Export limit exceeded: 44591 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (44591 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-31823 | 1 Sylius | 1 Sylius | 2026-03-11 | 4.8 Medium |
| Sylius is an Open Source eCommerce Framework on Symfony. An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple places across the shop frontend and admin panel due to unsanitized entity names being rendered as raw HTML. Shop breadcrumbs (shared/breadcrumbs.html.twig): The breadcrumbs macro uses the Twig |raw filter on label values. Since taxon names, product names, and ancestor names flow directly into these labels, a malicious taxon name like <img src=x onerror=alert('XSS')> is rendered and executed as JavaScript on the storefront. Admin product taxon picker (ProductTaxonTreeController.js): The rowRenderer method interpolates ${name} directly into a template literal building HTML, allowing script injection through taxon names in the admin panel. Admin autocomplete fields (Tom Select): Dropdown items and options render entity names as raw HTML without escaping, allowing XSS through any autocomplete field displaying entity names. An authenticated administrator can inject arbitrary HTML or JavaScript via entity names (e.g. taxon name) that is persistently rendered for all users. The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above. | ||||
| CVE-2026-30830 | 1 Kepano | 1 Defuddle | 2026-03-11 | 6.1 Medium |
| Defuddle cleans up HTML pages. Prior to version 0.9.0, the _findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping. An attacker can use a " in the alt attribute to break out of the attribute context and inject event handler. This issue has been patched in version 0.9.0. | ||||
| CVE-2026-30972 | 2 Parse Community, Parseplatform | 2 Parse Server, Parse-server | 2026-03-11 | 7.5 High |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior o 9.5.2-alpha.10 and 8.6.23, Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint (/batch) processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. An attacker can bundle multiple requests targeting a rate-limited endpoint into a single batch request to circumvent the configured rate limit. Any Parse Server deployment that relies on the built-in rate limiting feature is affected. This vulnerability is fixed in 9.5.2-alpha.10 and 8.6.23. | ||||
| CVE-2026-30841 | 2 Ellite, Wallosapp | 2 Wallos, Wallos | 2026-03-11 | 6.1 Medium |
| Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, passwordreset.php outputs $_GET["token"] and $_GET["email"] directly into HTML input value attributes using <?= $token ?> and <?= $email ?> without calling htmlspecialchars(). This allows reflected XSS by breaking out of the attribute context. This issue has been patched in version 4.6.2. | ||||
| CVE-2026-29186 | 2 Backstage, Linuxfoundation | 2 Backstage, Backstage Plugin-techdocs-node | 2026-03-11 | 7.7 High |
| Backstage is an open framework for building developer portals. Prior to version 1.14.3, this is a configuration bypass vulnerability that enables arbitrary code execution. The @backstage/plugin-techdocs-node package uses an allowlist to filter dangerous MkDocs configuration keys during the documentation build process. A gap in this allowlist allows attackers to craft an mkdocs.yml that causes arbitrary Python code execution, completely bypassing TechDocs' security controls. This issue has been patched in version 1.14.3. | ||||
| CVE-2026-30948 | 2 Parse Community, Parseplatform | 2 Parse Server, Parse-server | 2026-03-11 | 5.4 Medium |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.4 and 8.6.17, a stored cross-site scripting (XSS) vulnerability allows any authenticated user to upload an SVG file containing JavaScript. The file is served inline with Content-Type: image/svg+xml and without protective headers, causing the browser to execute embedded scripts in the Parse Server origin. This can be exploited to steal session tokens from localStorage and achieve account takeover. The default fileExtensions option blocks HTML file extensions but does not block SVG, which is a well-known XSS vector. All Parse Server deployments where file upload is enabled for authenticated users (the default) are affected. This vulnerability is fixed in 9.5.2-alpha.4 and 8.6.17. | ||||
