Export limit exceeded: 45824 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (45824 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-4668 | 2 Celomitan, Wordpress | 2 Gum Elementor Addon, Wordpress | 2026-04-15 | 6.4 Medium |
| The Gum Elementor Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Price Table and Post Slider widgets in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-11723 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| The kvCORE IDX plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via any parameter on pages with the kvcoreidx_listings_sitemap_ranges, kvcoreidx_listings_sitemap_page, kvcoreidx_agent_profile_sitemap, or kvcoreidx_agent_profile shortcode present in all versions up to, and including, 2.3.35 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-37063 | 2026-04-15 | 7.8 High | ||
| A cross-site scripting (XSS) vulnerability in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library allows for payloads to be run when a maliocusly crafted report is viewed in the browser. | ||||
| CVE-2024-22397 | 2026-04-15 | 8.3 High | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in the SonicOS SSLVPN portal allows a remote authenticated attacker as a firewall 'admin' user to store and execute arbitrary JavaScript code. | ||||
| CVE-2024-37166 | 2026-04-15 | 8.9 High | ||
| ghtml is software that uses tagged templates for template engine functionality. It is possible to introduce user-controlled JavaScript code and trigger a Cross-Site Scripting (XSS) vulnerability in some cases. Version 2.0.0 introduces changes to mitigate this issue. Version 2.0.0 contains updated documentation to clarify that while ghtml escapes characters with special meaning in HTML, it does not provide comprehensive protection against all types of XSS attacks in every scenario. This aligns with the approach taken by other template engines. Developers should be cautious and take additional measures to sanitize user input and prevent potential vulnerabilities. Additionally, the backtick character (`) is now also escaped to prevent the creation of strings in most cases where a malicious actor somehow gains the ability to write JavaScript. This does not provide comprehensive protection either. | ||||
| CVE-2024-37178 | 2026-04-15 | 5 Medium | ||
| SAP Financial Consolidation does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. These endpoints are exposed over the network. The vulnerability can exploit resources beyond the vulnerable component. On successful exploitation, an attacker can cause limited impact to confidentiality of the application. | ||||
| CVE-2024-2259 | 2026-04-15 | N/A | ||
| This vulnerability exists in InstaRISPACS software due to insufficient validation of user supplied input for the loginTo parameter in user login module of the web interface of the application. A remote attacker could exploit this vulnerability by sending a specially crafted input to the vulnerable parameter to perform reflected Cross Site Scripting (XSS) attacks on the targeted system. | ||||
| CVE-2025-2069 | 2026-04-15 | 5 Medium | ||
| A cross-site scripting vulnerability was reported in the FileZ client that could allow execution of code if a crafted url is visited by a local user. | ||||
| CVE-2024-9116 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Monkee-Boy Essentials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | ||||
| CVE-2024-9207 | 2026-04-15 | 6.1 Medium | ||
| The BuddyPress Docs plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.2.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-5881 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Webico Slider Flatsome Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wbc_image shortcode in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-32733 | 1 Sap | 1 Netweaver | 2026-04-15 | 6.1 Medium |
| Due to missing input validation and output encoding of untrusted data, SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to inject malicious JavaScript code into the dynamically crafted web page. On successful exploitation the attacker can access or modify sensitive information with no impact on availability of the application | ||||
| CVE-2024-3951 | 2026-04-15 | 7.1 High | ||
| PTC Codebeamer is vulnerable to a cross site scripting vulnerability that could allow an attacker to inject and execute malicious code. | ||||
| CVE-2024-3952 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Advanced Ad widget in all versions up to, and including, 1.52.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-2295 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Contact Form Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [xyz-cfm-form] shortcode in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-2306 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Revslider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via svg upload in all versions up to, and including, 6.6.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, this can only be exploited by administrators, but the ability to use and configure revslider can be extended to authors. | ||||
| CVE-2024-37247 | 2026-04-15 | 6.5 Medium | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in twinpictures, baden03 jQuery T(-) Countdown Widget allows Stored XSS.This issue affects jQuery T(-) Countdown Widget: from n/a through 2.3.25. | ||||
| CVE-2024-23189 | 2026-04-15 | 5.4 Medium | ||
| Embedded content references at tasks could be used to temporarily execute script code in the context of the users browser session. To exploit this an attacker would require temporary access to the users account, access to another account within the same context or an successful social engineering attack to make users import external content. Attackers could perform malicious API requests or extract information from the users account. Please deploy the provided updates and patch releases. Sanitization of user-generated content has been improved. No publicly available exploits are known. | ||||
| CVE-2024-23190 | 2026-04-15 | 5.4 Medium | ||
| Upsell shop information of an account can be manipulated to execute script code in the context of the users browser session. To exploit this an attacker would require temporary access to a users account or an successful social engineering attack to lure users to maliciously configured accounts. Attackers could perform malicious API requests or extract information from the users account. Please deploy the provided updates and patch releases. Sanitization of user-defined upsell content has been improved. No publicly available exploits are known. | ||||
| CVE-2024-23191 | 2026-04-15 | 5.4 Medium | ||
| Upsell advertisement information of an account can be manipulated to execute script code in the context of the users browser session. To exploit this an attacker would require temporary access to a users account or an successful social engineering attack to lure users to maliciously configured accounts. Attackers could perform malicious API requests or extract information from the users account. Please deploy the provided updates and patch releases. Sanitization of user-defined upsell content has been improved. No publicly available exploits are known. | ||||