Export limit exceeded: 47132 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (47132 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-42852 | 1 Microfocus | 1 Acutoweb | 2026-04-15 | 6.1 Medium |
| Cross Site Scripting vulnerability in AcuToWeb server v.10.5.0.7577C8b allows a remote attacker to execute arbitrary code via the index.php component. | ||||
| CVE-2024-30214 | 2026-04-15 | 4.8 Medium | ||
| The application allows a high privilege attacker to append a malicious GET query parameter to Service invocations, which are reflected in the server response. Under certain circumstances, if the parameter contains a JavaScript, the script could be processed on client side. | ||||
| CVE-2025-69056 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins Hotel Listing hotel-listing allows Reflected XSS.This issue affects Hotel Listing: from n/a through <= 1.4.0. | ||||
| CVE-2025-69054 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in highwarden Super Logos Showcase superlogoshowcase-wp allows Reflected XSS.This issue affects Super Logos Showcase: from n/a through <= 2.8. | ||||
| CVE-2025-69053 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Universal Video Player universal-video-player allows Reflected XSS.This issue affects Universal Video Player: from n/a through <= 3.8.4. | ||||
| CVE-2025-69051 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CridioStudio ListingPro Reviews listingpro-reviews allows Reflected XSS.This issue affects ListingPro Reviews: from n/a through < 2.9.11. | ||||
| CVE-2025-62796 | 1 Privatebin | 1 Privatebin | 2026-04-15 | 5.8 Medium |
| PrivateBin is an online pastebin where the server has zero knowledge of pasted data. Versions 1.7.7 through 2.0.1 allow persistent HTML injection via the unsanitized attachment filename (attachment_name) when attachments are enabled. An attacker can modify attachment_name before encryption so that, after decryption, arbitrary HTML is inserted unescaped into the page near the file size hint, enabling redirect (e.g., meta refresh) and site defacement and related phishing attacks. Script execution is normally blocked by the recommended Content Security Policy, limiting confidentiality impact. The issue was introduced in 1.7.7 and fixed in 2.0.2. Update to 2.0.2 or later. Workarounds include enforcing the recommended CSP, deploying PrivateBin on a separate domain, or disabling attachments. | ||||
| CVE-2025-69033 | 2 Awplife, Wordpress | 2 Blog Filter, Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A WP Life Blog Filter blog-filter allows DOM-Based XSS.This issue affects Blog Filter: from n/a through <= 1.7.3. | ||||
| CVE-2024-3031 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.4 Medium |
| The Fluid Notification Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2024-4190 | 2026-04-15 | 8.1 High | ||
| Stored Cross-Site Scripting (XSS) vulnerabilities have been identified in OpenText ArcSight Logger. The vulnerabilities could be remotely exploited. | ||||
| CVE-2025-53480 | 2026-04-15 | 5.4 Medium | ||
| The CheckUser extension’s Special:Investigate page has a vulnerability in the Account information tab, where specific internationalized messages are rendered without proper escaping. Attackers can exploit this by appending ?uselang=x-xss to the URL, causing reflected XSS when the UI renders affected message keys. This issue affects Mediawiki - CheckUser extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | ||||
| CVE-2024-4356 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The List categories plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'categories' shortcode in all versions up to, and including, 0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-11411 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Spotlightr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'spotlightr-v' shortcode in all versions up to, and including, 0.1.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-11410 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Top and footer bars for announcements, notifications, advertisements, promotions – YooBar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Yoo Bar settings in all versions up to, and including, 2.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-3811 | 2026-04-15 | 6.4 Medium | ||
| The Salient Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'icon' shortcode in all versions up to, and including, 1.5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-11426 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The AutoListicle: Automatically Update Numbered List Articles plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'auto-list-number' shortcode in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-34699 | 2026-04-15 | 6.5 Medium | ||
| GZ::CTF is a capture the flag platform. Prior to 0.20.1, unprivileged user can perform cross-site scripting attacks on other users by constructing malicious team names. This problem has been fixed in `v0.20.1`. | ||||
| CVE-2024-11442 | 2026-04-15 | 6.4 Medium | ||
| The Horizontal scroll image slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'horizontal-scroll-image-slideshow' shortcode in all versions up to, and including, 10.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-11450 | 2026-04-15 | 6.4 Medium | ||
| The ONLYOFFICE Docs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'onlyoffice' shortcode in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-11451 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Zooom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'zooom' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||