Export limit exceeded: 364448 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Export limit exceeded: 47226 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (47226 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-47920 1 Webmo 1 Job Manager 2026-04-15 5.4 Medium
WebMO Job Manager 20.0 contains a cross-site scripting vulnerability in search parameters that allows remote attackers to inject malicious script code. Attackers can exploit the filterSearch and filterSearchType parameters to perform non-persistent attacks including session hijacking and external redirects.
CVE-2020-9322 1 Statamic 1 Statamic 2026-04-15 8.8 High
The /users endpoint in Statamic Core before 2.11.8 allows XSS to add an administrator user. This can be exploited via CSRF. Stored XSS can occur via a JavaScript payload in a username during account registration. Reflected XSS can occur via the /users PATH_INFO.
CVE-2024-23511 2 Posimyth, Wordpress 2 The Plus Addons For Elementor Page Builder Lite, Wordpress 2026-04-15 6.5 Medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in POSIMYTH The Plus Addons for Elementor Page Builder Lite allows DOM-Based XSS.This issue affects The Plus Addons for Elementor Page Builder Lite: from n/a through 5.3.3.
CVE-2024-34582 1 Sunhillo 1 Sureline 2026-04-15 6.1 Medium
Sunhillo SureLine through 8.10.0 on RICI 5000 devices allows cgi/usrPasswd.cgi userid_change XSS within the Forgot Password feature.
CVE-2025-1983 2026-04-15 N/A
A cross-site scripting (XSS) vulnerability in Ready_'s File Explorer upload functionality allows injection of arbitrary JavaScript code in filename. Injected content is stored on server and is executed every time a user interacts with the uploaded file.
CVE-2025-23026 2026-04-15 6.1 Medium
jte (Java Template Engine) is a secure and lightweight template engine for Java and Kotlin. In affected versions Jte HTML templates with `script` tags or script attributes that include a Javascript template string (backticks) are subject to XSS. The `javaScriptBlock` and `javaScriptAttribute` methods in the `Escape` class do not escape backticks, which are used for Javascript template strings. Dollar signs in template strings should also be escaped as well to prevent undesired interpolation. HTML templates rendered by Jte's `OwaspHtmlTemplateOutput` in versions less than or equal to `3.1.15` with `script` tags or script attributes that contain Javascript template strings (backticks) are vulnerable. Users are advised to upgrade to version 3.1.16 or later to resolve this issue. There are no known workarounds for this vulnerability.
CVE-2025-26159 2026-04-15 6.1 Medium
Laravel Starter 11.11.0 is vulnerable to Cross Site Scripting (XSS) in the tags feature. Any user with the ability of create or modify tags can inject malicious JavaScript code in the name field.
CVE-2025-29526 2026-04-15 6.1 Medium
A Cross-Site Scripting (XSS) vulnerability in the search function of Q4 Inc Investor Relations Platform v5.147.1.2 allows attackers to execute arbitrary Javascript via injecting a crafted payload into the SearchTerm parameter.
CVE-2025-58746 2026-04-15 9.1 Critical
The Volkov Labs Business Links panel for Grafana provides an interface to navigate using external links, internal dashboards, time pickers, and dropdown menus. Prior to version 2.4.0, a malicious actor with Editor privileges can escalate their privileges to Administrator and perform arbitrary administrative actions. This is possible because the plugin allows arbitrary JavaScript code injection in the [Layout] → [Link] → [URL] field. Version 2.4.0 contains a fix for the issue.
CVE-2024-28146 2026-04-15 8.4 High
The application uses several hard-coded credentials to encrypt config files during backup, to decrypt the new firmware during an update and some passwords allow a direct connection to the database server of the affected device.
CVE-2024-13156 2026-04-15 6.4 Medium
The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the ‘heading’ parameter in all versions up to, and including, 2.5.35 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-2834 2026-04-15 8.7 High
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in OpenText ArcSight Management Center and ArcSight Platform. The vulnerability could be remotely exploited.
CVE-2024-30547 1 Wordpress 1 Wordpress 2026-04-15 7.1 High
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Shazdeh Header Image Slider header-image-slider allows DOM-Based XSS.This issue affects Header Image Slider: from n/a through 0.3.
CVE-2025-59902 1 Nice 1 Nice Chat 2026-04-15 N/A
HTML injection vulnerability in NICE Chat. This vulnerability allows an attacker to inject and render arbitrary HTML content in email transcripts by modifying the 'firstName' and 'lastName' parameters during a chat session. The injected HTML is included in the body of the email sent by the system, which could enable phishing attacks, impersonation, or credential theft.
CVE-2025-69334 2 Wordpress, Wpfactory 2 Wordpress, Wishlist For Woocommerce 2026-04-15 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Wishlist for WooCommerce wish-list-for-woocommerce allows Stored XSS.This issue affects Wishlist for WooCommerce: from n/a through <= 3.3.0.
CVE-2024-36494 2026-04-15 4.7 Medium
Due to missing input sanitization, an attacker can perform cross-site-scripting attacks and run arbitrary Javascript in the browser of other users. The login page at /cgi/slogin.cgi suffers from XSS due to improper input filtering of the -tsetup+-uuser parameter, which can only be exploited if the target user is not already logged in. This makes it ideal for login form phishing attempts.
CVE-2024-36498 2026-04-15 4.7 Medium
Due to missing input sanitization, an attacker can perform cross-site-scripting attacks and run arbitrary Javascript in the browser of other users. The "Edit Disclaimer Text" function of the configuration menu is vulnerable to stored XSS. Only the users Poweruser and Admin can use this function which is available at the URL https://$SCANNER/cgi/admin.cgi?-rdisclaimer+-apre The stored Javascript payload will be executed every time the ScanWizard is loaded, even in the Kiosk-mode browser. Version 7.40 implemented a fix, but it could be bypassed via URL-encoding the Javascript payload again.
CVE-2024-5405 2026-04-15 6.3 Medium
A vulnerability had been discovered in WinNMP 19.02 consisting of an XSS attack via /tools/redis.php page in the k, hash, key and p parameters. This vulnerability could allow a remote user to submit a specially crafted JavaScript payload for an authenticated user to retrieve their session details.
CVE-2025-0354 2026-04-15 4.8 Medium
Cross-site scripting vulnerability in NEC Corporation Aterm WG2600HS Ver.1.7.2 and earlier, WG2600HP4 Ver.1.4.2 and earlier, WG2600HM4 Ver.1.4.2 and earlier, WG2600HS2 Ver.1.3.2 and earlier, WX3000HP Ver.2.4.2 and earlier and WX4200D5 Ver.1.2.4 and earlier allows a attacker to inject an arbitrary script via the network.
CVE-2025-22724 2026-04-15 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MojofyWP Product Carousel For WooCommerce – WoorouSell allows Stored XSS.This issue affects Product Carousel For WooCommerce – WoorouSell: from n/a through 1.1.0.