Search Results (47133 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-15095 2026-04-15 3.5 Low
A security vulnerability has been detected in postmanlabs httpbin up to 0.6.1. This affects an unknown function of the file httpbin-master/httpbin/core.py. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
CVE-2025-64198 2 Appscreo, Wordpress 2 Easy Social Share Buttons, Wordpress 2026-04-15 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in appscreo Easy Social Share Buttons easy-social-share-buttons3 allows Reflected XSS.This issue affects Easy Social Share Buttons: from n/a through < 10.7.1.
CVE-2025-15505 1 Luxul 1 Xwr-600 2026-04-15 2.4 Low
A vulnerability was found in Luxul XWR-600 up to 4.0.1. The affected element is an unknown function of the component Web Administration Interface. The manipulation of the argument Guest Network/Wireless Profile SSID results in cross site scripting. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond with a technical statement.
CVE-2025-22270 1 Cyberark 1 Endpoint Privilege Manager 2026-04-15 N/A
An attacker with access to the Administration panel, specifically the "Role Management" tab, can inject code by adding a new role in the "name" field. It should be noted, however, that the risk of exploiting vulnerability is reduced due to the required additional error that allows bypassing the Content-Security-Policy policy, which mitigates JS code execution while still allowing HTML injection. This issue affects CyberArk Endpoint Privilege Manager in SaaS version 24.7.1. The status of other versions is unknown. After multiple attempts to contact the vendor we did not receive any answer.
CVE-2024-6783 2026-04-15 4.8 Medium
A vulnerability has been discovered in Vue, that allows an attacker to perform XSS via prototype pollution. The attacker could change the prototype chain of some properties such as `Object.prototype.staticClass` or `Object.prototype.staticStyle` to execute arbitrary JavaScript code.
CVE-2025-4983 2026-04-15 8.7 High
A stored Cross-site Scripting (XSS) vulnerability affecting City Referential in City Referential Manager on Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.
CVE-2025-53692 1 Sitecore 2 Experience Manager, Experience Platform 2026-04-15 7.1 High
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Cross-Site Scripting (XSS).This issue affects Sitecore Experience Manager (XM): from 9.2 through 10.4; Experience Platform (XP): from 9.2 through 10.4.
CVE-2024-13722 2026-04-15 5.4 Medium
The "NagVis" component within Checkmk is vulnerable to reflected cross-site scripting. An attacker can craft a malicious link that will execute arbitrary JavaScript in the context of the browser once clicked. The attack can be performed on both authenticated and unauthenticated users.
CVE-2025-4985 2026-04-15 8.7 High
A stored Cross-site Scripting (XSS) vulnerability affecting Risk Management in Project Portfolio Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.
CVE-2025-11360 1 Jakowenko 1 Double-take 2026-04-15 4.3 Medium
A vulnerability was detected in jakowenko double-take up to 1.13.1. The impacted element is the function app.use of the file api/src/app.js of the component API. The manipulation of the argument X-Ingress-Path results in cross site scripting. The attack can be executed remotely. Upgrading to version 1.13.2 is sufficient to resolve this issue. The patch is identified as e11de9dd6b4ea6b7ec9a5607a920d48961e9fa50. The affected component should be upgraded.
CVE-2024-51989 1 Apnotic Llc 1 Passwordpusher 2026-04-15 7.1 High
Password Pusher is an open source application to communicate sensitive information over the web. A cross-site scripting (XSS) vulnerability was identified in the PasswordPusher application, affecting versions `v1.41.1` through and including `v.1.48.0`. The issue arises from an un-sanitized parameter which could allow attackers to inject malicious JavaScript into the application. Users who self-host and have the login system enabled are affected. Exploitation of this vulnerability could expose user data, access to user sessions or take unintended actions on behalf of users. To exploit this vulnerability, an attacker would need to convince a user to click a malicious account confirmation link. It is highly recommended to update to version `v1.48.1` or later to mitigate this risk. There are no known workarounds for this vulnerability. ### Solution Update to version `v1.48.1` or later where input sanitization has been applied to the account confirmation process. If updating is not immediately possible,
CVE-2025-27793 2026-04-15 N/A
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 5.32.0, corresponding to vega-functions prior to version 5.17.0, users running Vega/Vega-lite JSON definitions could run unexpected JavaScript code when drawing graphs, unless the library was used with the `vega-interpreter`. Vega version 5.32.0 and vega-functions version 5.17.0 fix the issue. As a workaround, use `vega` with expression interpreter.
CVE-2024-4386 2026-04-15 6.4 Medium
The Gallery Block (Meow Gallery) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data_atts’ parameter in versions up to, and including, 5.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-10761 1 Harness 1 Harness 2026-04-15 3.7 Low
A vulnerability has been found in Harness 3.3.0. Affected is an unknown function of the file /api/v1/login of the component Login Endpoint. The manipulation leads to improper restriction of excessive authentication attempts. Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-41089 1 Xibosignage 1 Xibo 2026-04-15 N/A
Reflected Cross-Site Scripting (XSS) in Xibo CMS v4.1.2 from Xibo Signage, due to a lack of proper validation of user input. To exploit the vulnerability, the attacker must create a template in the 'Templates' section, then add an element that has the 'Configuration Name' field, such as the 'Clock' widget. Next, modify the 'Configuration Name' field in the left-hand section.
CVE-2024-5205 1 Naa986 1 Videojs Html5 Player 2026-04-15 6.4 Medium
The Videojs HTML5 Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's videojs_video shortcode in all versions up to, and including, 1.1.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-6447 1 Wordpress 1 Wordpress 2026-04-15 7.2 High
The FULL – Cliente plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the license plan parameter in all versions up to, and including, 3.1.12 due to insufficient input sanitization and output escaping as well as missing authorization and capability checks on the related functions. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that will execute whenever an administrative user accesses wp-admin dashboard
CVE-2025-49486 2026-04-15 N/A
A stored XSS vulnerability in the Balbooa Gallery plugin 1.0.0-2.4.0 for Joomla allows privileged users to store malicious scripts in gallery items.
CVE-2025-26127 1 Filecloud 1 Filecloud 2026-04-15 5 Medium
A stored cross-site scripting (XSS) vulnerability in the Send for Approval function of FileCloud v23.241.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVE-2025-41085 1 Apidog 1 Apidog Web Platform 2026-04-15 N/A
Stored Cross-Site Scripting (XSS) vulnerability type in Apidog in the version 2.7.15, where SVG image uploads are not properly sanitized. This allows attackers to embed malicious scripts in SVG files by sending a POST request to '/api/v1/user-avatar', which are then stored on the server and executed in the context of any user accessing the compromised resource.