Export limit exceeded: 362577 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 47032 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (47032 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-25372 | 1 Opnsense | 1 Opnsense | 2026-03-05 | 6.1 Medium |
| OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation in the host parameter. Attackers can submit crafted payloads through POST requests to diag_traceroute.php to execute arbitrary JavaScript in the context of a user's browser session. | ||||
| CVE-2019-25371 | 1 Opnsense | 1 Opnsense | 2026-03-05 | 6.1 Medium |
| OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation in the host parameter. Attackers can submit crafted POST requests to the diag_ping.php endpoint with script payloads in the host parameter to execute arbitrary JavaScript in users' browsers. | ||||
| CVE-2019-25370 | 1 Opnsense | 1 Opnsense | 2026-03-05 | 6.1 Medium |
| OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input through multiple parameters. Attackers can send POST requests to interfaces_vlan_edit.php with script payloads in the tag, descr, or vlanif parameters to execute arbitrary JavaScript in users' browsers. | ||||
| CVE-2019-25369 | 1 Opnsense | 1 Opnsense | 2026-03-05 | 6.4 Medium |
| OPNsense 19.1 contains a stored cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attackers to inject persistent malicious scripts via the tunable parameter. Attackers can submit POST requests with script payloads that are stored and executed in the context of authenticated user sessions when the page is viewed. | ||||
| CVE-2019-25368 | 1 Opnsense | 1 Opnsense | 2026-03-05 | 5.4 Medium |
| OPNsense 19.1 contains multiple cross-site scripting vulnerabilities in the diag_backup.php endpoint that allow attackers to inject malicious scripts through multiple parameters including GDrive_GDriveEmail, GDrive_GDriveFolderID, GDrive_GDriveBackupCount, Nextcloud_url, Nextcloud_user, Nextcloud_password, Nextcloud_password_encryption, and Nextcloud_backupdir. Attackers can submit POST requests with script payloads in these parameters to execute arbitrary JavaScript in the context of authenticated administrator sessions. | ||||
| CVE-2019-25317 | 2 Kevinpapst, Kimai | 2 Kimai, Kimai | 2026-03-05 | 6.4 Medium |
| Kimai 2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into timesheet descriptions. Attackers can insert SVG-based XSS payloads in the description field to execute arbitrary JavaScript when the page is loaded and viewed by other users. | ||||
| CVE-2019-25312 | 1 Inoideas | 1 Inoerp | 2026-03-05 | 5.4 Medium |
| InoERP 0.7.2 contains a persistent cross-site scripting vulnerability in the comment section that allows unauthenticated attackers to inject malicious scripts. Attackers can submit comments with JavaScript payloads that execute in other users' browsers, potentially stealing cookies and session information. | ||||
| CVE-2019-25277 | 1 Iwt | 2 Facesentry Access Control System, Facesentry Access Control System Firmware | 2026-03-05 | 6.1 Medium |
| FaceSentry Access Control System 6.4.8 contains a cross-site scripting vulnerability in the 'msg' parameter of pluginInstall.php that allows attackers to inject malicious scripts. Attackers can exploit the unvalidated input to execute arbitrary JavaScript in victim browsers, potentially stealing authentication credentials and conducting phishing attacks. | ||||
| CVE-2025-15599 | 1 Cure53 | 1 Dompurify | 2026-03-05 | 6.1 Medium |
| DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags like </textarea> in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched. | ||||
| CVE-2025-14923 | 1 Ibm | 2 Websphere Application Server, Websphere Application Server Liberty | 2026-03-04 | 4.7 Medium |
| IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.2 IBM WebSphere Application Server Liberty could provide weaker than expected security when using the Security Utility when administering security settings. | ||||
| CVE-2024-55027 | 1 Weintek | 4 Cmt-3072xh2, Cmt-3072xh2 Firmware, Cmt3072xh and 1 more | 2026-03-04 | 7.5 High |
| Weintek cMT-3072XH2 easyweb v2.1.53, OS v20231011 was discovered to stroe credentials in plaintext in the component uac_temp.db. | ||||
| CVE-2022-50696 | 3 Linux, Microsoft, Sound4 | 23 Linux, Windows, Big Voice2 and 20 more | 2026-03-04 | 9.8 Critical |
| SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain hardcoded credentials embedded in server binaries that cannot be modified through normal device operations. Attackers can leverage these static credentials to gain unauthorized access to the device across Linux and Windows distributions without requiring user interaction. | ||||
| CVE-2025-44141 | 1 Backdropcms | 1 Backdrop Cms | 2026-03-04 | 6.1 Medium |
| A Cross-Site Scripting (XSS) vulnerability exists in the node creation form of Backdrop CMS 1.30. | ||||
| CVE-2025-52482 | 1 Chamilo | 1 Chamilo Lms | 2026-03-03 | 8.3 High |
| Chamilo is a learning management system. Prior to version 1.11.30, a Stored XSS vulnerability exists in the glossary function, enabling all users with the Teachers role to inject JavaScript malicious code against the administrator. This issue has been patched in version 1.11.30. | ||||
| CVE-2025-50186 | 1 Chamilo | 1 Chamilo Lms | 2026-03-03 | 4.8 Medium |
| Chamilo is a learning management system. Prior to version 1.11.30, a stored cross-site scripting (XSS) vulnerability exists due to insufficient sanitization of CSV filenames. An attacker can upload a maliciously named CSV file (e.g., <img src=q onerror=prompt(8)>.csv) that leads to JavaScript execution when viewed by administrators or users with access to import logs or file views. This issue has been patched in version 1.11.30. | ||||
| CVE-2023-4549 | 1 Wpdo | 1 Dologin Security | 2026-03-03 | 6.1 Medium |
| The DoLogin Security WordPress plugin before 3.7 does not properly sanitize IP addresses coming from the X-Forwarded-For header, which can be used by attackers to conduct Stored XSS attacks via WordPress' login form. | ||||
| CVE-2023-24001 | 1 Ylefebvre | 1 Modal Dialog | 2026-03-03 | 5.9 Medium |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Yannick Lefebvre Modal Dialog plugin <= 3.5.9 versions. | ||||
| CVE-2025-52468 | 1 Chamilo | 1 Chamilo Lms | 2026-03-03 | 8.8 High |
| Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importing user data from CSV files. This flaw occurs due to insufficient sanitization of user data, specifically in the "Last Name", "First Name", and "Username" fields. It allows attackers to inject a stored cross-site scripting (XSS) payload that is triggered when the user profile is viewed, potentially leading to malicious script execution in the context of the authenticated use. This issue has been patched in version 1.11.30. | ||||
| CVE-2025-52470 | 1 Chamilo | 1 Chamilo Lms | 2026-03-03 | 4.8 Medium |
| Chamilo is a learning management system. Prior to version 1.11.30, a stored cross-site scripting (XSS) vulnerability exists in the session_category_add.php script. The vulnerability is caused by improper sanitization of the Category Name field, allowing privileged users to inject persistent JavaScript payloads. The injected script is later executed when accessing add_many_sessions_to_category.php, potentially compromising administrative sessions. This issue has been patched in version 1.11.30. | ||||
| CVE-2025-52475 | 1 Chamilo | 1 Chamilo Lms | 2026-03-03 | 6.1 Medium |
| Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability in the admin/user_list.php endpoint. The keyword_inactive parameter is not properly sanitized, allowing attackers to inject malicious JavaScript through a crafted URL. This issue has been patched in version 1.11.30. | ||||