Skip to main content
CVE-2021-47815 MEDIUM POC This Month

Nsauditor 3.2.3 contains a denial of service vulnerability in the registration code input field that allows attackers to crash the application. Attackers can paste a large buffer of 256 repeated characters into the 'Key' field to trigger an application crash. [CVSS 7.5 HIGH]

Denial Of Service Buffer Overflow Nsauditor
NVD Exploit-DB VulDB
CVSS 4.0
6.7
EPSS
0.0%
CVE-2021-47814 MEDIUM POC This Month

NBMonitor 1.6.8 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the registration code input field. Attackers can paste a 256-character buffer into the registration key field to trigger an application crash and potential system instability. [CVSS 7.5 HIGH]

Denial Of Service Nbmonitor Buffer Overflow
NVD Exploit-DB VulDB
CVSS 4.0
6.7
EPSS
0.0%
CVE-2021-47834 MEDIUM POC This Month

Schlix CMS 2.2.6-6 contains a persistent cross-site scripting vulnerability that allows authenticated users to inject malicious scripts into category titles. Attackers can create a new contact category with a script payload that will execute when the page is viewed by other users. [CVSS 6.4 MEDIUM]

XSS
NVD Exploit-DB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2021-47795 MEDIUM POC This Month

GeoVision GeoWebServer 5.3.3 contains multiple vulnerabilities including local file inclusion, cross-site scripting, and remote code execution through improper input sanitization. [CVSS 6.2 MEDIUM]

RCE XSS LFI Path Traversal
NVD Exploit-DB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-56451 MEDIUM POC This Month

A8\+ Collaborative Management versions up to 7.0 is affected by cross-site scripting (xss) (CVSS 6.1).

XSS A8 Collaborative Management
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-23727 MEDIUM POC PATCH This Month

WeGIA versions prior to 3.6.2 contain an open redirect vulnerability in the control.php endpoint that fails to validate the nextPage parameter, allowing unauthenticated attackers to redirect users to arbitrary external websites. Public exploit code exists for this vulnerability, which can be leveraged for phishing, credential harvesting, and malware distribution attacks that abuse the trusted WeGIA domain. The vulnerability is resolved in version 3.6.2.

PHP Open Redirect Wegia
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2021-47841 MEDIUM POC This Month

SnipCommand 0.1.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious payloads into command snippets. Attackers can execute arbitrary code by embedding malicious JavaScript that triggers remote command execution through file or title inputs. [CVSS 6.1 MEDIUM]

XSS
NVD GitHub Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2021-47844 MEDIUM POC This Month

Xmind 2020 contains a cross-site scripting vulnerability that allows attackers to inject malicious payloads into mind mapping files or custom headers. [CVSS 6.1 MEDIUM]

RCE XSS
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-23645 MEDIUM POC PATCH This Month

SiYuan prior to version 3.5.4-dev2 fails to sanitize SVG file uploads, allowing authenticated attackers to embed malicious JavaScript that executes when other users view the files. Public exploit code exists for this stored XSS vulnerability, which can compromise user sessions and access sensitive knowledge management data. The vulnerability affects self-hosted instances where users can upload SVG content from untrusted sources.

XSS Siyuan Suse
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-23768 MEDIUM POC This Month

Lucy XSS Filter with ObjectSecurityListener or EmbedSecurityListener enabled is vulnerable to server-side request forgery (SSRF) via malformed embed or object tags lacking file extensions in src attributes, allowing remote attackers to trigger arbitrary HEAD requests to internal or external URLs. Public exploit code exists for this vulnerability, and no patch is currently available.

SSRF XSS Lucy Xss Filter
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-23730 MEDIUM POC PATCH This Month

WeGIA charitable institution management software versions prior to 3.6.2 contain an open redirect vulnerability in the control.php endpoint that fails to validate the nextPage parameter, allowing unauthenticated attackers to redirect users to arbitrary external sites for phishing and credential theft. Public exploit code exists for this vulnerability. The flaw is resolved in version 3.6.2 and later.

PHP Open Redirect Wegia
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-23729 MEDIUM POC PATCH This Month

WeGIA charitable institution management software versions prior to 3.6.2 contain an open redirect vulnerability in the control.php endpoint that fails to validate the nextPage parameter, allowing attackers to redirect authenticated users to malicious external sites. Public exploit code exists for this vulnerability, which can be leveraged for phishing, credential harvesting, and malware distribution attacks while maintaining the appearance of a trusted WeGIA domain. The vulnerability is resolved in WeGIA 3.6.2 and later versions.

