Export limit exceeded: 47209 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (47209 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-11412 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Shine PDF Embeder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shinepdf' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-11414 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The RecipePress Reloaded plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Recipe Ingredients in all versions up to, and including, 2.12.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-48971 | 1 Baxter | 1 Life2000 Ventilator Firmware | 2026-04-15 | 9.3 Critical |
| The Clinician Password and Serial Number Clinician Password are hard-coded into the ventilator in plaintext form. This could allow an attacker to obtain the password off the ventilator and use it to gain unauthorized access to the device, with clinician privileges. | ||||
| CVE-2024-49751 | 2026-04-15 | N/A | ||
| Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). Prior to commit 5d118a902872d7941f099ad1fb918e2421e79ccd, a user could inject HTML through SaaS signup inputs. The user who injected the unsafe HTML code would only affect themselves and would not affect other users. Commit 5d118a902872d7941f099ad1fb918e2421e79ccd patches this bug. | ||||
| CVE-2024-11428 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Lazy load videos and sticky control plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'lazy-load-videos-and-sticky-control' shortcode in all versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-5083 | 1 Sonatype | 1 Nexus Repository Manager | 2026-04-15 | N/A |
| A stored Cross-site Scripting vulnerability has been discovered in Sonatype Nexus Repository 2 This issue affects Nexus Repository 2 OSS/Pro versions up to and including 2.15.1. | ||||
| CVE-2024-51053 | 1 Avscms | 1 Avscms | 2026-04-15 | 9.8 Critical |
| An arbitrary file upload vulnerability in the component /main/fileupload.php of AVSCMS v8.2.0 allows attackers to execute arbitrary code via uploading a crafted file. | ||||
| CVE-2024-51026 | 1 Netadmin | 1 Netadmin | 2026-04-15 | 5.4 Medium |
| The NetAdmin IAM system (version 4.0.30319) has a Cross Site Scripting (XSS) vulnerability in the /BalloonSave.ashx endpoint, where it is possible to inject a malicious payload into the Content= field. | ||||
| CVE-2024-51122 | 2026-04-15 | 6.1 Medium | ||
| Cross Site Scripting vulnerability in Zertificon Z1 SecureMail Z1 CertServer v.3.16.4-2516-debian12 alllows a remote attacker to execute arbitrary code via the ST, L, O, OU, CN parameters. | ||||
| CVE-2024-51135 | 1 Powertac-server | 1 Powertac-server | 2026-04-15 | 9.8 Critical |
| An XML External Entity (XXE) vulnerability in the component DocumentBuilderFactory of powertac-server v1.9.0 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted request containing malicious XML entities. | ||||
| CVE-2024-11447 | 2026-04-15 | 6.1 Medium | ||
| The Community by PeepSo – Download from PeepSo.com plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘filter’ parameter in all versions up to, and including, 7.0.3.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-5312 | 2026-04-15 | 6.3 Medium | ||
| PHP Server Monitor, version 3.2.0, is vulnerable to an XSS via the /phpservermon-3.2.0/vendor/phpmailer/phpmailer/test_script/index.php page in all visible parameters. An attacker could create a specially crafted URL, send it to a victim and retrieve their session details. | ||||
| CVE-2024-11456 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| The Run Contests, Raffles, and Giveaways with ContestsWP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-11462 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| The Filestack Official plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'fstab' and 'filestack_options' parameters in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-5424 | 2026-04-15 | 6.4 Medium | ||
| The Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘galleryID’ and 'className' parameters in all versions up to, and including, 3.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2020-36853 | 2 10web, Wordpress | 2 Map Builder For Google Maps, Wordpress | 2026-04-15 | 7.2 High |
| The 10WebMapBuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Plugin Settings Change in versions up to, and including, 1.0.63 due to insufficient input sanitization and output escaping and a lack of capability checks. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-9267 | 2026-04-15 | 6.1 Medium | ||
| The Easy WordPress Subscribe – Optin Hound plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.4.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-9269 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Relogo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 0.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | ||||
| CVE-2020-36978 | 1 Froxlor | 1 Froxlor | 2026-04-15 | 6.4 Medium |
| Froxlor Server Management Panel 0.10.16 contains a persistent cross-site scripting vulnerability in customer registration input fields. Attackers can inject malicious scripts through username, name, and firstname parameters to execute code when administrators view customer traffic modules. | ||||
| CVE-2018-25101 | 2026-04-15 | 3.5 Low | ||
| A vulnerability, which was classified as problematic, has been found in l2c2technologies Koha up to 20180108. This issue affects some unknown processing of the file /cgi-bin/koha/opac-MARCdetail.pl. The manipulation of the argument biblionumber with the input 2"><TEST> leads to cross site scripting. The attack may be initiated remotely. The identifier of the patch is 950fc8e101886821879066b33e389a47fb0a9782. It is recommended to upgrade the affected component. The identifier VDB-261677 was assigned to this vulnerability. | ||||