Search Results (47148 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-12251 1 Openwga 1 Openwga 2026-04-15 3.5 Low
A vulnerability has been found in OpenWGA 7.11.12 Build 737. This impacts an unknown function of the component Admin UI. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-12264 1 Wisencode 1 Wisencode 2026-04-15 3.5 Low
A security flaw has been discovered in Wisencode up to 20251012. Affected by this vulnerability is an unknown functionality of the file /support-ticket/create of the component Create Support Ticket Handler. The manipulation of the argument Message results in cross site scripting. The attack may be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-9158 1 Bestpractical 1 Request Tracker 2026-04-15 N/A
The Request Tracker software is vulnerable to a Stored XSS vulnerability in calendar invitation parsing feature, which displays invitation data without HTML sanitization. XSS vulnerability allows an attacker to send a specifically crafted e-mail enabling JavaScript code execution by displaying the ticket in the context of the logged-in user. This vulnerability affects versions from 5.0.4 through 5.0.8 and from 6.0.0 through 6.0.1.
CVE-2024-53484 1 Ever 1 Traduora 2026-04-15 8.8 High
Ever Traduora 0.20.0 and below is vulnerable to Privilege Escalation due to the use of a hard-coded JWT signing key.
CVE-2025-6595 1 Wikimedia 1 Multimediaviewer 2026-04-15 4.7 Medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MultimediaViewer.This issue affects MultimediaViewer: from * before 1.39.13, 1.42.7, 1.43.2, 1.44.0.
CVE-2025-26159 2026-04-15 6.1 Medium
Laravel Starter 11.11.0 is vulnerable to Cross Site Scripting (XSS) in the tags feature. Any user with the ability of create or modify tags can inject malicious JavaScript code in the name field.
CVE-2025-23026 2026-04-15 6.1 Medium
jte (Java Template Engine) is a secure and lightweight template engine for Java and Kotlin. In affected versions Jte HTML templates with `script` tags or script attributes that include a Javascript template string (backticks) are subject to XSS. The `javaScriptBlock` and `javaScriptAttribute` methods in the `Escape` class do not escape backticks, which are used for Javascript template strings. Dollar signs in template strings should also be escaped as well to prevent undesired interpolation. HTML templates rendered by Jte's `OwaspHtmlTemplateOutput` in versions less than or equal to `3.1.15` with `script` tags or script attributes that contain Javascript template strings (backticks) are vulnerable. Users are advised to upgrade to version 3.1.16 or later to resolve this issue. There are no known workarounds for this vulnerability.
CVE-2025-1983 2026-04-15 N/A
A cross-site scripting (XSS) vulnerability in Ready_'s File Explorer upload functionality allows injection of arbitrary JavaScript code in filename. Injected content is stored on server and is executed every time a user interacts with the uploaded file.
CVE-2024-11885 2026-04-15 6.4 Medium
The NinjaTeam Chat for Telegram plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'njtele_button shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-53569 2026-04-15 5.4 Medium
A stored cross-site scripting (XSS) vulnerability in the New Goal Creation section of Volmarg Personal Management System v1.4.65 allows authenticated attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the description parameter.
CVE-2024-4984 2 Wordpress, Yoast 2 Wordpress, Yoast Seo 2026-04-15 6.4 Medium
The Yoast SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘display_name’ author meta in all versions up to, and including, 22.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-11570 2026-04-15 4.6 Medium
Versions of the package drupal-pattern-lab/unified-twig-extensions from 0.0.0 are vulnerable to Cross-site Scripting (XSS) due to insufficient filtering of data. **Note:** This is exploitable only if the code is executed outside of Drupal; the function is intended to be shared between Drupal and Pattern Lab. The package drupal-pattern-lab/unified-twig-extensions is unmaintained, the fix for this issue exists in version 1.1.1 of [drupal/unified_twig_ext](https://www.drupal.org/project/unified_twig_ext)
CVE-2021-47920 1 Webmo 1 Job Manager 2026-04-15 5.4 Medium
WebMO Job Manager 20.0 contains a cross-site scripting vulnerability in search parameters that allows remote attackers to inject malicious script code. Attackers can exploit the filterSearch and filterSearchType parameters to perform non-persistent attacks including session hijacking and external redirects.
CVE-2024-48662 2026-04-15 6.1 Medium
Cross Site Scripting vulnerability in AdGuard Application v.7.18.1 (4778) and before allows an attacker to execute arbitrary code via a crafted payload to the fontMatrix component.
CVE-2025-54872 1 Onion-site-template Project 1 Onion-site-template 2026-04-15 N/A
onion-site-template is a complete, scalable tor hidden service self-hosting sample. Versions which include commit 3196bd89 contain a baked-in tor image if the secrets were copied from an existing onion domain. A website could be compromised if a user shared the baked-in image, or if someone were able to acquire access to the user's device outside of a containerized environment. This is fixed by commit bc9ba0fd.
CVE-2025-62967 2 Designinvento, Wordpress 2 Directorypress, Wordpress 2026-04-15 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Designinvento DirectoryPress directorypress allows DOM-Based XSS.This issue affects DirectoryPress: from n/a through <= 3.6.25.
CVE-2025-62968 2 Sayandatta, Wordpress 2 Wp Last Modified Info, Wordpress 2026-04-15 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sayan Datta WP Last Modified Info wp-last-modified-info allows Stored XSS.This issue affects WP Last Modified Info: from n/a through <= 1.9.2.
CVE-2025-62971 1 Wordpress 1 Wordpress 2026-04-15 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CrestaProject Attesa Extra attesa-extra allows Stored XSS.This issue affects Attesa Extra: from n/a through <= 1.4.7.
CVE-2025-62974 1 Wordpress 1 Wordpress 2026-04-15 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CoSchedule Headline Analyzer headline-analyzer allows Stored XSS.This issue affects Headline Analyzer: from n/a through <= 1.3.7.
CVE-2024-4462 1 Wordpress 1 Wordpress 2026-04-15 4.4 Medium
The Nafeza Prayer Time plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.