PHP Open Redirect Wegia
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-23728 MEDIUM POC PATCH This Month

WeGIA versions prior to 3.6.2 contain an open redirect vulnerability in the control.php endpoint that fails to properly validate the nextPage parameter, allowing attackers to redirect authenticated users to malicious external sites. Public exploit code exists for this vulnerability, enabling attackers to conduct phishing campaigns and credential harvesting attacks while leveraging the trust associated with the legitimate WeGIA domain. Update to version 3.6.2 or later to remediate this issue.

PHP Open Redirect Wegia
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-23726 MEDIUM POC PATCH This Month

WeGIA prior to version 3.6.2 contains an open redirect vulnerability in the control.php endpoint that fails to validate the nextPage parameter, allowing attackers to craft malicious links redirecting users to arbitrary external sites for phishing and credential theft. Public exploit code exists for this vulnerability, which affects all users who click attacker-controlled links within the application. The vulnerability is resolved in version 3.6.2.

PHP Open Redirect Wegia
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-69581 MEDIUM POC This Month

An issue was discovered in Chamillo LMS 1.11.2. The Social Network /personal_data endpoint exposes full sensitive user information even after logout because proper cache-control is missing. [CVSS 5.5 MEDIUM]

Information Disclosure Chamilo Lms
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2021-47779 MEDIUM POC This Month

Dolibarr ERP-CRM 14.0.2 contains a stored cross-site scripting vulnerability in the ticket creation module that allows low-privilege users to inject malicious scripts. [CVSS 5.4 MEDIUM]

XSS Privilege Escalation Dolibarr Erp Crm
NVD GitHub Exploit-DB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-23725 MEDIUM POC PATCH This Month

Stored XSS in WeGIA before version 3.6.2 allows authenticated users to inject malicious scripts into adopter information fields that execute in the browsers of all visitors to the affected pages. Public exploit code exists for this vulnerability, which impacts the html/pet/adotantes/cadastro_adotante.php and informacao_adotantes.php endpoints. Organizations should upgrade to version 3.6.2 or later to mitigate the risk of persistent JavaScript injection attacks.

PHP XSS Wegia
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2021-47808 MEDIUM POC This Month

Cotonti Siena 0.9.19 contains a stored cross-site scripting vulnerability in the admin configuration panel's site title parameter. Attackers can inject malicious JavaScript code through the 'maintitle' parameter to execute scripts when administrators view the page. [CVSS 5.4 MEDIUM]

XSS Cotonti Siena
NVD Exploit-DB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2021-47783 MEDIUM POC This Month

Phpwcms versions up to 1.9.30 is affected by unrestricted upload of file with dangerous type (CVSS 5.4).

XSS Phpwcms
NVD Exploit-DB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-15528 MEDIUM POC PATCH This Month

A vulnerability has been found in Open5GS up to 2.7.6. Affected by this vulnerability is an unknown functionality of the component GTPv2 Bearer Response Handler. [CVSS 5.3 MEDIUM]

Denial Of Service Open5gs
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-15529 MEDIUM POC PATCH This Month

A vulnerability was found in Open5GS up to 2.7.6. Affected by this issue is the function sgwc_s5c_handle_create_session_response of the file src/sgwc/s5c-handler.c. [CVSS 5.3 MEDIUM]

Denial Of Service Open5gs
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-15104 MEDIUM POC This Month

Nu Html Checker (validator.nu) contains a restriction bypass that allows remote attackers to make the server perform arbitrary HTTP/HTTPS requests to internal resources, including localhost services. [CVSS 5.3 MEDIUM]

DNS Validator
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2021-47800 MEDIUM POC This Month

b2evolution 7.2.2 contains a cross-site request forgery vulnerability that allows attackers to modify admin account details without authentication. Attackers can craft a malicious HTML form to submit unauthorized changes to user profiles by tricking victims into loading a specially crafted webpage. [CVSS 5.3 MEDIUM]

CSRF
NVD GitHub Exploit-DB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2021-47820 MEDIUM POC This Month

