Skip to main content
CVE-2026-0608 MEDIUM This Month

Stored XSS in WordPress Head Meta Data plugin (versions up to 20251118) allows authenticated contributors and above to inject malicious scripts into post metadata that execute when users visit affected pages, due to inadequate input sanitization. An attacker with contributor-level access can exploit insufficient output escaping to persistently compromise page content across all site visitors. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-36408 MEDIUM This Month

IBM ApplinX 11.1 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. [CVSS 6.4 MEDIUM]

IBM XSS Applinx
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-36115 MEDIUM This Month

Sterling Connect\ versions up to express_adapter_for_sterling_b2b_integrator is affected by session fixation (CVSS 6.3).

IBM
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-36065 MEDIUM This Month

Sterling Connect\ versions up to express_adapter_for_sterling_b2b_integrator is affected by insufficient session expiration (CVSS 6.3).

IBM
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-36063 MEDIUM This Month

Sterling Connect\ versions up to express_adapter_for_sterling_b2b_integrator is affected by insufficient session expiration (CVSS 6.3).

IBM
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-36066 MEDIUM This Month

Sterling Connect\ versions up to express_adapter_for_sterling_b2b_integrator is affected by cross-site scripting (xss) (CVSS 6.1).

IBM XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-67263 MEDIUM This Month

Abacre Retail Point of Sale 14.0.0.396 is affected by a stored cross-site scripting (XSS) vulnerability in the Clients module. The application fails to properly sanitize user-supplied input stored in the Name and Surname fields. [CVSS 6.1 MEDIUM]

XSS Retail Point Of Sale
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-67824 MEDIUM This Month

WorklogPRO - Jira Timesheets plugin in the Jira Data Center versions up to 4.24.2 is affected by cross-site scripting (xss) (CVSS 6.1).

Jira XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-66523 MEDIUM This Month

URL parameters are directly embedded into JavaScript code or HTML attributes without proper encoding or sanitization. This allows attackers to inject arbitrary scripts when an authenticated user visits a crafted link. [CVSS 6.1 MEDIUM]

XSS Esign
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-21664 MEDIUM This Month

Revive Adserver's afr.php script contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through crafted URLs targeting logged-in administrators. An attacker can exploit this to execute arbitrary JavaScript in an admin's browser session, potentially leading to unauthorized actions or credential theft. No patch is currently available for this vulnerability.

PHP XSS Revive Adserver
NVD
CVSS 3.0
6.1
EPSS
0.0%
CVE-2026-21663 MEDIUM This Month

Revive Adserver's banner-acl.php script contains a reflected cross-site scripting vulnerability that allows attackers to execute arbitrary scripts in the browsers of authenticated administrators through a crafted URL. An attacker can inject malicious HTML payloads into vulnerable parameters, which execute when an admin visits the malicious link, potentially compromising administrative sessions and server configuration. No patch is currently available for this vulnerability.

PHP XSS Revive Adserver
NVD
CVSS 3.0
6.1
EPSS
0.0%
CVE-2026-21642 MEDIUM This Month

Revive Adserver's banner-acl.php and channel-acl.php scripts contain reflected cross-site scripting vulnerabilities that allow attackers to execute arbitrary JavaScript in an administrator's browser by crafting malicious URLs. An authenticated attacker can exploit this to perform actions with administrative privileges if a logged-in admin visits the crafted link. No patch is currently available for this vulnerability affecting PHP-based Revive Adserver installations.

PHP XSS Revive Adserver
NVD
CVSS 3.0
6.1
EPSS
0.0%
CVE-2026-21961 MEDIUM This Month

Unauthenticated attackers can exploit a cross-site request forgery vulnerability in Oracle PeopleSoft Enterprise HCM Human Resources 9.2 through the Company Directory/Org Chart Viewer component to read, modify, or delete sensitive employee data via HTTP with user interaction. The vulnerability requires a victim to click a malicious link but impacts multiple PeopleSoft products and modules beyond the initial target. No patch is currently available for this medium-severity issue (CVSS 6.1).

Oracle Peoplesoft Enterprise Hcm Human Resources
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-21951 MEDIUM This Month

Peoplesoft Enterprise Peopletools versions up to 8.60 is affected by cross-site scripting (xss) (CVSS 6.1).

Oracle Peoplesoft Enterprise Peopletools
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-21946 MEDIUM This Month

JD Edwards EnterpriseOne Tools versions 9.2.0.0 through 9.2.26.0 are vulnerable to cross-site scripting (XSS) in the Web Runtime SEC component, allowing unauthenticated attackers to manipulate data and read sensitive information through HTTP with user interaction. The vulnerability has network-wide scope, potentially compromising connected systems beyond the primary application. No patch is currently available.

