Search Results (47149 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-27961 2026-04-15 6.5 Medium
evesys 7.1 (2152) through 8.0 (2202) allows Reflected XSS via the indexeva.php action parameter.
CVE-2018-25157 1 Phraseanet 1 Phraseanet Dam Open Source 2026-04-15 6.4 Medium
Phraseanet 4.0.3 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through crafted file names during document uploads. Attackers can upload files with embedded SVG scripts that execute in the browser, potentially stealing cookies or redirecting users when the file is viewed.
CVE-2025-54476 1 Joomla 2 Joomla, Joomla! 2026-04-15 N/A
Improper handling of input could lead to an XSS vector in the checkAttribute method of the input filter framework class.
CVE-2025-13802 1 Restaurantwebsite Project 1 Restaurantwebsite 2026-04-15 4.3 Medium
A vulnerability was determined in jairiidriss RestaurantWebsite up to e7911f12d035e8e2f9a75e7a28b59e4ef5c1d654. Impacted is an unknown function of the component Make a Reservation. This manipulation of the argument selected_date causes cross site scripting. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2020-36954 1 Xeroneit 1 Library Management System 2026-04-15 6.4 Medium
Xeroneit Library Management System 3.1 contains a stored cross-site scripting vulnerability in the Book Category feature that allows administrators to inject malicious scripts. Attackers can insert a payload in the Category Name field to execute arbitrary JavaScript code when the page is loaded.
CVE-2024-12995 1 Ruifang-tech 1 Rebuild 2026-04-15 3.5 Low
A vulnerability classified as problematic has been found in ruifang-tech Rebuild 3.8.6. This affects an unknown part of the file /project/050-9000000000000001/tasks of the component Project Tasks Section. The manipulation of the argument description leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2020-36955 1 Getgrav 4 Grav, Grav-plugin-admin, Grav Admin and 1 more 2026-04-15 6.4 Medium
Grav CMS 1.6.30 with Admin Plugin 1.9.18 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the page title field. Attackers can create a new page with a malicious script in the title, which will be executed when the page is viewed in the admin panel or on the site.
CVE-2020-36956 1 Igniterealtime 1 Openfire 2026-04-15 6.4 Medium
Openfire 4.6.0 contains a stored cross-site scripting vulnerability in the nodejs plugin that allows attackers to inject malicious scripts through the 'path' parameter. Attackers can craft a payload with script tags to execute arbitrary JavaScript in the context of administrative users viewing the nodejs configuration page.
CVE-2020-36996 1 Php-fusion 1 Phpfusion 2026-04-15 6.4 Medium
PHPFusion 9.03.50 contains a persistent cross-site scripting vulnerability in the print.php page that fails to properly sanitize user-submitted message content. Attackers can inject malicious JavaScript through forum messages that will execute when the print page is generated, allowing script execution in victim browsers.
CVE-2020-37014 1 Tryton 2 Tryton, Trytond 2026-04-15 6.4 Medium
Tryton 5.4 contains a persistent cross-site scripting vulnerability in the user profile name input that allows remote attackers to inject malicious scripts. Attackers can exploit the vulnerability by inserting script payloads in the name field, which execute in the frontend and backend user interfaces.
CVE-2020-37003 2 Sellacious, Totalshopuk 2 Ecommerce, Ecommerce 2026-04-15 6.4 Medium
Sellacious eCommerce 4.6 contains a persistent cross-site scripting vulnerability in the Manage Your Addresses module that allows attackers to inject malicious scripts. Attackers can exploit multiple address input fields like full name, company, and address to execute persistent script code that can hijack user sessions and manipulate application modules.
CVE-2017-20214 1 Flir 1 Thermal Camera 2026-04-15 7.5 High
FLIR Thermal Camera F/FC/PT/D firmware version 8.0.0.64 contains hard-coded SSH credentials that cannot be changed through normal camera operations. Attackers can leverage these persistent, unmodifiable credentials to gain unauthorized remote access to the thermal camera system.
CVE-2020-37018 1 Goautodial 2 Goautodial, Goautodial Api 2026-04-15 6.4 Medium
GOautodial 4.0 contains a persistent cross-site scripting vulnerability that allows authenticated agents to inject malicious scripts through message subjects. Attackers can craft messages with embedded JavaScript that will execute when an administrator reads the message, potentially stealing session cookies or executing client-side attacks.
CVE-2025-1393 2026-04-15 9.8 Critical
An unauthenticated remote attacker can use hard-coded credentials to gain full administration privileges on the affected product.
CVE-2025-34501 1 Shuffle Master 1 Deck Mate 2 2026-04-15 N/A
Deck Mate 2 is distributed with static, hard-coded credentials for the root shell and web user interface, while multiple management services (SSH, HTTP, Telnet, SMB, X11) are enabled by default. If an attacker can reach these interfaces - most often through local or near-local access such as connecting to the USB or Ethernet ports beneath the table - the built-in credentials permit administrative login and full control of the system. Once authenticated, an attacker can access firmware utilities, modify controller software, and establish persistent compromise. Remote attack paths via network, cellular, or telemetry links may exist in specific configurations but generally require additional capabilities or operator error. The vendor reports that USB access has been disabled in current firmware builds.
CVE-2024-12422 1 Wordpress 1 Wordpress 2026-04-15 6.1 Medium
The Import Eventbrite Events plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.7.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2024-5156 2026-04-15 6.4 Medium
The Flatsome theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 3.18.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-40976 1 Workdo 1 Ticketgo 2026-04-15 N/A
Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's TicketGo, consisting of a lack of proper validation of user input by sending a POST request to ‘/ticketgo-saas/home’, using the ‘description’ parameter.
CVE-2024-49378 1 Zimocode 1 Smartup 2026-04-15 6.1 Medium
smartUp, a web browser mouse gestures extension, has a universal cross-site scripting issue in the Edge and Firefox versions of smartUp 7.2.622.1170. The vulnerability allows another extension to execute arbitrary code in the context of the user’s tab. As of time of publication, no known patches exist.
CVE-2024-8722 2026-04-15 5.5 Medium
The Import any XML or CSV File to WordPress PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.