Export limit exceeded: 46898 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (46898 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-62042 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bastien Ho Event post event-post.This issue affects Event post: from n/a through <= 5.10.3. | ||||
| CVE-2025-62183 | 1 Pegasystems | 1 Pega Infinity | 2026-04-15 | N/A |
| Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Requires an administrative user and given extensive access rights, impact to Confidentiality and Integrity are low. | ||||
| CVE-2025-5007 | 2026-04-15 | 3.5 Low | ||
| A vulnerability was found in Part-DB up to 1.17.0. It has been declared as problematic. Affected by this vulnerability is the function handleUpload of the file src/Services/Attachments/AttachmentSubmitHandler.php of the component Profile Picture Feature. The manipulation of the argument attachment leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.17.1 is able to address this issue. The identifier of the patch is 2c4f44e808500db19c391159b30cb6142896d415. It is recommended to upgrade the affected component. | ||||
| CVE-2025-49933 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetBlog jet-blog allows Reflected XSS.This issue affects JetBlog: from n/a through <= 2.4.4. | ||||
| CVE-2023-49780 | 2026-04-15 | N/A | ||
| Cross-site scripting vulnerability exists in acmailer CGI ver.4.0.5 and earlier. An arbitrary script may be executed on the web browser of the user who accessed the management page of the affected product. | ||||
| CVE-2025-65095 | 1 Lookyloo | 1 Lookyloo | 2026-04-15 | N/A |
| Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to version 1.35.1, there is potential cross-site scripting on index and tree page. This issue has been patched in version 1.35.1. | ||||
| CVE-2025-48491 | 2026-04-15 | N/A | ||
| Project AI is a platform designed to create AI agents. Prior to the pre-beta version, a hardcoded API key was present in the source code. This issue has been patched in the pre-beta version. | ||||
| CVE-2025-33135 | 1 Ibm | 2 Financial Transaction Manager For Ach Services And Check Services For Multi-platform, Financial Transaction Manager For Ach Services And Check Services For Multi Platform | 2026-04-15 | 6.1 Medium |
| IBM Financial Transaction Manager for ACH Services and Check Services for Multi-Platform 3.0.0.0 through 3.0.5.4 Interim Fix 027 IBM Financial Transaction Manager for Check Services v3 (Multiplatforms) is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | ||||
| CVE-2025-68906 | 2 Jnews, Wordpress | 2 Jnews, Wordpress | 2026-04-15 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jegtheme JNews - Video jnews-video allows Reflected XSS.This issue affects JNews - Video: from n/a through <= 11.0.2. | ||||
| CVE-2025-1175 | 2026-04-15 | 6.1 Medium | ||
| Reflected Cross-Site Scripting (XSS) vulnerability in Kelio Visio 1, Kelio Visio X7 and Kelio Visio X4, in versions between 3.2C and 5.1K. This vulnerability could allow an attacker to execute a JavaScript payload by making a POST request and injecting malicious code into the editable ‘username’ parameter of the ‘/PageLoginVisio.do’ endpoint. | ||||
| CVE-2025-24372 | 1 Ckan | 1 Ckan | 2026-04-15 | 7.3 High |
| CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Using a specially crafted file, a user could potentially upload a file containing code that when executed could send arbitrary requests to the server. If that file was opened by an administrator, it could lead to escalation of privileges of the original submitter or other malicious actions. Users must have been registered to the site to exploit this vulnerability. This vulnerability has been fixed in CKAN 2.10.7 and 2.11.2. Users are advised to upgrade. On versions prior to CKAN 2.10.7 and 2.11.2, site maintainers can restrict the file types supported for uploading using the `ckan.upload.user.mimetypes` / `ckan.upload.user.types` and `ckan.upload.group.mimetypes` / `ckan.upload.group.types` config options. To entirely disable file uploads users can use: `ckan.upload.user.types = none` | ||||
| CVE-2025-62662 | 1 Mediawiki | 1 Mediawiki | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - AdvancedSearch Extension allows Stored XSS.This issue affects Mediawiki - AdvancedSearch Extension: from master before 1.39. | ||||
| CVE-2025-64194 | 2 Thimpress, Wordpress | 2 Eduma, Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress Eduma eduma allows Stored XSS.This issue affects Eduma: from n/a through <= 5.7.6. | ||||
| CVE-2020-36966 | 1 Dolibarr | 2 Dolibarr, Dolibarr Erp\/crm | 2026-04-15 | 6.4 Medium |
| Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows attackers to inject malicious scripts through multiple parameters. Attackers can exploit the host, slave, and port parameters in /dolibarr/admin/ldap.php to execute arbitrary JavaScript and potentially steal user cookie information. | ||||
| CVE-2025-11278 | 1 Allstarlink | 2 Allmon2, Supermon | 2026-04-15 | 4.3 Medium |
| A security vulnerability has been detected in AllStarLink Supermon up to 6.2. This vulnerability affects unknown code of the component AllMon2. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2024-36109 | 2026-04-15 | 7.6 High | ||
| CoCalc is web-based software that enables collaboration in research, teaching, and scientific publishing. In affected versions the markdown parser allows `<script>` tags to be included which execute when published. This issue has been addressed in commit `419862a9c9879c`. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2025-64200 | 3 Villatheme, Woocommerce, Wordpress | 3 Woocommerce Email Template Customizer, Woocommerce, Wordpress | 2026-04-15 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VillaTheme Email Template Customizer for WooCommerce email-template-customizer-for-woo allows Stored XSS.This issue affects Email Template Customizer for WooCommerce: from n/a through <= 1.2.17. | ||||
| CVE-2025-64204 | 2 Themesphere, Wordpress | 2 Smartmag, Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeSphere SmartMag smart-mag allows Stored XSS.This issue affects SmartMag: from n/a through <= 10.3.1. | ||||
| CVE-2024-10108 | 2026-04-15 | 7.2 High | ||
| The WPAdverts – Classifieds Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's adverts_add shortcode in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-4011 | 1 Redmine | 1 Redmine | 2026-04-15 | 3.5 Low |
| A vulnerability has been found in Redmine 6.0.0/6.0.1/6.0.2/6.0.3 and classified as problematic. This vulnerability affects unknown code of the component Custom Query Handler. The manipulation of the argument Name leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 6.0.4 is able to address this issue. It is recommended to upgrade the affected component. | ||||