Export limit exceeded: 45471 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (45471 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-59025 | 1 Open-xchange | 1 Ox App Suite | 2026-04-15 | 6.1 Medium |
| Malicious e-mail content can be used to execute script code. Unintended actions can be executed in the context of the users account, including exfiltration of sensitive information. Sanitization has been updated to avoid such bypasses. No publicly available exploits are known | ||||
| CVE-2025-59096 | 1 Dormakaba | 1 Kaba Exos 9300 | 2026-04-15 | N/A |
| The default password for the extended admin user mode in the application U9ExosAdmin.exe ("Kaba 9300 Administration") is hard-coded in multiple locations as well as documented in the locally stored user documentation. | ||||
| CVE-2025-59135 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eleopard Behance Portfolio Manager portfolio-manager-powered-by-behance allows Stored XSS.This issue affects Behance Portfolio Manager: from n/a through <= 1.7.5. | ||||
| CVE-2025-59332 | 1 3dalloy Project | 1 3dalloy | 2026-04-15 | 8.6 High |
| 3DAlloy is a lightWeight 3D-viewer for MediaWiki. From 1.0 through 1.8, the <3d> parser tag and the {{#3d}} parser function allow users to provide custom attributes that are then appended to the canvas HTML element that is being output by the extension. The attributes are not sanitized, which means that arbitrary JavaScript can be inserted and executed. | ||||
| CVE-2024-5380 | 2026-04-15 | 3.5 Low | ||
| A vulnerability classified as problematic has been found in jsy-1 short-url 1.0.0. Affected is an unknown function of the file admin.php. The manipulation of the argument url leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 2.0.0 is able to address this issue. The name of the patch is 35c790897d6979392bc6f60707fc32da13a98b63. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-266292. | ||||
| CVE-2025-7920 | 2026-04-15 | 6.1 Medium | ||
| WinMatrix3 Web package developed by Simopro Technology has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks. | ||||
| CVE-2025-14063 | 2 Seomantis, Wordpress | 2 Seo Links Interlinking, Wordpress | 2026-04-15 | 6.1 Medium |
| The SEO Links Interlinking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'google_error' parameter in all versions up to, and including, 1.7.9.9.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-59574 | 2 Wordpress, Wptravelengine | 2 Wordpress, Wp Travel Engine | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Travel Engine WP Travel Engine wte-elementor-widgets allows Stored XSS.This issue affects WP Travel Engine: from n/a through <= 1.4.2. | ||||
| CVE-2025-59583 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Filter Everything penci-filter-everything allows DOM-Based XSS.This issue affects Penci Filter Everything: from n/a through < 1.7. | ||||
| CVE-2025-59587 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Shortcodes & Performance penci-shortcodes allows DOM-Based XSS.This issue affects Penci Shortcodes & Performance: from n/a through < 6.1. | ||||
| CVE-2025-59592 | 3 Elementor, Fernando Acosta, Wordpress | 3 Elementor, Make Column Clickable Elementor, Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fernando Acosta Make Column Clickable Elementor make-column-clickable-elementor allows Stored XSS.This issue affects Make Column Clickable Elementor: from n/a through <= 1.6.0. | ||||
| CVE-2025-5967 | 2026-04-15 | N/A | ||
| A stored cross-site scripting vulnerability in ENS HX 10.0.4 allows a malicious user to inject arbitrary HTML into the ENS HX Malware Scan Name field, resulting in the exposure of sensitive data. | ||||
| CVE-2024-32472 | 1 Excalidraw | 1 Excalidraw | 2026-04-15 | 6.1 Medium |
| excalidraw is an open source virtual hand-drawn style whiteboard. A stored XSS vulnerability in Excalidraw's web embeddable component. This allows arbitrary JavaScript to be run in the context of the domain where the editor is hosted. There were two vectors. One rendering untrusted string as iframe's `srcdoc` without properly sanitizing against HTML injection. Second by improperly sanitizing against attribute HTML injection. This in conjunction with allowing `allow-same-origin` sandbox flag (necessary for several embeds) resulted in the XSS. This vulnerability is fixed in 0.17.6 and 0.16.4. | ||||
| CVE-2024-53818 | 2026-04-15 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPXPO PostX ultimate-post.This issue affects PostX: from n/a through <= 4.1.15. | ||||
| CVE-2025-4986 | 2026-04-15 | 8.7 High | ||
| A stored Cross-site Scripting (XSS) vulnerability affecting Model Definition in Product Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session. | ||||
| CVE-2025-7399 | 2 Muffingroup, Wordpress | 2 Betheme, Wordpress | 2026-04-15 | 6.4 Medium |
| The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via an Elementor display setting in all versions up to, and including, 28.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-7400 | 2 Fifu, Wordpress | 2 Featured Image From Url, Wordpress | 2026-04-15 | 6.4 Medium |
| The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a post's Featured Image custom fields in all versions up to, and including, 5.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially fixed in version 5.2.2. | ||||
| CVE-2025-13667 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The WP Recipe Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Skill Level' input field in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-55890 | 1 Man-group | 1 Dtale | 2026-04-15 | N/A |
| D-Tale is a visualizer for pandas data structures. Prior to version 3.16.1, users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.16.1 where the `update-settings` endpoint blocks the ability for users to update the `enable_custom_filters` flag. The only workaround for versions earlier than 3.16.1 is to only host D-Tale to trusted users. | ||||
| CVE-2025-7781 | 2 Wordpress, Wp-jobhunt Project | 3 Wordpress, Wordpress Mu, Wp-jobhunt | 2026-04-15 | 6.4 Medium |
| The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to Stored Cross-Site Scripting via the ‘cs_job_title’ parameter in all versions up to, and including, 7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Candidate-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||