| CVE-2026-29175 | 1 Craftcms | 2 Commerce, Craft Commerce | 2026-03-11 | 5.4 Medium |
| Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Stored XSS vulnerabilities exist in the Commerce Inventory page. The Product Title, Variant Title, and Variant SKU fields are rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript when any user (including administrators) views the inventory management page. This vulnerability is fixed in 5.5.3. | ||||
| CVE-2026-29173 | 1 Craftcms | 2 Commerce, Craft Commerce | 2026-03-11 | 4.8 Medium |
| Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. This vulnerability is fixed in 4.10.2 and 5.5.3. | ||||
| CVE-2025-70846 | 1 Lty628 | 1 Aidigu | 2026-03-11 | 7.1 High |
| lty628 aidigu v1.9.1 is vulnerable to Cross Site Scripting (XSS) on the /tools/Password/add page in the input field password. | ||||
| CVE-2026-29176 | 1 Craftcms | 2 Commerce, Craft Commerce | 2026-03-11 | 4.8 Medium |
| Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, A stored XSS vulnerability exists in the Commerce Settings - Inventory Locations page. The Name field is rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript. This XSS triggers when an administrator (or user with product editing permissions) creates or edits a variant product. This vulnerability is fixed in 5.5.3. | ||||
| CVE-2026-29177 | 1 Craftcms | 2 Commerce, Craft Commerce | 2026-03-11 | 5.4 Medium |
| Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name. When a user opens the order details slideout via a double-click on the order index page, the injected payload executes. This vulnerability is fixed in 4.10.2 and 5.5.3. | ||||
| CVE-2026-30977 | 1 Lihaohong6 | 1 Renderblocking | 2026-03-11 | N/A |
| RenderBlocking is a MediaWiki extension that allows interface administrators to specify render-blocking CSS and JavaScript. Prior to 0.1.1, there is Stored XSS in renderblocking-css with Inline Assets mode. $wgRenderBlockingInlineAssets = true and editsitecss user rights are required. This vulnerability is fixed in 0.1.1. | ||||
| CVE-2026-2569 | 2 Dearhive, Wordpress | 2 Dear Flipbook – Pdf Flipbook, 3d Flipbook, Pdf Embed, Pdf Viewer, Wordpress | 2026-03-11 | 6.4 Medium |
| The Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via PDF page labels in all versions up to, and including, 2.4.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-41710 | 2 Janitza, Weidmueller | 4 Umg 96rm-e 230v(5222062), Umg 96rm-e 24v(5222063), Energy Meter 750-230 (2540910000) and 1 more | 2026-03-11 | 6.5 Medium |
| An unauthenticated remote attacker may use hardcodes credentials to get access to the previously activated FTP Server with limited read and write privileges. | ||||
| CVE-2025-70033 | 1 Sunbird-ed | 1 Sunbirded-portal | 2026-03-11 | 5.4 Medium |
| An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4. | ||||
| CVE-2025-13902 | 1 Schneider-electric | 2 Modicon Controllers M241/m251, Modicon Controllers M258/lmc058 | 2026-03-11 | N/A |
| CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause condition where authenticated attackers can have a victim’s browser run arbitrary JavaScript when the victim hovers over a maliciously crafted element on a web server containing the injected payload. | ||||
| CVE-2025-36173 | 1 Ibm | 2 Infosphere Data Architect, Infosphere Data Replication | 2026-03-11 | 6.1 Medium |
| Affected Product(s)Version(s)InfoSphere Data Architect9.2.1 | ||||
| CVE-2025-13957 | 1 Schneider-electric | 1 Struxureware Data Center Expert | 2026-03-11 | N/A |
| CWE-798: Use of Hard-coded Credentials vulnerability exists that could cause information disclosure and remote code execution when SOCKS Proxy is enabled, and administrator credentials and PostgreSQL database credentials are known. SOCKS Proxy is disabled by default. | ||||
| CVE-2025-70025 | 1 Benkeen | 1 Generatedata | 2026-03-11 | 6.1 Medium |
| An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in benkeen generatedata 4.0.14. | ||||
| CVE-2026-1261 | 2 Wordpress, Wpmet | 2 Wordpress, Metform Pro | 2026-03-11 | 7.2 High |
| The MetForm Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Quiz feature in all versions up to, and including, 3.9.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||