links.link_url` column via `$wpdb->insert()`. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute whenever an administrator views the plugin's 404 & Redirects admin page (`/wp-admin/admin.php?page=metaseo_broken_link`). | ||||
| CVE-2026-9620 | 2 Joomunited, Wordpress | 2 Wp Latest Posts, Wordpress | 2026-06-24 | 6.4 Medium |
| The WP Latest Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via crafted image src attributes in post content in versions up to, and including, 5.0.11. This is due to insufficient output escaping in the field() and loop() functions, which extract the raw src attribute value from <img> tags within post_content using a regular expression and then reconstruct new <img> elements or CSS background-image declarations by directly concatenating the unescaped value — bypassing WordPress's kses filtering entirely. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-34915 | 1 Revive | 1 Adserver | 2026-06-24 | N/A |
| A missing sanitisation of user input in the zone-include.php script of Revive Adserver 6.0.6 and earlier could allow a low‑privileged user to exploit the clientid parameter to perform blind SQL injection attacks. Input sanitisation has been improved to ensure that all parameters processed by the script are properly validated. | ||||
| CVE-2026-44960 | 1 Revive | 1 Adserver | 2026-06-24 | N/A |
| A stored XSS can be exploited by leveraging the usernames as an attack vector. When an admin user viewed the audit log details for affected entries, any malicious JavaScript payload embedded in the username would be executed due to missing output sanitisation. Proper escaping has been added to the audit log details output. | ||||
| CVE-2026-44956 | 1 Revive | 1 Adserver | 2026-06-24 | N/A |
| Low‑privileged users could use their Full Name as a vector for a stored XSS attack. The name is included in system‑generated emails, whose content is stored in the details field of the userlog table. An admin user viewing the email content through userlog-details.php would have any malicious JavaScript payload executed due to missing output sanitisation. Proper escaping has been added to the userlog details output. | ||||
| CVE-2026-53929 | 1 Nocodb | 1 Nocodb | 2026-06-23 | N/A |
| NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, with NC_SECURE_ATTACHMENTS=true, an authenticated uploader could deliver .html or .svg attachments that the browser rendered inline from the NocoDB origin instead of forcing a download. The signed attachment handler stored response-header overrides under PascalCase keys (ResponseContentDisposition, ResponseContentType) while the controller that served the file read them under lowercase-hyphen names (response-content-disposition). The mismatch dropped the Content-Disposition: attachment header, leaving Express to auto-render .html, .svg, and similar inline. This vulnerability is fixed in 2026.05.1. | ||||
| CVE-2026-53662 | 1 Immich-app | 1 Immich | 2026-06-23 | 9.6 Critical |
| immich is a high performance self-hosted photo and video management solution. From commit 4ffa26c9 until 4eb1003, a reflected cross-site scripting (XSS) vulnerability on the /auth/login page allows an attacker to fully compromise any authenticated user's account with a single link click. The continue query parameter is read from the URL and passed to SvelteKit's redirect() without any scheme or origin validation, allowing attacker-controlled JavaScript to execute inside Immich's origin. The payload then uses the victim's existing session to mint an all-permission API key on their account, leading to persistent account takeover. This vulnerability is fixed in commit 4eb1003. | ||||
| CVE-2026-5233 | 1 Mia Technology | 1 Pizzy Library | 2026-06-23 | 7.1 High |
| Improper Control of Interaction Frequency vulnerability in MIA Technology Inc. Pizzy Library allows Flooding. This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250. | ||||
| CVE-2025-15658 | 2 Rewish, Wordpress | 2 Wp Emmet, Wordpress | 2026-06-23 | 5.9 Medium |
| Administrator Cross Site Scripting (XSS) in WP Emmet <= 0.3.4 versions. | ||||
| CVE-2025-15659 | 2 Liseperu, Wordpress | 2 Elizaibots, Wordpress | 2026-06-23 | 6.5 Medium |
| Contributor Cross Site Scripting (XSS) in Elizaibots <= 1.0.2 versions. | ||||
| CVE-2026-49294 | 1 Valhalla | 1 Valhalla | 2026-06-23 | 6.1 Medium |
| Valhalla is an open source routing engine and accompanying libraries for use with OpenStreetMap data. Versions 3.6.3 and prior are vulnerable to reflected cross-site scripting (XSS) due to improper neutralization of input in the JSONP callback parameter. When a request specifies a JSONP callback, the value is reflected directly into the HTTP response body with Content-Type: application/javascript, without any validation, output encoding, or allowlist filtering. An attacker can craft a URL containing arbitrary JavaScript in the callback parameter; if a victim is induced to load that URL via a <script src="..."> tag, the injected script executes in the context of the serving origin, potentially leading to session token theft, credential disclosure, or actions performed on behalf of the victim. This issue was not fixed at time of publication. | ||||
| CVE-2025-68840 | 2 Markbeljaars, Wordpress | 2 Irobots.txt Seo, Wordpress | 2026-06-23 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in iRobots.txt SEO <= 1.1.2 versions. | ||||
| CVE-2025-68851 | 2 Arrayhq, Wordpress | 2 Okay Toolkit, Wordpress | 2026-06-23 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Okay Toolkit <= 2.3 versions. | ||||
| CVE-2025-68872 | 2 Eli, Wordpress | 2 Eli's Wordcents Adsense Widget With Analytics, Wordpress | 2026-06-23 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Eli's WordCents adSense Widget with Analytics <= 1.3.03.27 versions. | ||||
| CVE-2026-39507 | 2 Themeisle, Wordpress | 2 Social Slider Feed, Wordpress | 2026-06-23 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Social Slider Feed <= 2.3.2 versions. | ||||
| CVE-2026-39540 | 2 Amit Mittal, Wordpress | 2 Shipment Tracker For Woocommerce, Wordpress | 2026-06-23 | 6.5 Medium |
| Subscriber Cross Site Scripting (XSS) in Shipment Tracker for Woocommerce <= 1.5.3.2 versions. | ||||
| CVE-2026-42649 | 2 Archetyped, Wordpress | 2 Favicon Rotator, Wordpress | 2026-06-23 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Favicon Rotator <= 1.2.11 versions. | ||||
| CVE-2026-42650 | 2 Ruben Garcia, Wordpress | 2 Automatorwp, Wordpress | 2026-06-23 | 7.2 High |
| Unauthenticated Cross Site Scripting (XSS) in AutomatorWP <= 5.6.7 versions. | ||||
| CVE-2026-42656 | 2 Wasiliy Strecker, Wordpress | 2 Contest Gallery, Wordpress | 2026-06-23 | 6.5 Medium |
| Subscriber Cross Site Scripting (XSS) in Contest Gallery <= 28.1.6 versions. | ||||