Search Results (45595 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2026-2154 | Pamzey, Patrick Mvuma, Sourcecodester | Patients Waiting Area Queue Management System, Patients Waiting Area Queue Management System, Patients Waiting Area Queue Management System | 2026-04-17 | 4.3 Medium | A vulnerability was identified in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Impacted is an unknown function of the file /registration.php of the component Patient Registration Module. The manipulation of the argument First Name leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. |
| CVE-2026-35600 | Go-vikunja, Vikunja | Vikunja, Vikunja | 2026-04-17 | 5.4 Medium | Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday (which allows <a> and <img> tags), injected Markdown constructs produce phishing links and tracking pixels in legitimate notification emails. This vulnerability is fixed in 2.3.0. |
| CVE-2026-2201 | Zerowdd | Studentmanager | 2026-04-17 | 2.4 Low | A security vulnerability has been detected in ZeroWdd studentmanager up to 2151560fc0a50ec00426785ec1e01a3763b380d9. This impacts the function addLeave of the file src/main/java/com/wdd/studentmanager/controller/LeaveController.java. The manipulation of the argument Reason for Leave leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The code repository of the project has not been active for many years. |
| CVE-2026-2214 | Code-projects, Fabian | For Plugin, Online Music Site | 2026-04-17 | 2.4 Low | A weakness has been identified in code-projects for Plugin 1.0. This affects an unknown part of the file /Administrator/PHP/AdminAddAlbum.php. This manipulation of the argument txtalbum causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. |
| CVE-2026-2222 | Code-projects, Fabian | Online Reviewer System, Online Reviewer System | 2026-04-17 | 2.4 Low | A weakness has been identified in code-projects Online Reviewer System 1.0. Affected by this vulnerability is an unknown functionality of the file /system/system/admins/manage/users/btn_functions.php. Executing a manipulation of the argument firstname can lead to cross site scripting. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. |
| CVE-2026-25847 | Jetbrains | Pycharm | 2026-04-17 | 8.2 High | In JetBrains PyCharm before 2025.3.2, a DOM-based XSS on the Jupyter viewer page was possible. |
| CVE-2026-1959 | Loggro Pymes | Loggro Pymes | 2026-04-17 | N/A | Stored Cross-Site Scripting (XSS) vulnerability in Loggro Pymes, via the 'descripción' parameter in the '/loggrodemo/jbrain/MaestraCuentasBancarias' endpoint. |
| CVE-2026-1960 | Loggro Pymes | Loggro Pymes | 2026-04-17 | N/A | Stored Cross-Site Scripting (XSS) vulnerability in Loggro Pymes, via the 'Facebook' parameter in the '/loggrodemo/jbrain/ConsultaTerceros' endpoint. |
| CVE-2026-25491 | Craftcms | Craft Cms, Craftcms | 2026-04-17 | 4.8 Medium | Craft is a platform for creating digital experiences. From 5.0.0-RC1 to 5.8.21, Craft has a stored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list. This vulnerability is fixed in 5.8.22. |
| CVE-2026-32893 | Chamilo | Chamilo Lms | 2026-04-17 | 5.4 Medium | Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, a Reflected Cross-Site Scripting (XSS) vulnerability in the exercise question list admin panel allows an attacker to execute arbitrary JavaScript in an authenticated teacher's browser. The pagination code merges all $_GET parameters via array_merge() and outputs the result via http_build_query() directly into HTML href attributes without htmlspecialchars() encoding. This vulnerability is fixed in 2.0.0-RC.3. |
| CVE-2025-65734 | Gunet, Openeclass | Open Eclass, Openeclass | 2026-04-17 | 5.4 Medium | An authenticated arbitrary file upload vulnerability in the Courses/Work Assignments module of gunet Open eClass v3.11, fixed in v3.13, allows attackers to execute arbitrary code via uploading a crafted SVG file. |
| CVE-2026-24325 | Sap, Sap Se | Businessobjects Enterprise, Sap Businessobjects Enterprise (central Management Console) | 2026-04-17 | 4.8 Medium | SAP BusinessObjects Enterprise does not sufficiently encode user-controlled inputs, leading to a Stored Cross-Site Scripting (XSS) vulnerability. This enables an admin user to inject malicious JavaScript into a website, and the injected script gets executed when the user visits the compromised page. This vulnerability has low impact on confidentiality and integrity of the data. There is no impact on the availability of the application. |
| CVE-2026-2099 | Flowring | Agentflow | 2026-04-17 | 5.4 Medium | AgentFlow developed by Flowring has a Stored Cross-Site Scripting vulnerability, allowing authenticated remote attackers to inject persistent JavaScript code that is executed in users' browsers upon page load. |
| CVE-2026-27787 | Icz | Matcha Sns, Matchasns | 2026-04-17 | N/A | A cross-site scripting vulnerability exists in MATCHA SNS 1.3.9 and earlier. If this vulnerability is exploited, an arbitrary script may be executed in the web browser of a user who accesses the website using the product. |
| CVE-2026-26079 | Roundcube | Webmail | 2026-04-17 | 4.7 Medium | Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled. |
| CVE-2026-0595 | Gitlab | Gitlab | 2026-04-17 | 7.3 High | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.9 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an authenticated user to add unauthorized email addresses to victim accounts through HTML injection in test case titles. |
| CVE-2026-2337 | Plunet | Business Manager | 2026-04-17 | N/A | A vulnerability in Plunet BusinessManager allows session hijacking, data theft, and unauthorized actions on behalf of the user. This issue affects Plunet BusinessManager: 10.15.1. |
| CVE-2026-25759 | Statamic | Cms, Statamic | 2026-04-17 | 8.7 High | Statamic is a Laravel and Git powered content management system (CMS). From 6.0.0 to before 6.2.3, a stored XSS vulnerability in content titles allows authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. The malicious user must have an account with control panel access and content creation permissions. This vulnerability can be exploited to allow super admin accounts to be created. This has been fixed in 6.2.3. |
| CVE-2026-25935 | Go-vikunja, Vikunja | Vikunja, Vikunja | 2026-04-17 | 5.4 Medium | Vikunja is a todo-app to organize your life. Prior to 1.1.0, TaskGlanceTooltip.vue temporarily creates a div and sets its innerHTML to the task description. Since there is no escaping on either the server or client side, a malicious user can share a project, create a malicious task, and cause an XSS on hover. This vulnerability is fixed in 1.1.0. |
| CVE-2026-26023 | Dify, Langgenius | Dify, Dify | 2026-04-17 | 6.1 Medium | Dify is an open-source LLM app development platform. Prior to 1.13.0, a cross site scripting vulnerability was found in the web application chat frontend when using echarts. User or LLM inputs containing an echarts chart with a specific JavaScript payload will be executed. This vulnerability is fixed in 1.13.0. |