Export limit exceeded: 44574 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (44574 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-69241 | 1 Raytha | 1 Raytha | 2026-03-24 | 5.4 Medium |
| Raytha CMS is vulnerable to Stored XSS via FirstName and LastName parameters in profile editing functionality. Authenticated attacker can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. This issue was fixed in version 1.4.6. | ||||
| CVE-2025-69242 | 1 Raytha | 1 Raytha | 2026-03-24 | 6.1 Medium |
| Raytha CMS is vulnerable to reflected XSS via the backToListUrl parameter. An attacker can craft a malicious URL which, when opened by authenticated victim, results in arbitrary JavaScript execution in the victim’s browser. This issue was fixed in version 1.4.6. | ||||
| CVE-2025-69245 | 1 Raytha | 1 Raytha | 2026-03-24 | 6.1 Medium |
| Raytha CMS is vulnerable to Reflected XSS via returnUrl parameter in logon functionality. An attacker can craft a malicious URL which, when opened by the authenticated victim, results in arbitrary JavaScript execution in the victim’s browser. This issue was fixed in 1.4.6. | ||||
| CVE-2026-25369 | 2 Flexmls, Wordpress | 2 Flexmls Idx, Wordpress | 2026-03-24 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Flexmls Flexmls® IDX allows Reflected XSS.This issue affects Flexmls® IDX: from n/a through 3.15.9. | ||||
| CVE-2025-2274 | 1 Forcepoint | 1 Web Security | 2026-03-24 | N/A |
| Improper Neutralization of Input During Web Page Generation in Forcepoint Web Security (On-Prem) on Windows allows Stored XSS.This issue affects Web Security through 8.5.6. | ||||
| CVE-2026-32040 | 1 Openclaw | 1 Openclaw | 2026-03-23 | 4.6 Medium |
| OpenClaw versions prior to 2026.2.23 contain an html injection vulnerability in the HTML session exporter that allows attackers to execute arbitrary javascript by injecting malicious mimeType values in image content blocks. Attackers can craft session entries with specially crafted mimeType attributes that break out of the img src data-URL context to achieve cross-site scripting when exported HTML is opened. | ||||
| CVE-2008-6027 | 1 Iss-oberlausitz | 1 Bluepage Cms | 2026-03-23 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in index.php in BLUEPAGE CMS 2.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) whl, (2) var_1, and (3) search parameters. | ||||
| CVE-2026-32843 | 1 Linkitonedevgroup | 1 Location Aware Sensor System (lass) | 2026-03-23 | N/A |
| Location Aware Sensor System by Linkit ONE, up to commit f06bd20 (2023-04-26), contains a reflected cross-site scripting vulnerability in the PM25.php file that allows remote attackers to execute arbitrary JavaScript by injecting malicious code into GET parameters. Attackers can craft a malicious URL containing unencoded payloads in the site, city, district, channel, or apikey parameters to execute scripts in victims' browsers when they visit the page. | ||||
| CVE-2026-29023 | 1 Keygraphhq | 1 Shannon | 2026-03-23 | 7.3 High |
| Keygraph Shannon contains a hard-coded API key in its router configuration that, when the router component is enabled and exposed, allows network attackers to authenticate using the publicly known static key. An attacker able to reach the router port can proxy requests through the Shannon instance using the victim’s configured upstream provider API credentials, resulting in unauthorized API usage and potential disclosure of proxied request and response data. This vulnerability's general exploitability has been mitigated with the introduction of commit 023cc95. | ||||
| CVE-2025-34521 | 1 Arcserve | 1 Udp | 2026-03-23 | 5.4 Medium |
| A reflected cross-site scripting (XSS) vulnerability exists in the web interface of the Arcserve Unified Data Protection (UDP), where unsanitized user input is improperly reflected in HTTP responses. This flaw allows remote attackers with low privileges to craft malicious links that, when visited by another user, execute arbitrary JavaScript in the victim’s browser. Successful exploitation may lead to session hijacking, credential theft, or other client-side impacts. The vulnerability requires user interaction and occurs within a shared browser context. This vulnerability affects all UDP versions prior to 10.2. UDP 10.2 includes the necessary patches and requires no action. Versions 8.0 through 10.1 are supported and require either patch application or upgrade to 10.2. Versions 7.x and earlier are unsupported or out of maintenance and must be upgraded to 10.2 to remediate the issue. | ||||
| CVE-2025-34512 | 1 Ilevia | 2 Eve X1 Server, Eve X1 Server Firmware | 2026-03-23 | 6.1 Medium |
| Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain a reflected cross-site scripting (XSS) vulnerability in index.php that allows an unauthenticated attacker to execute arbitrary code. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080 to the internet. | ||||