Oracle Jd Edwards Enterpriseone Tools
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-21943 MEDIUM This Month

Reflected cross-site scripting in Oracle E-Business Suite Scripting Admin (versions 12.2.3-12.2.15) allows unauthenticated attackers to modify or read sensitive data via malicious HTTP requests that require user interaction. The vulnerability can impact other Oracle products due to scope changes and currently lacks an available patch. CVSS 6.1 (Medium) reflects low-complexity network-based exploitation with confidentiality and integrity impacts.

Oracle Scripting
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-21966 MEDIUM This Month

Hospitality Opera 5 versions up to 5.6.19.23 contains a vulnerability that allows attackers to unauthorized update, insert or delete access to some of Oracle Hospitality OPERA (CVSS 6.1).

Oracle Hospitality Opera 5
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-21938 MEDIUM This Month

Peoplesoft Enterprise Peopletools versions up to 8.60 contains a vulnerability that allows attackers to unauthorized update, insert or delete access to some of PeopleSoft Enterprise Pe (CVSS 6.1).

Oracle Peoplesoft Enterprise Peopletools
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-21933 MEDIUM PATCH CISA This Month

Graalvm versions up to 21.3.16 contains a vulnerability that allows attackers to unauthorized update, insert or delete access to some of Oracle Java SE, Oracle G (CVSS 6.1).

Oracle Java Authentication Bypass
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-21985 MEDIUM This Month

Vm Virtualbox versions up to 7.1.14 contains a vulnerability that allows attackers to unauthorized access to critical data or complete access to all Oracle VM Virtual (CVSS 6.0).

Oracle Virtualbox Vm Virtualbox Suse
NVD
CVSS 3.1
6.0
EPSS
0.0%
CVE-2026-21963 MEDIUM This Month

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. [CVSS 6.0 MEDIUM]

Oracle Virtualbox Vm Virtualbox Suse
NVD
CVSS 3.1
6.0
EPSS
0.0%
CVE-2025-15366 MEDIUM PATCH This Month

The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.

Command Injection Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.1%
CVE-2025-1722 MEDIUM This Month

Concert versions up to 2.1.0 contains a vulnerability that allows attackers to a remote attacker to obtain sensitive information from allocated memory due to i (CVSS 5.9).

IBM Concert
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2025-1719 MEDIUM This Month

Concert versions up to 2.1.0 contains a vulnerability that allows attackers to a remote attacker to obtain sensitive information from allocated memory due to i (CVSS 5.9).

IBM Concert
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2025-58742 MEDIUM This Month

Imagedirector Capture versions up to 7.6.3.25808. is affected by insufficiently protected credentials (CVSS 5.9).

Windows Imagedirector Capture
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-1180 MEDIUM PATCH This Month

Keycloak's OpenID Connect Dynamic Client Registration feature fails to validate jwks_uri values when clients authenticate via private_key_jwt, allowing attackers to redirect the server to arbitrary network endpoints. This enables reconnaissance and information disclosure attacks against internal services and cloud metadata endpoints accessible from the Keycloak server. No patch is currently available for this MEDIUM severity vulnerability.

Information Disclosure SSRF Red Hat
NVD
CVSS 3.1
5.8
EPSS
0.0%
CVE-2026-21935 MEDIUM This Month

Solaris versions up to 11 contains a vulnerability that allows attackers to unauthorized creation, deletion or modification access to critical data or all O (CVSS 5.8).

Oracle Solaris
NVD
CVSS 3.1
5.8
EPSS
0.0%
CVE-2026-21927 MEDIUM This Month

Solaris versions up to 10 contains a vulnerability that allows attackers to unauthorized creation, deletion or modification access to critical data or all O (CVSS 5.8).

Oracle Solaris
NVD
CVSS 3.1
5.8
EPSS
0.0%
CVE-2025-41768 MEDIUM This Month

An high privileged remote attacker can inject arbitrary content into the custom CSS field on the affected devices due to improper neutralization of input during web page generation ('Cross-site Scripting'). [CVSS 5.5 MEDIUM]

XSS
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-14369 MEDIUM This Month

dr_flac, an audio decoder within the dr_libs toolset, contains an integer overflow vulnerability flaw due to trusting the totalPCMFrameCount field from FLAC metadata before calculating buffer size, allowing an attacker with a specially crafted file to perform DoS against programs using the tool. [CVSS 5.5 MEDIUM]

Integer Overflow Denial Of Service Red Hat
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-36058 MEDIUM This Month

Business Automation Workflow versions up to 24.0.0 is affected by insertion of sensitive information into externally-accessible file (CVSS 5.5).