Ubee EVW327 contains a cross-site request forgery vulnerability that allows attackers to enable remote access without user interaction. Attackers can craft a malicious webpage that automatically submits a form to change router remote access settings to port 8080 without the user's consent. [CVSS 5.3 MEDIUM]

CSRF
NVD Exploit-DB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2021-47839 MEDIUM POC This Month

Marky 0.0.1 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into markdown files. Attackers can upload crafted markdown files with embedded JavaScript payloads that execute when the file is opened, potentially enabling remote code execution. [CVSS 7.2 HIGH]

RCE XSS
NVD GitHub Exploit-DB VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2021-47836 MEDIUM POC This Month

Markdown Explorer 0.1.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through file uploads and editor inputs. Attackers can upload markdown files with embedded JavaScript payloads to execute remote commands and potentially gain system access. [CVSS 6.1 MEDIUM]

XSS
NVD GitHub Exploit-DB VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-23724 MEDIUM POC PATCH This Month

Stored XSS in WeGIA's attendance incident form allows authenticated attackers to inject malicious scripts through unsanitized dropdown fields, affecting versions prior to 3.6.2. An attacker with login credentials can craft payloads that execute in other users' browsers when they view the affected page. Public exploit code exists for this vulnerability, and a patch is available in version 3.6.2 and later.

PHP XSS Wegia
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-23731 MEDIUM POC PATCH This Month

WeGIA prior to version 3.6.2 lacks framing protection headers (X-Frame-Options and Content-Security-Policy), allowing attackers to perform clickjacking attacks by embedding the application within malicious web pages to trick users into unintended actions. Public exploit code exists for this vulnerability, affecting charitable institutions using vulnerable versions of the web manager.

XSS Wegia
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14435 MEDIUM PATCH This Month

Mattermost versions 10.11.x <= 10.11.8, 11.1.x <= 11.1.1, 11.0.x <= 11.0.6 fail to prevent infinite re-renders on API errors which allows authenticated users to cause application-level DoS via triggering unbounded component re-render loops. [CVSS 6.8 MEDIUM]

Denial Of Service Mattermost Server Suse
NVD
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-24531 MEDIUM PATCH This Month

In OpenSC pam_pkcs11 before 0.6.13, pam_sm_authenticate() wrongly returns PAM_IGNORE in many error situations (such as an error triggered by a smartcard before login), allowing authentication bypass. [CVSS 6.7 MEDIUM]

Authentication Bypass Red Hat Suse
NVD GitHub
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-12641 MEDIUM This Month

The Awesome Support - WordPress HelpDesk & Support Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in all versions up to, and including, 6.3.6. [CVSS 6.5 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-22876 MEDIUM This Month

TOA Corporation TRIFORA 3 series network cameras contain a path traversal vulnerability that allows authenticated users with monitoring privileges or higher to read arbitrary files from the device. An attacker with valid credentials can exploit this flaw to access sensitive information stored on the affected cameras. No patch is currently available for this vulnerability.

Path Traversal
NVD
CVSS 3.0
6.5
EPSS
0.0%
CVE-2026-0696 MEDIUM This Month

Professional Service Automation contains a vulnerability that allows attackers to client-side scripts access to session cookie values (CVSS 6.5).

Information Disclosure Professional Service Automation
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-0949 MEDIUM This Month

Postgres Enterprise Manager versions up to 9.8.1 is affected by cross-site scripting (xss) (CVSS 6.5).

XSS Postgres Enterprise Manager
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1000 MEDIUM This Month

The MailerLite WooCommerce integration plugin for WordPress fails to validate user permissions in its resetIntegration() function, allowing authenticated users with Subscriber-level access to delete critical plugin data including customer cart records and sync histories. Attackers can reset integration settings and drop associated database tables, resulting in complete loss of operational data without administrative authorization. No patch is currently available for versions up to 3.1.3.

