Export limit exceeded: 45767 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (45767 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-28120 | 1 Redhat | 1 Logging | 2026-04-15 | 5.3 Medium |
| There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input. | ||||
| CVE-2023-28362 | 1 Redhat | 1 Satellite | 2026-04-15 | 4 Medium |
| The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. | ||||
| CVE-2025-58765 | 2026-04-15 | 7.1 High | ||
| wabac.js provides a full web archive replay system, or 'wayback machine', using Service Workers. A Reflected Cross-Site Scripting (XSS) vulnerability exists in the 404 error handling logic of wabac.js v2.23.10 and below. The parameter `requestURL` (derived from the original request target) is directly embedded into an inline `<script>` block without sanitization or escaping. This allows an attacker to craft a malicious URL that executes arbitrary JavaScript in the victim’s browser. The scope may be limited by CORS policies, depending on the situation in which wabac.js is used. The vulnerability is fixed in wabac.js v2.23.11. | ||||
| CVE-2025-11962 | 1 Divvydrive | 1 Digital Corporate Warehouse | 2026-04-15 | 7.3 High |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in DivvyDrive Information Technologies Inc. Digital Corporate Warehouse allows Stored XSS.This issue affects Digital Corporate Warehouse: before v.4.8.2.22. | ||||
| CVE-2024-12529 | 2026-04-15 | 6.4 Medium | ||
| The brodos.net Onlineshop Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'BrodosCategory' shortcode in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-12701 | 2026-04-15 | 6.1 Medium | ||
| The WP Smart Import : Import any XML File to WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘ page’ parameter in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-27434 | 2026-04-15 | 8.8 High | ||
| Due to insufficient input validation, SAP Commerce (Swagger UI) allows an unauthenticated attacker to inject the malicious code from remote sources, which can be leveraged by an attacker to execute a cross-site scripting (XSS) attack. This could lead to a high impact on the confidentiality, integrity, and availability of data in SAP Commerce. | ||||
| CVE-2024-25662 | 2026-04-15 | 6.1 Medium | ||
| Oxygen XML Web Author v26.0.0 and older and Oxygen Content Fusion v6.1 and older are vulnerable to Cross-Site Scripting (XSS) for malicious URLs. | ||||
| CVE-2024-26367 | 2026-04-15 | 6.1 Medium | ||
| Cross Site Scripting vulnerability in Evertz microsystems MViP-II Firmware 8.6.5, XPS-EDGE-* Build 1467, evEDGE-EO-* Build 0029, MMA10G-* Build 0498, 570IPG-X19-10G Build 0691 allows a remote attacker to execute arbitrary code via a crafted payload to the login parameters. | ||||
| CVE-2024-27593 | 1 Eramba | 1 Eramba | 2026-04-15 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability in the Filter function of Eramba Version 3.22.3 Community Edition allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the filter name field. This vulnerability has been fixed in version 3.23.0. | ||||
| CVE-2024-34582 | 1 Sunhillo | 1 Sureline | 2026-04-15 | 6.1 Medium |
| Sunhillo SureLine through 8.10.0 on RICI 5000 devices allows cgi/usrPasswd.cgi userid_change XSS within the Forgot Password feature. | ||||
| CVE-2024-35621 | 2026-04-15 | 4.8 Medium | ||
| A cross-site scripting (XSS) vulnerability in the Edit function of Formwork before 1.13.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Content field. | ||||
| CVE-2024-35627 | 1 Tileserver | 1 Tileservergl | 2026-04-15 | 6.1 Medium |
| tileserver-gl up to v4.4.10 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /data/v3/?key. | ||||
| CVE-2025-32960 | 2026-04-15 | 6.4 Medium | ||
| The CUBA REST API add-on performs operations on data and entities. Prior to version 7.2.7, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser. For a successful attack, a malicious file needs to be uploaded beforehand. This issue has been patched in version 7.2.7. A workaround is provided on the Jmix documentation website. | ||||
| CVE-2025-50183 | 2026-04-15 | 6.5 Medium | ||
| OpenList Frontend is a UI component for OpenList. Prior to version 4.0.0-rc.4, a vulnerability exists in the file preview/browsing feature of the application, where files with a .py extension that contain JavaScript code wrapped in <script> tags may be interpreted and executed as HTML in certain modes. This leads to a stored XSS vulnerability. This issue has been patched in version 4.0.0-rc.4. | ||||
| CVE-2024-57790 | 2026-04-15 | 5.4 Medium | ||
| IXON B.V. IXrouter IX2400 (Industrial Edge Gateway) v3.0 was discovered to contain hardcoded root credentials stored in the non-volatile flash memory. This vulnerability allows physically proximate attackers to gain root access via UART or SSH. | ||||
| CVE-2025-27705 | 2026-04-15 | N/A | ||
| There is a cross-site scripting vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.53. Attackers with system administrator permissions can interfere with another system administrator’s use of the management console when the second administrator logs in. Attack complexity is high, attack requirements are present, privileges required are none, user interaction is required. The impact to confidentiality is low, the impact to availability is none, and the impact to system integrity is none. | ||||
| CVE-2025-11682 | 1 Perx Technologies | 1 Customer Engagement & Loyalty Platform | 2026-04-15 | N/A |
| Stored cross-site scripting (XSS) vulnerability in the LMT Dashboard of the Perx Customer Engagement & Loyalty Platform allows an authenticated attacker to execute arbitrary JavaScript code in a victim's browser. The vulnerability is due to improper sanitization of SVG file uploads. An attacker can upload a malicious SVG file containing a script payload to a campaign. When another user views this image on the public LMT microsite, the script executes, which can lead to session hijacking, data theft, or other unauthorized actions.This issue affects Customer Engagement & Loyalty Platform before 4.617.4. | ||||
| CVE-2022-3399 | 2026-04-15 | 4.4 Medium | ||
| The Cookie Notice & Compliance for GDPR / CCPA plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cookie_notice_options[refuse_code_head]' parameter in versions up to, and including, 2.4.17.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrative privileges and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected /wp-admin/admin.php?page=cookie-notice page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2025-25304 | 2026-04-15 | N/A | ||
| Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to version 5.26.0 of vega and 5.4.2 of vega-selections, the `vlSelectionTuples` function can be used to call JavaScript functions, leading to cross-site scripting.`vlSelectionTuples` calls multiple functions that can be controlled by an attacker, including one call with an attacker-controlled argument. This can be used to call `Function()` with arbitrary JavaScript and the resulting function can be called with `vlSelectionTuples` or using a type coercion to call `toString` or `valueOf`. Version 5.26.0 of vega and 5.4.2 of vega-selections fix this issue. | ||||