IBM Business Automation Workflow
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-58740 MEDIUM This Month

Imagedirector Capture versions up to 7.6.3.25808. is affected by use of hard-coded cryptographic key (CVSS 5.5).

Windows Imagedirector Capture
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-15043 MEDIUM This Month

The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'start_migration', 'cancel_migration', and 'revert_migration' functions in all versions up to, and including, 6.15.13. [CVSS 5.4 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-0548 MEDIUM This Month

Tutor LMS plugin for WordPress through version 3.9.4 fails to validate user permissions on the delete_existing_user_photo function, allowing authenticated subscribers and higher-privileged users to delete arbitrary attachments. This integrity and availability vulnerability requires an active WordPress account but no elevated privileges, making it exploitable by low-level users to disrupt site content.

WordPress
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-15466 MEDIUM This Month

Image Photo Gallery Final Tiles Grid (WordPress plugin) versions up to 3.6.9. is affected by missing authorization (CVSS 5.4).

WordPress PHP
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-36397 MEDIUM This Month

IBM Application Gateway 23.10 through 25.09 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. [CVSS 5.4 MEDIUM]

IBM Application Gateway
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-0903 MEDIUM PATCH This Month

Google Chrome's Downloads feature on Windows versions before 144.0.7559.59 fails to properly validate file types, enabling remote attackers to circumvent safety protections for dangerous files through crafted malicious uploads. An unauthenticated attacker can exploit this via a specially designed file to bypass download security warnings. No patch is currently available for this medium-severity vulnerability.

Google Windows Chrome Suse
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-41025 MEDIUM This Month

Poultry Farm Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 5.4).

PHP XSS Poultry Farm Management System
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-41024 MEDIUM This Month

Poultry Farm Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 5.4).

PHP XSS Poultry Farm Management System
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-0904 MEDIUM PATCH This Month

Chrome versions up to 144.0.7559.59 is affected by user interface (ui) misrepresentation of critical information (CVSS 5.4).

Google Chrome Red Hat Suse
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-0901 MEDIUM PATCH This Month

Chrome versions up to 144.0.7559.59 is affected by user interface (ui) misrepresentation of critical information (CVSS 5.4).

Google Android Chrome Suse
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-36409 MEDIUM This Month

IBM ApplinX 11.1 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. [CVSS 5.4 MEDIUM]

IBM XSS Applinx
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-36396 MEDIUM This Month

IBM Application Gateway 23.10 through 25.09 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. [CVSS 5.4 MEDIUM]

IBM XSS Application Gateway
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-36113 MEDIUM This Month

Sterling Connect\ versions up to express_adapter_for_sterling_b2b_integrator is affected by cross-site scripting (xss) (CVSS 5.4).

IBM XSS
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-21971 MEDIUM This Month

Peoplesoft Supply Chain Management Purchasing versions up to 9.2 contains a vulnerability that allows attackers to unauthorized update, insert or delete access to some of PeopleSoft Enterprise SC (CVSS 5.4).

Oracle Peoplesoft Supply Chain Management Purchasing
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-21934 MEDIUM This Month

Peoplesoft Enterprise Peopletools versions up to 8.60 contains a vulnerability that allows attackers to unauthorized update, insert or delete access to some of PeopleSoft Enterprise Pe (CVSS 5.4).

Oracle Peoplesoft Enterprise Peopletools
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-21931 MEDIUM This Month

Apex versions up to 23.2.0 contains a vulnerability that allows attackers to unauthorized update, insert or delete access to some of Oracle APEX Sample Appli (CVSS 5.4).

Oracle Apex
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-21924 MEDIUM This Month

Utilities Framework versions up to 4.3.0.3.0 contains a vulnerability that allows attackers to unauthorized update, insert or delete access to some of Oracle Utilities Applica (CVSS 5.4).

Oracle Utilities Framework
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-14978 MEDIUM This Month

The PeachPay - Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability checks on the ConvesioPay webhook REST endpoint in all versions up to, and including, 1.119.8. [CVSS 5.3 MEDIUM]

WordPress .NET PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-14351 MEDIUM This Month

The Custom Fonts - Host Your Fonts Locally plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'BCF_Google_Fonts_Compatibility' class constructor function in all versions up to, and including, 2.1.16. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
Prev Page 2 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy