Export limit exceeded: 44642 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (44642 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-26370 | 2 Ays-pro, Wordpress | 2 Survey Maker, Wordpress | 2026-02-23 | N/A |
| WordPress Plugin "Survey Maker" versions 5.1.7.7 and prior contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed in the user's web browser. | ||||
| CVE-2026-2486 | 2 Litonice13, Wordpress | 2 Master Addons For Elementor – White Label, Free Widgets, Hover Effects, Conditions, & Animations, Wordpress | 2026-02-23 | 6.4 Medium |
| The Master Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ma_el_bh_table_btn_text' parameter in versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-24948 | 2 Fox-themes, Wordpress | 2 Reflector, Wordpress | 2026-02-23 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fox-themes Reflector reflector-plugins allows Reflected XSS.This issue affects Reflector: from n/a through <= 1.2.2. | ||||
| CVE-2026-24955 | 2 Fox-themes, Wordpress | 2 Whizz Plugins, Wordpress | 2026-02-23 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fox-themes Whizz Plugins whizz-plugins allows Reflected XSS.This issue affects Whizz Plugins: from n/a through <= 1.9. | ||||
| CVE-2026-27502 | 2 Radioinorr, Sa2blv | 2 Svxportal, Svxportal | 2026-02-23 | 6.1 Medium |
| SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in log.php via the search query parameter. The application embeds the unsanitized parameter value directly into an HTML input value attribute, allowing an unauthenticated remote attacker to inject and execute arbitrary JavaScript in a victim's browser if the victim visits a crafted URL. This can be used to steal session data, perform actions as the victim, or modify displayed content. | ||||
| CVE-2026-27503 | 2 Radioinorr, Sa2blv | 2 Svxportal, Svxportal | 2026-02-23 | 6.1 Medium |
| SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in admin/log.php via the search query parameter. When an authenticated administrator views a crafted URL, the application embeds the unsanitized parameter value directly into an HTML input value attribute, allowing attacker-supplied JavaScript to execute in the administrator's browser. This can enable session theft, administrative action forgery, or other browser-based compromise in the context of an admin user. | ||||
| CVE-2026-27504 | 2 Radioinorr, Sa2blv | 2 Svxportal, Svxportal | 2026-02-23 | 6.1 Medium |
| SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in radiomobile_front.php via the stationid query parameter. When an authenticated administrator views a crafted URL, the application embeds the unsanitized parameter value into a hidden input value field, allowing attacker-supplied script injection and execution in the administrator's browser. This can be used to compromise admin sessions or perform unauthorized actions via the administrator's authenticated context. | ||||
| CVE-2026-27505 | 2 Radioinorr, Sa2blv | 2 Svxportal, Svxportal | 2026-02-23 | 6.1 Medium |
| SVXportal version 2.5 and prior contain a stored cross-site scripting vulnerability in the user registration workflow (index.php submitting to admin/user_action.php). User-supplied fields such as Firstname, lastname, and email are stored in the backend database without adequate output encoding and are later rendered in the administrator interface (admin/users.php), allowing an unauthenticated remote attacker to inject arbitrary JavaScript that executes in an administrator's browser upon viewing the affected page. | ||||
| CVE-2026-27506 | 2 Radioinorr, Sa2blv | 2 Svxportal, Svxportal | 2026-02-23 | 6.1 Medium |
| SVXportal version 2.5 and prior contain a stored cross-site scripting vulnerability in the user profile update workflow (user_settings.php submitting to admin/update_user.php). Authenticated users can store malicious HTML/JavaScript in fields such as Firstname, lastname, email, and image_url, which are later rendered without adequate output encoding in the administrator interface (admin/users.php), resulting in JavaScript execution in an administrator's browser when the affected page is viewed. | ||||
| CVE-2025-67304 | 1 Commscope | 1 Ruckus Network Director | 2026-02-23 | 9.8 Critical |
| In Ruckus Network Director (RND) < 4.5.0.54, the OVA appliance contains hardcoded credentials for the ruckus PostgreSQL database user. In the default configuration, the PostgreSQL service is accessible over the network on TCP port 5432. An attacker can use the hardcoded credentials to authenticate remotely, gaining superuser access to the database. This allows creation of administrative users for the web interface, extraction of password hashes, and execution of arbitrary OS commands. | ||||
| CVE-2022-40011 | 1 Typora | 1 Typora | 2026-02-23 | 6.1 Medium |
| Typora through 1.3.8 allows XSS if a document containing an SVG element with an attacker-controlled onload attribute is exported and then used at a victim's origin. | ||||
| CVE-2021-41810 | 1 M-files | 1 Server | 2026-02-23 | 5.2 Medium |
| Script injection in M-Files Admin versions before 22.2.11051.0, allows executing stored script in admin tool. M-Files Admin tool allows storing configuration data with script which may then get run by another vault administrator. Requires vault admin level authentication and is not remotely exploitable | ||||
| CVE-2025-9826 | 1 M-files | 2 Hubshare, M-files | 2026-02-23 | 5.4 Medium |
| Stored cross-site scripting vulnerability in M-Files Hubshare before version 25.8 allows authenticated attackers to cause script execution for other users. | ||||
| CVE-2025-3087 | 1 M-files | 1 M-files Web | 2026-02-23 | 5.4 Medium |
| Stored XSS in M-Files Web versions from 25.1.14445.5 to 25.2.14524.4 allows an authenticated user to run scripts | ||||
| CVE-2025-2159 | 2026-02-23 | N/A | ||
| Stored XSS in Desktop UI in M-Files Server Admin tool before version 25.3.14681.7 on Windows allows authenticated local user to run scripts via UI | ||||
| CVE-2024-9174 | 1 M-files | 1 Hubshare | 2026-02-23 | 5.4 Medium |
| Stored HTML Injection in Social Module in M-Files Hubshare before version 5.0.8.6 allows authenticated user to spoof UI | ||||
| CVE-2024-6881 | 1 M-files | 1 Hubshare | 2026-02-23 | 5.4 Medium |
| Stored XSS in M-Files Hubshare versions before 5.0.6.0 allows an authenticated attacker to execute arbitrary JavaScript in user's browser session | ||||
| CVE-2024-6124 | 1 M-files | 1 Hubshare | 2026-02-23 | 5.4 Medium |
| Reflected XSS in M-Files Hubshare before version 5.0.6.0 allows an attacker to execute arbitrary JavaScript code in the context of the victim's browser session | ||||
| CVE-2024-5142 | 1 M-files | 1 Hubshare | 2026-02-23 | 5.4 Medium |
| Stored Cross-Site Scripting vulnerability in Social Module in M-Files Hubshare before version 5.0.6.0 allows authenticated attacker to run scripts in other users browser | ||||
| CVE-2026-2825 | 1 Rachelos | 1 Werss We-mp-rss | 2026-02-23 | 3.5 Low |
| A vulnerability has been found in rachelos WeRSS we-mp-rss up to 1.4.8. This impacts the function fix_html of the file tools/fix.py of the component Article Module. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||