| CVE-2025-34182 | 1 Opnsense | 1 Opnsense | 2026-03-23 | N/A |
| In Deciso OPNsense before 25.7.4, when creating an "Interfaces: Devices: Point-to-Point" entry, the value of the parameter ptpid is not sanitized of HTML-related characters/strings. This value is directly displayed when visiting the page/interfaces_assign.php, which can result in stored cross-site scripting. The attacker must be authenticated with at-least "Interfaces: PPPs: Edit" permission. This vulnerability has been addressed by the vendor in the product release notes as "ui: legacy_html_escape_form_data() was not escaping keys only data elements." | ||||
| CVE-2022-4979 | 1 Sitecore | 4 Cms, Experience Platform, Managed Cloud and 1 more | 2026-03-23 | N/A |
| A cross-site scripting (XSS) vulnerability exists in Sitecore Experience Platform (XP) 7.5 - 10.2 and CMS 7.2 - 7.2 Update-6 that may allow authenticated Sitecore Shell users to be tricked into executing custom JS code. Managed Cloud Standard customers who run the affected Sitecore Experience Platform / CMS versions are also affected. | ||||
| CVE-2019-25291 | 1 Inim | 1 Smartliving Smartlan | 2026-03-23 | 7.5 High |
| INIM Electronics Smartliving SmartLAN/G/SI <=6.x contains hard-coded credentials in its Linux distribution image that cannot be changed through normal device operations. Attackers can exploit these persistent credentials to log in and gain unauthorized system access across multiple SmartLiving device models. | ||||
| CVE-2026-20162 | 1 Splunk | 3 Splunk, Splunk Cloud Platform, Splunk Enterprise | 2026-03-23 | 6.3 Medium |
| In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.9, and Splunk Cloud Platform versions below 10.2.2510.4, 10.1.2507.15, 10.0.2503.11, and 9.3.2411.123, a low-privileged user who does not hold the "admin" or "power" Splunk roles could craft a malicious payload when creating a View (Settings - User Interface - Views) at the `/manager/launcher/data/ui/views/_new` endpoint leading to a Stored Cross-Site Scripting (XSS) through a path traversal vulnerability. This could result in execution of unauthorized JavaScript code in the browser of a user. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will. | ||||
| CVE-2024-42210 | 1 Hcltech | 1 Unica | 2026-03-23 | 7.6 High |
| A Stored cross-site scripting (XSS) vulnerability affects HCL Unica Marketing Operations v12.1.8 and lower. Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. | ||||
| CVE-2026-4165 | 1 Worksuite | 1 Hr, Crm And Project Management | 2026-03-23 | 2.4 Low |
| A vulnerability has been found in Worksuite HR, CRM and Project Management up to 5.5.25. The affected element is an unknown function of the file /account/orders/create. The manipulation of the argument Client Note leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2026-4166 | 1 Wavlink | 2 Wl-nu516u1, Wl-nu516u1 Firmware | 2026-03-23 | 3.5 Low |
| A vulnerability was found in Wavlink WL-NU516U1 240425. The impacted element is the function sub_404F68 of the file /cgi-bin/login.cgi. The manipulation of the argument homepage/hostname results in cross site scripting. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure. | ||||
| CVE-2026-4168 | 1 Tecnick | 1 Tcexam | 2026-03-23 | 2.4 Low |
| A vulnerability was identified in Tecnick TCExam 16.5.0. This impacts an unknown function of the file /admin/code/tce_edit_group.php of the component Group Handler. Such manipulation of the argument Name leads to cross site scripting. The attack may be launched remotely. The exploit is publicly available and might be used. The presence of this vulnerability remains uncertain at this time. The affected component should be upgraded. The vendor explained: "I was not able to reproduce the same exploit as the TCExam version was already advanced in the meanwhile." Therefore, it can be assumed that this issue got fixed in a later release. | ||||
| CVE-2026-4169 | 1 Tecnick | 1 Tcexam | 2026-03-23 | 2.4 Low |
| A security flaw has been discovered in Tecnick TCExam up to 16.6.0. Affected is the function F_xml_export_users of the file admin/code/tce_xml_users.php of the component XML Export. Performing a manipulation results in cross site scripting. Remote exploitation of the attack is possible. There are still doubts about whether this vulnerability truly exists. Upgrading to version 16.6.1 is able to address this issue. The patch is named 899b5b2fa09edfe16043f07265e44fe2022b7f12. It is suggested to upgrade the affected component. When the vendor was informed about another security issue, he identified and fixed this flaw during analysis. He doubts the impact of this: "However, this is difficult to justify as security issue. It requires to be administrator to both create and consume the exploit. Administrators can do pretty much anything in the platform, so I don't see the point of this from a security perspective." This is reflected by the CVSS vector. | ||||