Export limit exceeded: 47126 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (47126 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-1446 | 1 Esri | 1 Arcgis Pro | 2026-04-18 | 5 Medium |
| There is a Cross‑Site Scripting (XSS) issue in Esri ArcGIS Pro versions 3.6.0 and earlier. ArcGIS Pro is a desktop application, and exploitation is limited to local users interacting with the application; no privileged role or elevated permissions are required beyond standard local user access. A local attacker can supply malicious strings that may be rendered and executed when a specific dialog within ArcGIS Pro is opened. This issue is fixed in ArcGIS Pro version 3.6.1. | ||||
| CVE-2026-24490 | 2 Mobsf, Opensecurity | 2 Mobile Security Framework, Mobile Security Framework | 2026-04-18 | 8.1 High |
| MobSF is a mobile application security testing tool used. Prior to version 4.4.5, a Stored Cross-site Scripting (XSS) vulnerability in MobSF's Android manifest analysis allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session by uploading a malicious APK. The `android:host` attribute from `<data android:scheme="android_secret_code">` elements is rendered in HTML reports without sanitization, enabling session hijacking and account takeover. Version 4.4.5 fixes the issue. | ||||
| CVE-2026-24771 | 1 Hono | 1 Hono | 2026-04-18 | 4.7 Medium |
| Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, a Cross-Site Scripting (XSS) vulnerability exists in the `ErrorBoundary` component of the hono/jsx library. Under certain usage patterns, untrusted user-controlled strings may be rendered as raw HTML, allowing arbitrary script execution in the victim's browser. Version 4.11.7 patches the issue. | ||||
| CVE-2026-24833 | 1 Dnnsoftware | 2 Dnn Platform, Dotnetnuke | 2026-04-18 | 7.7 High |
| DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, a module could install with richtext in its description field which could contain scripts that will run for user in the Persona Bar. Versions 9.13.10 and 10.2.0 contain a fix for the issue. | ||||
| CVE-2026-1520 | 1 Rethinkdb | 1 Rethinkdb | 2026-04-18 | 2.4 Low |
| A vulnerability was identified in rethinkdb up to 2.4.3. Affected by this issue is some unknown functionality of the component Secondary Index Handler. Such manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-0749 | 2 Drupal, Silence | 2 Drupal, Form Builder | 2026-04-18 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Form Builder allows Cross-Site Scripting (XSS).This issue affects Drupal: from 7.X-1.0 through 7.X-1.22. | ||||
| CVE-2026-25154 | 1 Localsend | 1 Localsend | 2026-04-18 | 6.1 Medium |
| LocalSend is a free, open-source app that allows users to share files and messages with nearby devices over their local network without needing an internet connection. In versions up to and including 1.17.0, when a user initiates a "Share via Link" session, the LocalSend application starts a local HTTP server to host the selected files. The client-side logic for this web interface is contained in `app/assets/web/main.js`. Note that at [0], the `handleFilesDisplay` function constructs the HTML for the file list by iterating over the files received from the server. Commit 8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c contains a patch. | ||||
| CVE-2026-25156 | 1 Hotcrp | 1 Hotcrp | 2026-04-18 | 7.3 High |
| HotCRP is conference review software. HotCRP versions from October 2025 through January 2026 delivered documents of all types with inline Content-Disposition, causing them to be rendered in the user’s browser rather than downloaded. (The intended behavior was for only `text/plain`, `application/pdf`, `image/gif`, `image/jpeg`, and `image/png` to be delivered inline, though adding `save=0` to the document URL could request inline delivery for any document.) This made users who clicked a document link vulnerable to cross-site scripting attacks. An uploaded HTML or SVG document would run in the viewer’s browser with access to their HotCRP credentials, and Javascript in that document could eventually make arbitrary calls to HotCRP’s API. Malicious documents could be uploaded to submission fields with “file upload” or “attachment” type, or as attachments to comments. PDF upload fields were not vulnerable. A search of documents uploaded to hotcrp.com found no evidence of exploitation. The vulnerability was introduced in commit aa20ef288828b04550950cf67c831af8a525f508 (11 October 2025), present in development versions and v3.2, and fixed in commit 8933e86c9f384b356dc4c6e9e2814dee1074b323 and v3.2.1. Additionally, c3d88a7e18d52119c65df31c2cc994edd2beccc5 and v3.2.1 remove support for `save=0`. | ||||
