Export limit exceeded: 362531 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Export limit exceeded: 47045 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (47045 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-11092 1 Wordpress 1 Wordpress 2026-04-15 6.4 Medium
The SVGPlus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
CVE-2024-33819 1 Globitel 1 Speechlog 2026-04-15 4.6 Medium
Globitel KSA SpeechLog v8.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Save Query function.
CVE-2024-28034 2026-04-15 5.4 Medium
Cross-site scripting vulnerability exists in Mini Thread Version 3.33βi. An arbitrary script may be executed on the web browser of the user accessing the website that uses the product. Note that the developer was unreachable, therefore, users should consider stop using Mini Thread Version 3.33βi.
CVE-2024-12626 2026-04-15 9.6 Critical
The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘a-0-o-search_field_value’ parameter in all versions up to, and including, 5.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. When used in conjunction with the plugin's import and code action feature, this vulnerability can be leveraged to execute arbitrary code.
CVE-2025-12289 1 Sui Shang Information Technology 1 Multi-user Mall System 2026-04-15 4.3 Medium
A flaw has been found in Sui Shang Information Technology Suishang Enterprise-Level B2B2C Multi-User Mall System 1.0. Affected by this vulnerability is an unknown functionality of the file /Point/index/activity_state/1/category_id/1001. Executing manipulation of the argument category_id can lead to cross site scripting. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-10886 2026-04-15 6.4 Medium
The Tribute Testimonials – WordPress Testimonial Grid/Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tribute_testimonials_slider' shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-12870 1 Infiniflow 1 Ragflow 2026-04-15 N/A
A stored cross-site scripting (XSS) vulnerability exists in infiniflow/ragflow, affecting the latest commit on the main branch (cec2080). The vulnerability allows an attacker to upload HTML/XML files that can host arbitrary JavaScript payloads. These files are served with the 'application/xml' content type, which is automatically rendered by browsers. This can lead to the execution of arbitrary JavaScript in the context of the user's browser, potentially allowing attackers to steal cookies and gain unauthorized access to user files and resources. The vulnerability does not require authentication, making it accessible to anyone with network access to the instance.
CVE-2024-33329 1 Lumis 1 Lumis Experience Platform 2026-04-15 7.5 High
A hardcoded privileged ID within Lumisxp v15.0.x to v16.1.x allows attackers to bypass authentication and access internal pages and other sensitive information.
CVE-2024-10887 1 Wordpress 1 Wordpress 2026-04-15 6.4 Medium
The NiceJob plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin's shortcodes (nicejob-lead, nicejob-review, nicejob-engage, nicejob-badge, nicejob-stories) in all versions up to, and including, 3.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-29022 2026-04-15 8.8 High
Xibo is an Open Source Digital Signage platform with a web content management system and Windows display player software. In affected versions some request headers are not correctly sanitised when stored in the session and display tables. These headers can be used to inject a malicious script into the session page to exfiltrate session IDs and User Agents. These session IDs / User Agents can subsequently be used to hijack active sessions. A malicious script can be injected into the display grid to exfiltrate information related to displays. Users should upgrade to version 3.3.10 or 4.0.9 which fix this issue. Customers who host their CMS with the Xibo Signage service have already received an upgrade or patch to resolve this issue regardless of the CMS version that they are running. Upgrading to a fixed version is necessary to remediate. Patches are available for earlier versions of Xibo CMS that are out of security support: 2.3 patch ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff. 1.8 patch a81044e6ccdd92cc967e34c125bd8162432e51bc.diff. There are no known workarounds for this issue.
CVE-2023-51219 2026-04-15 9.6 Critical
A deep link validation issue in KakaoTalk 10.4.3 allowed a remote adversary to direct users to run any attacker-controlled JavaScript within a WebView. The impact was further escalated by triggering another WebView that leaked its access token in a HTTP request header. Ultimately, this access token could be used to take over another user's account and read her/his chat messages.
CVE-2025-68037 2 Atlasgondal, Wordpress 2 Export Media Urls, Wordpress 2026-04-15 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Atlas Gondal Export Media URLs export-media-urls allows Reflected XSS.This issue affects Export Media URLs: from n/a through <= 2.2.
CVE-2024-28895 2026-04-15 6.1 Medium
'Yahoo! JAPAN' App for Android v2.3.1 to v3.161.1 and 'Yahoo! JAPAN' App for iOS v3.2.2 to v4.109.0 contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the WebView of 'Yahoo! JAPAN' App via other app installed on the user's device.
CVE-2024-11032 1 Wordpress 1 Wordpress 2026-04-15 6.1 Medium
The Parsi Date plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 5.1.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2024-10923 1 Opentext 1 Alm Octane 2026-04-15 N/A
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText™ ALM Octane Management allows Stored XSS. The vulnerability could result in a remote code execution attack. This issue affects ALM Octane Management: from 16.2.100 through 24.4.
CVE-2024-28747 1 Ifm 2 Smart Plc Ac14xx Firmware, Smart Plc Ac4xxs Firmware 2026-04-15 9.8 Critical
An unauthenticated remote attacker can use the hard-coded credentials to access the SmartSPS devices with high privileges.
CVE-2021-1444 2026-04-15 6.1 Medium
A vulnerability in the web services interface of Cisco&nbsp;Adaptive Security Appliance (ASA) Software and Cisco&nbsp;Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive, browser-based information.Cisco&nbsp;has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.This advisory is part of the October 2021 release of the Cisco&nbsp;ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see .
CVE-2024-28728 1 Dlink 1 Dwr-2000m 2026-04-15 6.6 Medium
Cross Site Scripting vulnerability in DLink DWR 2000M 5G CPE With Wifi 6 Ax1800 and Dlink DWR 5G CPE DWR-2000M_1.34ME allows a local attacker to obtain sensitive information via a crafted payload to the WiFi SSID Name field.
CVE-2024-10926 1 Ibphoenix 1 Ibwebadmin 2026-04-15 3.5 Low
A vulnerability was found in IBPhoenix ibWebAdmin up to 1.0.2 and classified as problematic. This issue affects some unknown processing of the file /toggle_fold_panel.php of the component Tabelas Section. The manipulation of the argument p leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-3138 2026-04-15 3.5 Low
** DISPUTED ** A vulnerability was found in francoisjacquet RosarioSIS 11.5.1. It has been rated as problematic. This issue affects some unknown processing of the component Add Portal Note. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The associated identifier of this vulnerability is VDB-258911. NOTE: The vendor explains that the PDF is opened by the browser app in a sandbox, so no data from the website should be accessible.