WordPress
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-0913 MEDIUM This Month

Stored cross-site scripting in the User Submitted Posts WordPress plugin through version 20260110 allows authenticated Contributor-level users to inject malicious scripts via the 'usp_access' shortcode due to inadequate input sanitization. When other users visit pages containing the injected payload, the attacker's JavaScript executes in their browsers, potentially enabling session hijacking or unauthorized actions. No patch is currently available to remediate this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0916 MEDIUM This Month

Stored XSS in the Related Posts by Taxonomy WordPress plugin through version 2.7.6 allows contributors and higher-privileged authenticated users to inject malicious scripts into shortcode attributes that execute in other users' browsers. The vulnerability stems from inadequate input sanitization and output escaping, enabling attackers to compromise page content viewed by site visitors. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14375 MEDIUM This Month

The RSS Aggregator - RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-23528 MEDIUM PATCH This Month

Dask distributed is a distributed task scheduler for Dask. [CVSS 6.1 MEDIUM]

Linux Python AI / ML Dask
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1011 MEDIUM This Month

Stored XSS in Altium Live's Support Center AddComment endpoint allows attackers to inject malicious JavaScript that persists and executes when support staff or other users view affected support cases. The vulnerability stems from inadequate server-side input validation that bypasses client-side HTML escaping, enabling attackers to compromise elevated-privilege support accounts through victim browser execution. No patch is currently available.

XSS Altium Live
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-23769 MEDIUM PATCH This Month

lucy-xss-filter before commit e5826c0 contains a cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in users' browsers through improper input sanitization caused by misconfigured default filter rules. The vulnerability requires user interaction to trigger and affects the confidentiality and integrity of web applications relying on this filter. A patch is available to address the misconfigured rule set.

XSS Lucy Xss Filter
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-43508 MEDIUM This Month

Macos versions up to 26.0 is affected by insertion of sensitive information into log file (CVSS 5.5).

Apple macOS
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-23643 MEDIUM PATCH This Month

CakePHP versions prior to 5.2.12 and 5.3.1 contain a stored cross-site scripting vulnerability in the PaginatorHelper::limitControl() method that allows unauthenticated attackers to inject malicious scripts through query string parameters. An attacker can exploit this to steal session cookies, perform unauthorized actions, or redirect users to malicious sites. The vulnerability requires user interaction to trigger but affects all installations using the vulnerable PaginatorHelper component.

Red Hat Cakephp
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-21624 MEDIUM This Month

Insufficient input validation in the Easy Discuss component for Joomla allows authenticated users to inject persistent cross-site scripting (XSS) payloads through user avatar text fields. An attacker with valid credentials can exploit this to execute malicious scripts in the browsers of other users viewing affected content. The vulnerability affects Joomla installations using the vulnerable Easy Discuss component, with no patch currently available.

Joomla XSS Easydiscuss
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-21623 MEDIUM This Month

Stored cross-site scripting in Joomla's Easy Discuss component allows authenticated users to inject malicious scripts into forum posts due to insufficient input validation. An attacker with login credentials can execute arbitrary JavaScript in the browsers of other users viewing affected posts, potentially leading to session hijacking or credential theft. No patch is currently available for this vulnerability.

Joomla XSS Easydiscuss
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-14757 MEDIUM PATCH This Month

The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Bypass in all versions up to, and including, 3.6.9 only when used in combination with Cost Calculator Builder PRO. This is due to the complete_payment AJAX action being registered via wp_ajax_nopriv, making it accessible to unauthenticated users, and the complete() function only verifying a nonce without checking user capabilities or order ownership. Since nonces are exposed to all visitors via wi...

WordPress Cost Calculator Builder PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-0939 MEDIUM This Month

Rede Itaú for WooCommerce (WordPress plugin) versions up to 5.1.2. is affected by insufficient verification of data authenticity (CVSS 5.3).

WordPress Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-0942 MEDIUM This Month

The Rede Itaú for WooCommerce plugin versions up to 5.1.2 lack proper authentication controls on the clearOrderLogs() function, allowing unauthenticated attackers to remotely delete order log metadata from WooCommerce installations. This missing capability check enables data tampering on affected WordPress sites without requiring user credentials. No patch is currently available for this vulnerability.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-1020 MEDIUM This Month

Gotac's Police Statistics Database System contains a path traversal vulnerability that enables unauthenticated remote attackers to enumerate system directories and access sensitive files. The flaw affects industrial and law enforcement deployments with network accessibility, potentially exposing confidential database contents and system architecture details. No patch is currently available for this medium-severity vulnerability.

Industrial Path Traversal Police Statistics Database System
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-1004 MEDIUM This Month

Essential Addons for Elementor (WordPress plugin) versions up to 6.5.5 is affected by missing authorization (CVSS 5.3).

WordPress Information Disclosure
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy