Export limit exceeded: 44667 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (44667 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-47977 | 1 Microsoft | 1 Nuance Digital Engagement Platform | 2026-02-20 | 8.2 High |
| Improper neutralization of input during web page generation ('cross-site scripting') in Nuance Digital Engagement Platform allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2025-64677 | 1 Microsoft | 2 Office Out-of-box Experience, Office Out Of-box Experience | 2026-02-20 | 8.2 High |
| Improper neutralization of input during web page generation ('cross-site scripting') in Office Out-of-Box Experience allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2025-64675 | 1 Microsoft | 2 Azure Cosmos Db, Cosmos Db | 2026-02-20 | 8.3 High |
| Improper neutralization of input during web page generation ('cross-site scripting') in Azure Cosmos DB allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2026-25516 | 1 Zauberzeug | 1 Nicegui | 2026-02-20 | 6.1 Medium |
| NiceGUI is a Python-based UI framework. The ui.markdown() component uses the markdown2 library to convert markdown content to HTML, which is then rendered via innerHTML. By default, markdown2 allows raw HTML to pass through unchanged. This means that if an application renders user-controlled content through ui.markdown(), an attacker can inject malicious HTML containing JavaScript event handlers. Unlike other NiceGUI components that render HTML (ui.html(), ui.chat_message(), ui.interactive_image()), the ui.markdown() component does not provide or require a sanitize parameter, leaving applications vulnerable to XSS attacks. This vulnerability is fixed in 3.7.0. | ||||
| CVE-2026-27094 | 2 Godaddy, Wordpress | 2 Coblocks, Wordpress | 2026-02-20 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GoDaddy CoBlocks coblocks allows Stored XSS.This issue affects CoBlocks: from n/a through <= 3.1.16. | ||||
| CVE-2026-27069 | 2 Pencidesign, Wordpress | 2 Soledad, Wordpress | 2026-02-20 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Soledad soledad allows DOM-Based XSS.This issue affects Soledad: from n/a through <= 8.7.2. | ||||
| CVE-2026-24392 | 2 Nabil Lemsieh, Wordpress | 2 Hurrytimer, Wordpress | 2026-02-20 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nabil Lemsieh HurryTimer hurrytimer allows Stored XSS.This issue affects HurryTimer: from n/a through <= 2.14.2. | ||||
| CVE-2026-25432 | 2 Omnipressteam, Wordpress | 2 Omnipress, Wordpress | 2026-02-20 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in omnipressteam Omnipress omnipress allows Stored XSS.This issue affects Omnipress: from n/a through <= 1.6.7. | ||||
| CVE-2026-25463 | 2 Wordpress, Wpestate | 2 Wordpress, Wpresidence Core | 2026-02-20 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WpEstate Wpresidence Core wpresidence-core allows Stored XSS.This issue affects Wpresidence Core: from n/a through <= 5.4.0. | ||||
| CVE-2025-14445 | 2 Le Van Toan, Wordpress | 2 Image Hotspot By Devvn, Wordpress | 2026-02-19 | 6.4 Medium |
| The Image Hotspot by DevVN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hotspot_content' custom field meta in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-1373 | 2 Lawsonry, Wordpress | 2 Easy Author Image, Wordpress | 2026-02-19 | 6.4 Medium |
| The Easy Author Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'author_profile_picture_url' parameter in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-13981 | 2 Artificial Intelligence Project, Drupal | 2 Artificial Intelligence, Ai | 2026-02-19 | 4.4 Medium |
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI (Artificial Intelligence) allows Cross-Site Scripting (XSS).This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.7, from 1.1.0 before 1.1.7, from 1.2.0 before 1.2.4. | ||||
| CVE-2026-0561 | 2 Paultgoodchild, Wordpress | 2 Shield: Blocks Bots, Protects Users, And Prevents Security Breaches, Wordpress | 2026-02-19 | 6.1 Medium |
| The Shield Security plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'message' parameter in all versions up to, and including, 21.0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-14452 | 2 Bompus, Wordpress | 2 Wp Customer Reviews, Wordpress | 2026-02-19 | 7.2 High |
| The WP Customer Reviews plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpcr3_fname' parameter in all versions up to, and including, 3.7.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2026-1044 | 2 Renoiriii, Wordpress | 2 Tennis Court Bookings, Wordpress | 2026-02-19 | 4.4 Medium |
| The Tennis Court Bookings plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2026-0549 | 2 Itthinx, Wordpress | 2 Groups, Wordpress | 2026-02-19 | 6.4 Medium |
| The Groups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'groups_group_info' shortcode in all versions up to, and including, 3.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-69749 | 2 Otale, Tale Project | 2 Tale Blog, Tale | 2026-02-19 | 6.1 Medium |
| Cross Site Scripting vulnerability in tale v.2.0.5 allows an attacker to execute arbitrary code. | ||||
| CVE-2025-14076 | 2 Icount, Wordpress | 2 Ixml – Google Xml Sitemap Generator, Wordpress | 2026-02-19 | 6.1 Medium |
| The iXML – Google XML sitemap generator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'iXML_email' parameter in all versions up to, and including, 0.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2026-1043 | 2 Gagan0123, Wordpress | 2 Postmarkapp Email Integrator, Wordpress | 2026-02-19 | 4.4 Medium |
| The PostmarkApp Email Integrator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in versions up to, and including, 2.4. This is due to insufficient input sanitization and output escaping on the pma_api_key and pma_sender_address parameters. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the settings page. | ||||
| CVE-2025-13738 | 2 Magazine3, Wordpress | 2 Easy Table Of Contents, Wordpress | 2026-02-19 | 6.4 Medium |
| The Easy Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `ez-toc` shortcode in all versions up to, and including, 2.0.78 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||