Export limit exceeded: 363351 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Export limit exceeded: 47132 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (47132 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2017-20191 2026-04-15 3.5 Low
A vulnerability was found in Zimbra zm-admin-ajax up to 8.8.1. It has been classified as problematic. This affects the function XFormItem.prototype.setError of the file WebRoot/js/ajax/dwt/xforms/XFormItem.js of the component Form Textbox Field Error Handler. The manipulation of the argument message leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 8.8.2 is able to address this issue. The identifier of the patch is bb240ce0c71c01caabaa43eed30c78ba8d7d3591. It is recommended to upgrade the affected component. The identifier VDB-258621 was assigned to this vulnerability.
CVE-2025-3866 1 Wordpress 1 Wordpress 2026-04-15 6.1 Medium
The Add Google +1 (Plus one) social share Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the google-plus-one-share-button page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2021-47920 1 Webmo 1 Job Manager 2026-04-15 5.4 Medium
WebMO Job Manager 20.0 contains a cross-site scripting vulnerability in search parameters that allows remote attackers to inject malicious script code. Attackers can exploit the filterSearch and filterSearchType parameters to perform non-persistent attacks including session hijacking and external redirects.
CVE-2024-4734 1 Codection 1 Import And Export Users And Customers 2026-04-15 4.4 Medium
The Import and export users and customers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.26.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVE-2021-47908 1 Thewebfosters 1 Ultimate Pos 2026-04-15 6.4 Medium
Ultimate POS 4.4 contains a persistent cross-site scripting vulnerability in the product name parameter that allows remote attackers to inject malicious scripts. Attackers can exploit the vulnerability through product add or edit functions to execute arbitrary JavaScript and potentially hijack user sessions.
CVE-2021-47897 1 Peel 1 Peel Shopping 2026-04-15 7.2 High
PEEL Shopping 9.3.0 contains a stored cross-site scripting vulnerability in the address parameter of the change_params.php script. Attackers can inject malicious JavaScript payloads that execute when users interact with the address text box, potentially enabling client-side script execution.
CVE-2024-57514 2026-04-15 4.8 Medium
The TP-Link Archer A20 v3 router is vulnerable to Cross-site Scripting (XSS) due to improper handling of directory listing paths in the web interface. When a specially crafted URL is visited, the router's web page renders the directory listing and executes arbitrary JavaScript embedded in the URL. This allows the attacker to inject malicious code into the page, executing JavaScript on the victim's browser, which could then be used for further malicious actions. The vulnerability was identified in the 1.0.6 Build 20231011 rel.85717(5553) version.
CVE-2024-57279 2026-04-15 5.4 Medium
A reflected Cross-Site Scripting (XSS) vulnerability has been identified in the LDAP User Manager <= ce92321, specifically in the /setup/index.php endpoint via the returnto parameter. This vulnerability arises due to improper sanitization of user-supplied input, allowing an attacker to inject malicious JavaScript.
CVE-2021-47892 1 Peel 1 Peel Shopping 2026-04-15 7.2 High
PEEL Shopping 9.3.0 contains a stored cross-site scripting vulnerability in the 'Comments / Special Instructions' parameter of the purchase page. Attackers can inject malicious JavaScript payloads that will execute when the page is refreshed, potentially allowing client-side script execution.
CVE-2024-46073 2026-04-15 6.1 Medium
A reflected Cross-Site Scripting (XSS) vulnerability exists in the login page of IceHRM v32.4.0.OS. The vulnerability is due to improper sanitization of the "next" parameter, which is included in the application's response without adequate escaping. An attacker can exploit this flaw by tricking a user into visiting a specially crafted URL, causing the execution of arbitrary JavaScript code in the context of the victim's browser. The issue occurs even though the application has sanitization mechanisms in place.
CVE-2024-48662 2026-04-15 6.1 Medium
Cross Site Scripting vulnerability in AdGuard Application v.7.18.1 (4778) and before allows an attacker to execute arbitrary code via a crafted payload to the fontMatrix component.
CVE-2024-12223 1 Nutanix 1 Prism Central 2026-04-15 N/A
Prism Central versions prior to 2024.3.1 are vulnerable to a stored cross-site scripting attack via the Events component, allowing an attacker to hijack a victim user’s session and perform actions in their security context.
CVE-2024-12593 2026-04-15 6.4 Medium
The PDF for WPForms + Drag and Drop Template Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's yeepdf_dotab shortcode in all versions up to, and including, 4.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-13334 1 Wordpress 1 Wordpress 2026-04-15 6.1 Medium
The Car Demon plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'search_condition' parameter in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2024-13351 2026-04-15 7.2 High
The Social proof testimonials and reviews by Repuso plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'rw_image_badge1' shortcode in all versions up to, and including, 5.20 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-13394 1 Wordpress 1 Wordpress 2026-04-15 6.4 Medium
The ViewMedica 9 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'viewmedica' shortcode in all versions up to, and including, 1.4.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-64365 1 Wordpress 1 Wordpress 2026-04-15 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in colabrio Ohio Extra ohio-extra allows DOM-Based XSS.This issue affects Ohio Extra: from n/a through <= 3.6.0.
CVE-2025-57424 1 Hbi 1 Mycourts 2026-04-15 7.3 High
A stored cross-site scripting (XSS) vulnerability exists in the MyCourts v3 application within the LTA number profile field. An attacker can insert arbitrary JavaScript into their profile, which executes in the browser of any user viewing it, including administrators. Due to the absence of the HttpOnly flag on the session cookie, this flaw could be exploited to capture session tokens and hijack user sessions, enabling elevated access.
CVE-2025-68887 2 Cmsjunkie, Wordpress 2 J-businessdirectory, Wordpress 2026-04-15 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CMSJunkie - WordPress Business Directory Plugins WP-BusinessDirectory wp-businessdirectory allows Reflected XSS.This issue affects WP-BusinessDirectory: from n/a through <= 4.0.1.
CVE-2024-57278 2026-04-15 5.4 Medium
A reflected Cross-Site Scripting (XSS) vulnerability exists in /webscan/sqlmap/index.html in QingScan <=v1.8.0. The vulnerability is caused by improper input sanitization of the query parameter, allowing an attacker to inject malicious JavaScript payloads. When a victim accesses a crafted URL containing the malicious input, the script executes in the victim's browser context.