Export limit exceeded: 47274 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (47274 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-5303 | 2026-04-15 | 7.2 High | ||
| The LTL Freight Quotes – Freightview Edition, LTL Freight Quotes – Daylight Edition and LTL Freight Quotes – Day & Ross Edition plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the expiry_date parameter in all versions up to, and including, 1.0.11, 2.2.6 and 2.1.10 respectively, due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-55864 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Cross-site scripting vulnerability exists in My WP Customize Admin/Frontend versions prior to ver 1.24.1. If a malicious administrative user customizes the administrative page with some malicious contents, an arbitrary script may be executed on the web browser of the other users who are accessing the page. | ||||
| CVE-2024-55958 | 2026-04-15 | 4.8 Medium | ||
| Northern.tech CFEngine Enterprise Mission Portal 3.24.0, 3.21.5, and below allows XSS. The fixed versions are 3.24.1 and 3.21.6. | ||||
| CVE-2025-53369 | 2026-04-15 | 8.6 High | ||
| Short Description is a MediaWiki extension that provides local short description support. In version 4.0.0, short descriptions are not properly sanitized before being inserted as HTML using mw.util.addSubtitle, allowing any user to insert arbitrary HTML into the DOM by editing a page. This issue has been patched in version 4.0.1. | ||||
| CVE-2024-6485 | 2 Getbootstrap, Redhat | 2 Bootstrap, Discovery | 2026-04-15 | 6.4 Medium |
| A security vulnerability has been discovered in bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin. This vulnerability can be exploited by injecting malicious JavaScript code into the attribute, which would then be executed when the button's loading state is triggered. | ||||
| CVE-2025-53423 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes Triss triss allows Reflected XSS.This issue affects Triss: from n/a through <= 2.6. | ||||
| CVE-2025-53427 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chibueze Okechukwu SEO Pyramid seo-pyramid allows Reflected XSS.This issue affects SEO Pyramid: from n/a through <= 1.9.8. | ||||
| CVE-2025-53491 | 2026-04-15 | 5.4 Medium | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - FlaggedRevs Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - FlaggedRevs Extension: from 1.43.X before 1.43.2. | ||||
| CVE-2025-53478 | 2026-04-15 | 5.4 Medium | ||
| The CheckUser extension’s Special:Investigate interface is vulnerable to reflected XSS due to improper escaping of certain internationalized system messages rendered on the “IPs and User agents” tab. This issue affects Mediawiki - CheckUser extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | ||||
| CVE-2025-53479 | 2026-04-15 | 5.4 Medium | ||
| The CheckUser extension’s Special:CheckUser interface is vulnerable to reflected XSS via the rev-deleted-user message. This message is rendered without proper escaping, making it possible to inject JavaScript through the uselang=x-xss language override mechanism. This issue affects Mediawiki - CheckUser extension: from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | ||||
| CVE-2025-53482 | 2026-04-15 | 6.1 Medium | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - IPInfo Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - IPInfo Extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | ||||
| CVE-2025-53484 | 2026-04-15 | 9.8 Critical | ||
| User-controlled inputs are improperly escaped in: * VotePage.php (poll option input) * ResultPage::getPagesTab() and getErrorsTab() (user-controllable page names) This allows attackers to inject JavaScript and compromise user sessions under certain conditions. This issue affects Mediawiki - SecurePoll extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | ||||
| CVE-2025-53486 | 2026-04-15 | 5.4 Medium | ||
| The WikiCategoryTagCloud extension is vulnerable to reflected XSS via the linkstyle attribute, which is improperly concatenated into inline HTML without escaping. An attacker can inject JavaScript event handlers such as onmouseenter using carefully crafted input via the {{#tag:tagcloud}} parser function, resulting in arbitrary JavaScript execution when a victim hovers over a link in the category cloud. The vulnerability exists because the linkstyle parameter is only passed through Sanitizer::checkCss() (which does not escape HTML) and is then directly inserted into a style attribute using string concatenation instead of Html::element or Html::openElement. This issue affects Mediawiki - WikiCategoryTagCloud extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | ||||
| CVE-2025-53487 | 2026-04-15 | 5.4 Medium | ||
| The ApprovedRevs extension for MediaWiki is vulnerable to stored XSS in multiple locations where system messages are inserted into raw HTML without proper escaping. Attackers can exploit this by injecting JavaScript payloads via the uselang=x-xss language override, which causes crafted message keys to be rendered unescaped. This issue affects Mediawiki - ApprovedRevs extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | ||||
| CVE-2025-53488 | 2026-04-15 | 6.1 Medium | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - WikiHiero Extension allows Stored XSS.This issue affects Mediawiki - WikiHiero Extension: from 1.43.X before 1.43.2. | ||||
| CVE-2025-53496 | 2026-04-15 | 5.4 Medium | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - MediaSearch Extension allows Stored XSS.This issue affects Mediawiki - MediaSearch Extension: from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | ||||
| CVE-2025-53497 | 2026-04-15 | 5.4 Medium | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - RelatedArticles Extension allows Stored XSS.This issue affects Mediawiki - RelatedArticles Extension: from 1.43.X before 1.43.2. | ||||
| CVE-2025-0602 | 2026-04-15 | 8.7 High | ||
| A stored Cross-site Scripting (XSS) vulnerability affecting Compare in Collaborative Industry Innovator from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session. | ||||
| CVE-2025-53754 | 2026-04-15 | N/A | ||
| This vulnerability exists in Digisol DG-GR6821AC Router due to hard-coded Root Access Credentials in system configuration of the device firmware. An attacker with physical access could exploit this vulnerability by extracting the firmware and analyzing the binary data to obtain the stored root access credentials. Successful exploitation of this vulnerability could allow the attacker to gain admin access to the targeted device. | ||||
| CVE-2025-53842 | 2026-04-15 | N/A | ||
| Use of hard-coded credentials issue exists in ZWX-2000CSW2-HN prior to 0.3.19 and ZWX-2000CS2-HN firmware all versions. If this vulnerability is exploited, an attacker may tamper with the settings of the device by obtaining the credentials. This vulnerability is caused by an insufficient fix for CVE-2024-39838. | ||||