Export limit exceeded: 351381 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 46001 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (46001 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-5005 | 1 Codesmade | 1 Autocomplete Location Field Contact Form 7 | 2025-05-07 | 4.8 Medium |
| The Autocomplete Location field Contact Form 7 WordPress plugin before 3.0, autocomplete-location-field-contact-form-7-pro WordPress plugin before 2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2023-49489 | 1 Kodcloud | 1 Kodexplorer | 2025-05-07 | 6.1 Medium |
| Reflective Cross Site Scripting (XSS) vulnerability in KodExplorer version 4.51, allows attackers to obtain sensitive information and escalate privileges via the APP_HOST parameter at config/i18n/en/main.php. | ||||
| CVE-2023-46344 | 2 Solar-log, Solar Log | 3 2000 Pm\+, 2000 Pm\+ Firmware, Base 15 Firmware | 2025-05-07 | 5.4 Medium |
| A vulnerability in Solar-Log Base 15 Firmware 6.0.1 Build 161, and possibly other Solar-Log Base products, allows an attacker to escalate their privileges by exploiting a stored cross-site scripting (XSS) vulnerability in the switch group function under /#ilang=DE&b=c_smartenergy_swgroups in the web portal. The vulnerability can be exploited to gain the rights of an installer or PM, which can then be used to gain administrative access to the web portal and execute further attacks. NOTE: The vendor states that this vulnerability has been fixed with 3.0.0-60 11.10.2013 for SL 200, 500, 1000 / not existing for SL 250, 300, 1200, 2000, SL 50 Gateway, SL Base. | ||||
| CVE-2022-38162 | 1 Withsecure | 1 F-secure Policy Manager | 2025-05-07 | 6.1 Medium |
| Reflected cross-site scripting (XSS) vulnerabilities in WithSecure through 2022-08-10) exists within the F-Secure Policy Manager due to an unvalidated parameter in the endpoint, which allows remote attackers to provide a malicious input. | ||||
| CVE-2022-35739 | 1 Paessler | 1 Prtg Network Monitor | 2025-05-07 | 5.3 Medium |
| PRTG Network Monitor through 22.2.77.2204 does not prevent custom input for a device’s icon, which can be modified to insert arbitrary content into the style tag for that device. When the device page loads, the arbitrary Cascading Style Sheets (CSS) data is inserted into the style tag, loading malicious content. Due to PRTG Network Monitor preventing “characters, and from modern browsers disabling JavaScript support in style tags, this vulnerability could not be escalated into a Cross-Site Scripting vulnerability. | ||||
| CVE-2024-53255 | 1 Boidcms | 1 Boidcms | 2025-05-07 | 5.4 Medium |
| BoidCMS is a free and open-source flat file CMS for building simple websites and blogs, developed using PHP and uses JSON as a database. In affected versions a reflected Cross-site Scripting (XSS) vulnerability exists in the /admin?page=media endpoint in the file parameter, allowing an attacker to inject arbitrary JavaScript code. This code could be used to steal the user's session cookie, perform phishing attacks, or deface the website. This issue has been addressed in version 2.1.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-48452 | 1 Adobe | 2 Experience Manager, Experience Manager Cloud Service | 2025-05-07 | 5.4 Medium |
| Adobe Experience Manager versions 6.5.18 and earlier are affected by a Cross-site Scripting (DOM-based XSS) vulnerability. If a low-privileged attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. | ||||
| CVE-2023-48538 | 1 Adobe | 2 Experience Manager, Experience Manager Cloud Service | 2025-05-07 | 5.4 Medium |
| Adobe Experience Manager versions 6.5.18 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | ||||
| CVE-2022-36783 | 1 Algosec | 1 Fireflow | 2025-05-07 | 6.5 Medium |
| AlgoSec – FireFlow Reflected Cross-Site-Scripting (RXSS) A malicious user injects JavaScript code into a parameter called IntersectudRule on the search/result.html page. The malicious user changes the request from POST to GET and sends the URL to another user (victim). JavaScript code is executed on the browser of the other user. | ||||
| CVE-2024-13381 | 1 Codepeople | 1 Calculated Fields Form | 2025-05-07 | 3.5 Low |
| The Calculated Fields Form WordPress plugin before 5.2.62 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2025-0709 | 1 Dcatadmin | 1 Dcat Admin | 2025-05-07 | 2.4 Low |
| A vulnerability was found in Dcat-Admin 2.2.1-beta. It has been rated as problematic. This issue affects some unknown processing of the file /admin/auth/roles of the component Roles Page. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-1749 | 1 Opencart | 1 Opencart | 2025-05-07 | 4.7 Medium |
| HTML injection vulnerabilities in OpenCart versions prior to 4.1.0. These vulnerabilities could allow an attacker to modify the HTML of the victim's browser by sending a malicious URL and modifying the parameter name in /account/voucher. | ||||
| CVE-2025-1748 | 1 Opencart | 1 Opencart | 2025-05-07 | 4.7 Medium |
| HTML injection vulnerabilities in OpenCart versions prior to 4.1.0. These vulnerabilities could allow an attacker to modify the HTML of the victim's browser by sending a malicious URL and modifying the parameter name in /account/register. | ||||
| CVE-2025-1747 | 1 Opencart | 1 Opencart | 2025-05-07 | 4.7 Medium |
| HTML injection vulnerabilities in OpenCart versions prior to 4.1.0. These vulnerabilities could allow an attacker to modify the HTML of the victim's browser by sending a malicious URL and modifying the parameter name in /account/login. | ||||
| CVE-2025-1746 | 1 Opencart | 1 Opencart | 2025-05-07 | 6.1 Medium |
| Cross-Site Scripting vulnerability in OpenCart versions prior to 4.1.0. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the search in the /product/search endpoint. This vulnerability could be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. | ||||
| CVE-2024-13569 | 1 Etoilewebdesign | 1 Front End Users | 2025-05-07 | 7.1 High |
| The Front End Users WordPress plugin through 3.2.32 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | ||||
| CVE-2024-13326 | 1 Ibuildapp | 1 Ibuildapp | 2025-05-07 | 6.1 Medium |
| The iBuildApp WordPress plugin through 0.2.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2025-45751 | 1 Senior-walter | 1 Web-based Pharmacy Product Management System | 2025-05-07 | 5.4 Medium |
| SourceCodester Web Based Pharmacy Product Management System 1.0 is vulnerable to Cross Site Scripting (XSS) in add-admin.php via the Fullname text field. | ||||
| CVE-2022-32407 | 1 Softr | 1 Softr | 2025-05-07 | 6.1 Medium |
| Softr v2.0 was discovered to contain a Cross-Site Scripting (XSS) vulnerability via the First Name parameter under the Create A New Account module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | ||||
| CVE-2024-13098 | 1 Megamindstechnologies | 1 Wordpress Email Newsletter | 2025-05-07 | 5.4 Medium |
| The WordPress Email Newsletter WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | ||||