| CVE-2026-25202 | 2 Samsung, Samsung Electronics | 2 Magicinfo 9 Server, Magicinfo 9 Server | 2026-04-18 | 9.8 Critical |
| The database account and password are hardcoded, allowing login with the account to manipulate the database in MagicInfo9 Server.This issue affects MagicINFO 9 Server: less than 21.1090.1. | ||||
| CVE-2026-20711 | 1 Cybozu | 2 Cybozu Garoon, Garoon | 2026-04-18 | 6.1 Medium |
| Cross-site scripting vulnerability exists in E-mail function of Cybozu Garoon 5.0.0 to 6.0.3, which may allow an attacker to reset arbitrary users’ passwords. | ||||
| CVE-2026-23794 | 1 Apache | 1 Syncope | 2026-04-18 | 6.8 Medium |
| Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue. | ||||
| CVE-2026-24674 | 2 Gunet, Openeclass | 2 Open Eclass Platform, Openeclass | 2026-04-18 | 4.7 Medium |
| The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Reflected Cross-Site Scripting (XSS) vulnerability allows remote attackers to execute arbitrary JavaScript in the context of authenticated users by crafting malicious URLs and tricking victims into visiting them. This issue has been patched in version 4.2. | ||||
| CVE-2026-24665 | 2 Gunet, Openeclass | 2 Open Eclass Platform, Openeclass | 2026-04-18 | 8.7 High |
| The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a stored Cross-Site Scripting (XSS) vulnerability allows authenticated students to inject malicious JavaScript into uploaded assignment files, which is executed when instructors view the submission. This issue has been patched in version 4.2. | ||||
| CVE-2026-25486 | 1 Craftcms | 2 Commerce, Craft Commerce | 2026-04-18 | 4.8 Medium |
| Craft Commerce is an ecommerce platform for Craft CMS. From version 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Methods Name field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in version 5.5.2. | ||||
| CVE-2026-25489 | 1 Craftcms | 2 Commerce, Craft Commerce | 2026-04-18 | 4.8 Medium |
| Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2. | ||||
| CVE-2026-25490 | 1 Craftcms | 2 Commerce, Craft Commerce | 2026-04-18 | 4.8 Medium |
| Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the 'Address Line 1' field in Inventory Locations is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2. | ||||
| CVE-2026-20985 | 1 Samsung | 2 Members, Samsung Members | 2026-04-18 | 4.3 Medium |
| Improper input validation in Samsung Members prior to version 5.6.00.11 allows remote attackers to connect arbitrary URL and launch arbitrary activity with Samsung Members privilege. User interaction is required for triggering this vulnerability. | ||||
| CVE-2026-22875 | 2 Six Apart, Six Apart Ltd | 2 Movable Type, Movable Type | 2026-04-18 | N/A |
| Movable Type contains a stored cross-site scripting vulnerability in Export Sites. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well. | ||||
| CVE-2026-20111 | 1 Cisco | 1 Prime Infrastructure | 2026-04-18 | 4.8 Medium |
| A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against users of the interface of an affected system. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by inserting malicious code into specific data fields in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, an attacker must have valid administrative credentials. | ||||
| CVE-2026-0947 | 2 Bordeaux-metropole, Drupal | 2 At Internet Piano Analytics, At Internet Piano Analytics | 2026-04-18 | 4.8 Medium |
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AT Internet Piano Analytics allows Cross-Site Scripting (XSS).This issue affects AT Internet Piano Analytics: from 0.0.0 before 1.0.1, from 2.0.0 before 2.3.1. | ||||