Export limit exceeded: 46845 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (46845 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-42656 | 2 Wasiliy Strecker, Wordpress | 2 Contest Gallery, Wordpress | 2026-06-23 | 6.5 Medium |
| Subscriber Cross Site Scripting (XSS) in Contest Gallery <= 28.1.6 versions. | ||||
| CVE-2026-48871 | 2 Takashi Kitajima, Wordpress | 2 Mw Wp Form, Wordpress | 2026-06-23 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in MW WP Form <= 5.1.3 versions. | ||||
| CVE-2026-48876 | 2 Web Guy, Wordpress | 2 Stop Spammers, Wordpress | 2026-06-23 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Stop Spammers <= 2026.3 versions. | ||||
| CVE-2026-48966 | 2 Funnelkit, Wordpress | 2 Funnel Builder By Funnelkit, Wordpress | 2026-06-23 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Funnel Builder by FunnelKit <= 3.15.0.2 versions. | ||||
| CVE-2026-52702 | 2 Wordpress, Wp-buy | 2 Wordpress, Seo Redirection | 2026-06-23 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in SEO Redirection <= 9.17 versions. | ||||
| CVE-2026-48157 | 1 Slimphp | 1 Slim | 2026-06-23 | 6.1 Medium |
| Slim is a PHP micro framework that enables users to write simple web applications and APIs. In versions 4.4.0 through 4.15, if an application uses HttpException::setTitle() and/or setDescription() to include untrusted/request-derived data in the error title or description (e.g. "No products found matching '{$query}'."), an attacker could inject arbitrary HTML/JavaScript that executes in the victim's browser when they encounter an HTML error page generated by Slim. The vulnerability is present even with displayErrorDetails = false as the unescaped title and description are rendered on this error path. Built-in exceptions (HttpNotFoundException, HttpBadRequestException, etc.) ship plain-text defaults, so a vanilla Slim app with no user code is not exploitable. Only applications that feed untrusted data into setTitle() and/or setDescription() are affected. The issue has been fixed in 4.15.2. If developers are unable to immediately update their applications, they can work around this issue by avoiding passing untrusted/request-derived data into HttpException::setTitle() and setDescription() and using static, plain-text error copy instead. They should also register a custom error renderer (an ErrorRendererInterface implementation, or a subclass of HtmlErrorRenderer that escapes the title and description) for the HTML media type. | ||||
| CVE-2026-10093 | 2 Deepakkite, Wordpress | 2 Secure Client Portal And Private File Sharing Plugin – User Private Files, Wordpress | 2026-06-23 | 6.4 Medium |
| The File Sharing & Download Manager – User Private Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fldr_ttl' parameter in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-39437 | 2 Wordpress, Wpfactory | 2 Wordpress, Min Max Step Quantity Limits Manager For Woocommerce | 2026-06-23 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Min Max Step Quantity Limits Manager for WooCommerce <= 5.2.2 versions. | ||||
| CVE-2026-54191 | 2 Pods Framework, Wordpress | 2 Pods, Wordpress | 2026-06-23 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Pods <= 3.3.8 versions. | ||||
| CVE-2026-12425 | 1 Powerschool | 1 Employee Access Center | 2026-06-23 | N/A |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PowerSchool Employee Access Center allows Cross-Site Scripting (XSS). This issue affects Employee Access Center: 23.10. It is possible to add in javascript code after the login URL and have it be eval()'d in the page and execute in the context of the user. | ||||
| CVE-2026-48294 | 1 Adobe | 1 Adobe Acrobat Pdf Extension (chrome) | 2026-06-23 | 7.4 High |
| Adobe Acrobat PDF Extension (Chrome) versions 26.5.2.2 and earlier are affected by a UXSS-class cross-origin data disclosure vulnerability. An attacker could exploit this vulnerability to gain access to data regarding the victim's session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed. | ||||
| CVE-2025-69104 | 2 Jkdevstudio, Wordpress | 2 Qreatix, Wordpress | 2026-06-23 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Qreatix <= 1.9.4 versions. | ||||
| CVE-2026-56265 | 1 Crawl4ai | 1 Crawl4ai | 2026-06-23 | 9.8 Critical |
| Crawl4AI before 0.8.7 contains an authentication bypass vulnerability due to a hardcoded default JWT signing key in the Docker API server. Attackers who know the default key can forge valid authentication tokens for any user, bypassing authentication and gaining full access to protected functionality. | ||||
| CVE-2026-11746 | 1 Ly Corporation | 1 Central Dogma | 2026-06-23 | N/A |
| A vulnerability has been identified in centraldogma-server versions prior to 0.84.0, where enabling ZooKeeper replication without setting replication.secret causes the server to silently fall back to a hard-coded, publicly known secret. This default credential authenticates the embedded ZooKeeper ensemble, allowing an attacker with network access to read the full replication log or join the quorum and execute arbitrary replicated commands across the cluster. | ||||
| CVE-2026-50178 | 1 Angular | 2 Angular, Angular.ng-template | 2026-06-23 | N/A |
| The Angular Language Service VS Code Extension provides a rich editing experience for Angular templates. the client-side Angular Language Service VS Code extension configures the tooltip Markdown renderer with the isTrusted: true option (located in client/src/client.ts). This setting instructs VS Code to trust all rendered content it receives, which enables active elements such as command: URIs. However, the background Angular Language Server process fails to escape or sanitize brackets, raw links, and control characters from JSDoc strings before forwarding the hover Markdown content (located in server/src/handlers/hover.ts and server/src/text_render.ts). An attacker can leverage this behavior by crafting a project TypeScript or JavaScript file (or a third-party npm package dependency) containing a malicious JSDoc tooltip with an embedded active command link. When a developer hovers over the target symbol to render the tooltip and clicks the malicious link, the IDE executes the command sequence directly on the developer's host machine. Prior to 21.2.4, This vulnerability is fixed in 21.2.4. | ||||
| CVE-2026-56263 | 1 Crawl4ai | 1 Crawl4ai | 2026-06-23 | 6.1 Medium |
| Crawl4AI before 0.8.7 contains a stored cross-site scripting vulnerability in the monitor dashboard that renders crawl URLs and error messages via innerHTML without escaping. An attacker can submit a crafted crawl request with malicious markup that executes in an operator's browser when viewing the dashboard. | ||||
| CVE-2026-10857 | 1 Akin | 1 E-commerce | 2026-06-23 | 6.1 Medium |
| Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in AKIN Software Computer Import Export Industry and Trade Ltd. E-Commerce allows Reflected XSS. This issue affects e-Commerce: before 1.25.01.06. | ||||
| CVE-2026-11772 | 1 Drimo | 1 Drimo Cms | 2026-06-23 | N/A |
| DRIMO CMS is vulnerable to Reflected XSS via q parameter in searching functionality. An attacker can prepare an URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. Product is in End Of Life phase and will not receive any updates. However, deleting info.php file mitigates the vulnerability, | ||||
| CVE-2026-34694 | 5 Adobe, Apple, Google and 2 more | 7 Adobe Experience Manager, Experience Manager, Iphone Os and 4 more | 2026-06-23 | 4.8 Medium |
| Adobe Experience Manager Forms JEE versions LTS SP1, 6.5.24.0 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | ||||
| CVE-2026-46547 | 2026-06-23 | 6.1 Medium | ||
| NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, a reflected XSS vulnerability exists in the Page Leaving Warning page. The ncRedirectUrl and ncBackUrl query parameters are used in window.location.href and <a> tag bindings without validation, allowing javascript: URI injection. This vulnerability is fixed in 2026.04.1. | ||||