Export limit exceeded: 47293 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (47293 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-10943 | 2026-04-15 | 3.5 Low | ||
| A security flaw has been discovered in MikeCen WeChat-Face-Recognition up to 6e3f72bf8547d80b59e330f1137e4aa505f492c1. This vulnerability affects the function valid of the file wx.php. The manipulation of the argument echostr results in cross site scripting. The attack can be launched remotely. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-11183 | 2026-04-15 | N/A | ||
| Cross-Site Scripting vulnerability in attribute table in QGIS QWC2 <2025.08.14 allows an authorized attacker to plant arbitrary JavaScript code in the page | ||||
| CVE-2025-11220 | 2 Elementor, Wordpress | 2 Elementor, Wordpress | 2026-04-15 | 6.4 Medium |
| The Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Text Path widget in all versions up to, and including, 3.33.3 due to insufficient neutralization of user-supplied input used to build SVG markup inside the widget. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2022-50942 | 1 Icinga | 1 Icinga Web 2 | 2026-04-15 | 5.4 Medium |
| Incinga Web 2.8.2 contains a client-side cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through the icinga.min.js file. Attackers can exploit the EventListener.handleEvent method to execute arbitrary scripts, potentially leading to session hijacking and non-persistent phishing attacks. | ||||
| CVE-2022-50952 | 1 Banco De Guayaquil | 1 Banco Guayaquil | 2026-04-15 | 6.4 Medium |
| Banco Guayaquil 8.0.0 mobile iOS application contains a persistent cross-site scripting vulnerability in the TextBox Name Profile input. Attackers can inject malicious script code through a POST request that executes on application review without user interaction. | ||||
| CVE-2025-24027 | 2026-04-15 | 6.2 Medium | ||
| ps_contactinfo, a PrestaShop module for displaying store contact information, has a cross-site scripting (XSS) vulnerability in versions up to and including 3.3.2. This can not be exploited in a fresh install of PrestaShop, only shops made vulnerable by third party modules are concerned. For example, if the shop has a third party module vulnerable to SQL injections, then ps_contactinfo might execute a stored cross-site scripting in formatting objects. Commit d60f9a5634b4fc2d3a8831fb08fe2e1f23cbfa39 keeps formatted addresses from displaying a XSS stored in the database, and the fix is expected to be available in version 3.3.3. No workarounds are available aside from applying the fix and keeping all modules maintained and update. | ||||
| CVE-2025-11737 | 2 Kurudrive, Wordpress | 2 Vk All In One Expansion Unit, Wordpress | 2026-04-15 | 6.4 Medium |
| The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'vkExUnit_sns_title' parameter in all versions up to, and including, 9.112.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-24372 | 1 Ckan | 1 Ckan | 2026-04-15 | 7.3 High |
| CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Using a specially crafted file, a user could potentially upload a file containing code that when executed could send arbitrary requests to the server. If that file was opened by an administrator, it could lead to escalation of privileges of the original submitter or other malicious actions. Users must have been registered to the site to exploit this vulnerability. This vulnerability has been fixed in CKAN 2.10.7 and 2.11.2. Users are advised to upgrade. On versions prior to CKAN 2.10.7 and 2.11.2, site maintainers can restrict the file types supported for uploading using the `ckan.upload.user.mimetypes` / `ckan.upload.user.types` and `ckan.upload.group.mimetypes` / `ckan.upload.group.types` config options. To entirely disable file uploads users can use: `ckan.upload.user.types = none` | ||||
| CVE-2025-21612 | 2026-04-15 | 8.6 High | ||
| TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Prior to 2.7.2, TabberTransclude.php doesn't escape the user-supplied page name when outputting, so an XSS payload as the page name can be used here. This vulnerability is fixed in 2.7.2. | ||||
| CVE-2025-24810 | 2026-04-15 | N/A | ||
| Cross-site scripting vulnerability exists in Simple Image Sizes 3.2.3 and earlier. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is logging in to the product with the administrative privilege and accessing the settings screen. | ||||
| CVE-2025-14830 | 1 Jfrog | 1 Artifactory | 2026-04-15 | 4.9 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in JFrog Artifactory (Workers) allows Cross-Site Scripting (XSS).This issue affects Artifactory (Workers): from >=7.94.0 through <7.117.10. | ||||
| CVE-2025-15134 | 2026-04-15 | 3.5 Low | ||
| A security flaw has been discovered in yourmaileyes MOOC up to 1.17. This affects the function subreview of the file mooc/controller/MainController.java of the component Submission Handler. Performing manipulation of the argument review results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2025-15248 | 2026-04-15 | 3.5 Low | ||
| A security flaw has been discovered in sunhailin12315 product-review 商品评价系统 up to 91ead6890b4065bb45b7602d0d73348e75cb4639. This affects an unknown part of the component Write a Review. Performing manipulation of the argument content results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited. This product adopts a rolling release strategy to maintain continuous delivery The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2025-25570 | 2026-04-15 | 9.8 Critical | ||
| Vue Vben Admin 2.10.1 allows unauthorized login to the backend due to an issue with hardcoded credentials. | ||||
| CVE-2025-1529 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded lottie files in all versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2023-25200 | 2026-04-15 | 4.7 Medium | ||
| An HTML injection vulnerability exists in the MT Safeline X-Ray X3310 webserver version NXG 19.05 that enables a remote attacker to render malicious HTML and obtain sensitive information in a victim's browser. | ||||
| CVE-2023-25199 | 2026-04-15 | 5.4 Medium | ||
| A reflected cross-site scripting (XSS) vulnerability exists in the MT Safeline X-Ray X3310 webserver version NXG 19.05 that enables a remote attacker to execute JavaScript code and obtain sensitive information in a victim's browser. | ||||
| CVE-2024-13463 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The SeatReg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'seatreg' shortcode in all versions up to, and including, 1.56.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-15454 | 1 Zhanglun | 1 Lettura | 2026-04-15 | 3.1 Low |
| A vulnerability was detected in zhanglun lettura up to 0.1.22. This issue affects some unknown processing of the file src/components/ArticleView/ContentRender.tsx of the component RSS Handler. The manipulation results in cross site scripting. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The exploit is now public and may be used. The patch is identified as 67213093db9923e828a6e3fd8696a998c85da2d4. It is best practice to apply a patch to resolve this issue. | ||||
| CVE-2023-26566 | 1 Sangoma | 1 Freepbx | 2026-04-15 | 8.6 High |
| Sangoma FreePBX 1805 through 2203 on Linux contains hardcoded credentials for the Asterisk REST Interface (ARI), which allows remote attackers to reconfigure Asterisk and make external and internal calls via HTTP and WebSocket requests sent to the API. | ||||