Export limit exceeded: 46591 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (46591 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-0557 | 2026-04-15 | 4.3 Medium | ||
| A vulnerability classified as problematic has been found in Hyland Alfresco Community Edition and Alfresco Enterprise Edition up to 6.2.2. This affects an unknown part of the file /share/s/ of the component URL Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.0 is able to address this issue. It is recommended to upgrade the affected component. | ||||
| CVE-2025-24981 | 2026-04-15 | 9.3 Critical | ||
| MDC is a tool to take regular Markdown and write documents interacting deeply with a Vue component. In affected versions unsafe parsing logic of the URL from markdown can lead to arbitrary JavaScript code due to a bypass to the existing guards around the `javascript:` protocol scheme in the URL. The parsing logic implement in `props.ts` maintains a deny-list approach to filtering potential malicious payload. It does so by matching protocol schemes like `javascript:` and others. These security guards can be bypassed by an adversarial that provides JavaScript URLs with HTML entities encoded via hex string. Users who consume this library and perform markdown parsing from unvalidated sources could result in rendering vulnerable XSS anchor links. This vulnerability has been addressed in version 0.13.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2025-5301 | 2026-04-15 | 6.1 Medium | ||
| ONLYOFFICE Docs (DocumentServer) in versions equal and below 8.3.1 are affected by a reflected cross-site scripting (XSS) issue when opening files via the WOPI protocol. Attackers could inject malicious scripts via crafted HTTP POST requests, which are then reflected in the server's HTML response. | ||||
| CVE-2025-46812 | 1 Basecamp | 1 Trix | 2026-04-15 | N/A |
| Trix is a what-you-see-is-what-you-get rich text editor for everyday writing. Versions prior to 2.1.15 are vulnerable to XSS attacks when pasting malicious code. An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. This issue has been patched in version 2.1.15. | ||||
| CVE-2025-1529 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded lottie files in all versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-44449 | 2026-04-15 | 6.1 Medium | ||
| Cross Site Scripting vulnerability in Quorum onQ OS v.6.0.0.5.2064 allows a remote attacker to obtain sensitive information via the msg parameter in the Login page. | ||||
| CVE-2024-12457 | 2026-04-15 | 6.4 Medium | ||
| The Chat Support for Viber – Chat Bubble and Chat Button for Gutenberg, Elementor and Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'vchat' shortcode in all versions up to, and including, 1.7.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-52131 | 1 Xwiki | 1 Mocca Calendar | 2026-04-15 | 6.4 Medium |
| The Mocca Calendar application before 2.15 for XWiki allows XSS via the background or text color field. | ||||
| CVE-2024-4446 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Content Views – Post Grid & Filter, Recent Posts, Category Posts, & More (Gutenberg Blocks and Shortcode) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pagingType’ parameter in all versions up to, and including, 3.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-10890 | 2026-04-15 | 6.1 Medium | ||
| The WPAdverts – Classifieds Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.1.7. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-53528 | 1 Zmievsa | 1 Cadwyn | 2026-04-15 | 7.6 High |
| Cadwyn creates production-ready community-driven modern Stripe-like API versioning in FastAPI. In versions before 5.4.3, the version parameter of the "/docs" endpoint is vulnerable to a Reflected XSS (Cross-Site Scripting) attack. This XSS would notably allow an attacker to execute JavaScript code on a user's session for any application based on Cadwyn via a one-click attack. The vulnerability has been fixed in version 5.4.3. | ||||
| CVE-2023-7259 | 2026-04-15 | 2.4 Low | ||
| ** DISPUTED ** A vulnerability was found in zzdevelop lenosp up to 20230831. It has been classified as problematic. This affects an unknown part of the component Adduser Page. The manipulation of the argument username with the input <script>alert(1)</script> leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The associated identifier of this vulnerability is VDB-266127. NOTE: The vendor rejected the issue because he claims that XSS which require administrative privileges are not of any use for attackers. | ||||
| CVE-2024-12870 | 1 Infiniflow | 1 Ragflow | 2026-04-15 | N/A |
| A stored cross-site scripting (XSS) vulnerability exists in infiniflow/ragflow, affecting the latest commit on the main branch (cec2080). The vulnerability allows an attacker to upload HTML/XML files that can host arbitrary JavaScript payloads. These files are served with the 'application/xml' content type, which is automatically rendered by browsers. This can lead to the execution of arbitrary JavaScript in the context of the user's browser, potentially allowing attackers to steal cookies and gain unauthorized access to user files and resources. The vulnerability does not require authentication, making it accessible to anyone with network access to the instance. | ||||
| CVE-2022-26328 | 2026-04-15 | N/A | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText Performance Center on Windows allows Cross-Site Scripting (XSS).This issue affects Performance Center: 12.63. | ||||
| CVE-2025-60639 | 2026-04-15 | 6.5 Medium | ||
| Hardcoded credentials in gsigel14 ATLAS-EPIC commit f29312c (2025-05-26). | ||||
| CVE-2025-0930 | 2026-04-15 | 6.1 Medium | ||
| Reflected Cross-Site Scripting (XSS) in TeamCal Neo, version 3.8.2. This allows an attacker to execute malicious JavaScript code, after injecting code via the ‘abs’ parameter in ‘/teamcal/src/index.php’. | ||||
| CVE-2019-25323 | 1 Heatmiser | 1 Heatmiser Netmonitor | 2026-04-15 | 6.1 Medium |
| Heatmiser Netmonitor v3.03 contains an HTML injection vulnerability in the outputSetup.htm page that allows attackers to inject malicious HTML code through the outputtitle parameter. Attackers can craft specially formatted POST requests to the outputtitle parameter to execute arbitrary HTML and potentially manipulate the web interface's displayed content. | ||||
| CVE-2025-48095 | 2 Ays-pro, Wordpress | 2 Survey Maker, Wordpress | 2026-04-15 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ays Pro Survey Maker survey-maker allows Stored XSS.This issue affects Survey Maker: from n/a through <= 5.1.8.8. | ||||
| CVE-2025-25054 | 2026-04-15 | N/A | ||
| Movable Type contains a reflected cross-site scripting vulnerability in the user information edit page. When Multi-Factor authentication plugin is enabled and a user accesses a crafted page while logged in to the affected product, an arbitrary script may be executed on the web browser of the user. | ||||
| CVE-2022-25037 | 1 Wangeditor | 1 Wangeditor | 2026-04-15 | 5.4 Medium |
| An issue in wanEditor v4.7.11 and fixed in v.4.7.12 and v.5 was discovered to contain a cross-site scripting (XSS) vulnerability via the image upload function. | ||||