Skip to main content
CVE-2025-67124 MEDIUM POC PATCH This Month

Miniserve versions up to 0.32.0 is affected by improper link resolution before file access (CVSS 6.8).

Race Condition Miniserve
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2021-47906 MEDIUM POC This Month

BloofoxCMS 0.5.2.1 contains a stored cross-site scripting vulnerability in the articles text parameter that allows authenticated attackers to inject malicious scripts. [CVSS 6.4 MEDIUM]

XSS
NVD GitHub Exploit-DB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-24127 MEDIUM POC PATCH This Month

Reflected XSS in Typemill's login error page allows unauthenticated attackers to inject malicious scripts by crafting requests with specially formatted usernames, since the username parameter lacks proper encoding when displayed after failed authentication attempts. Typemill versions 2.19.1 and below are affected, and public exploit code exists for this vulnerability. Version 2.19.2 contains the fix.

XSS Typemill
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-70458 MEDIUM POC This Month

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the DomainCheckerApp class within domain/script.js of Sourcecodester Domain Availability Checker v1.0. [CVSS 5.4 MEDIUM]

XSS Domain Availability Checker
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2021-47905 MEDIUM POC This Month

account deletion reason input field. Attackers can inject malicious scripts is affected by cross-site scripting (xss) (CVSS 6.1).

XSS Delete Account
NVD GitHub Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2018-25132 MEDIUM POC This Month

MyBB Trending Widget Plugin 1.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through thread titles. Attackers can modify thread titles with script payloads that will execute when other users view the trending widget. [CVSS 6.1 MEDIUM]

XSS Trending Widget
NVD GitHub Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2018-25116 MEDIUM POC This Month

custom text input field for thread redirects. Attackers can inject malicious SVG scripts is affected by cross-site scripting (xss) (CVSS 6.1).

XSS Thread Redirect
NVD GitHub Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2025-71177 MEDIUM POC This Month

LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. [CVSS 5.4 MEDIUM]

XSS Lavalite
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2025-67125 MEDIUM POC This Month

A signed integer overflow in docopt.cpp v0.6.2 (LeafPattern::match in docopt_private.h) when merging occurrence counters (e.g., default LONG_MAX + first user "-v/--verbose") can cause counter wrap (negative/unbounded semantics) and lead to logic/policy bypass in applications that rely on occurrence-based limits, rate-gating, or safety toggles. [CVSS 4.4 MEDIUM]

Integer Overflow Docopt.Cpp
NVD GitHub
CVSS 3.1
4.4
EPSS
0.0%
CVE-2021-47899 MEDIUM POC This Month

YetiShare File Hosting Script 5.1.0 contains a server-side request forgery vulnerability that allows attackers to read local system files through the remote file upload feature. [CVSS 4.0 MEDIUM]

SSRF
NVD Exploit-DB
CVSS 3.1
4.0
EPSS
0.1%
CVE-2025-14947 MEDIUM This Month

The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_callback_delete_bunny_stream_video` functions in all versions up to, and including, 4.6.4. [CVSS 6.5 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24630 MEDIUM This Month

Design Stylish Cost Calculator stylish-cost-calculator is affected by cross-site scripting (xss) (CVSS 6.5).

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24617 MEDIUM This Month

Stored XSS in Easy Modal WordPress plugin through version 2.1.0 enables authenticated attackers to inject malicious scripts that execute in the browsers of other users. An attacker with login credentials can store arbitrary JavaScript through improper input validation, affecting all visitors who view the compromised content. No patch is currently available to remediate this vulnerability.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24565 MEDIUM This Month

The B Accordion WordPress plugin through version 2.0.0 exposes sensitive data in transmitted communications due to improper handling of embedded information. An authenticated attacker can intercept and retrieve this sensitive data, potentially compromising confidential information. No patch is currently available for this vulnerability.

Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24528 MEDIUM This Month

DOM-based cross-site scripting in pixelgrade Nova Blocks through version 2.1.9 enables authenticated attackers to inject malicious scripts that execute in users' browsers with limited privileges. An attacker with valid credentials can craft requests to manipulate the page generation process, potentially compromising confidentiality, integrity, and availability across different security contexts. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24526 MEDIUM This Month

The Email Inquiry & Cart Options for WooCommerce plugin through version 3.4.3 contains a DOM-based cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting improper input neutralization. An attacker with user-level access can craft requests that execute arbitrary JavaScript in victims' browsers, potentially compromising user sessions or stealing sensitive data. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24616 MEDIUM This Month

Damian WP Popups plugin for WordPress versions up to 2.2.0.3 contains an authorization bypass that allows authenticated users to access sensitive information through improperly configured access controls. An attacker with low-privilege WordPress credentials could exploit this to read confidential data without proper authorization. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24585 MEDIUM This Month

Hyyan Abo Fakher Hyyan WooCommerce Polylang Integration woo-poly-integration is affected by missing authorization (CVSS 6.5).

WordPress
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24566 MEDIUM This Month

iNET Webkit through version 1.2.4 contains a missing authorization control vulnerability that allows authenticated users to bypass access control restrictions and gain unauthorized read access to sensitive information. An attacker with valid credentials could exploit improperly configured security levels to access data they should not have permission to view. No patch is currently available for this vulnerability.

NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24558 MEDIUM This Month

Stored XSS in ABG Rich Pins version 1.1 and earlier permits authenticated users to inject malicious scripts that execute in other users' browsers when viewing affected pages. An attacker with plugin access could deface content or steal session data from site visitors. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24555 MEDIUM This Month

Stored cross-site scripting in ArtPlacer Widget versions 2.23.1 and earlier enables attackers to inject malicious scripts that execute in users' browsers when viewing affected web pages. An unauthenticated attacker can exploit improper input validation during web page generation to compromise user sessions and steal sensitive data. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24550 MEDIUM This Month

Stored Cross-Site Scripting (XSS) in Kaira Blockons versions up to 1.2.15 enables authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially compromising session tokens or performing actions on their behalf. The vulnerability requires user interaction to trigger and has limited scope, but impacts both confidentiality and integrity. No patch is currently available.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-22274 MEDIUM This Month

Elastic Cloud Storage versions up to 3.8.1.7 is affected by cleartext transmission of sensitive information (CVSS 6.5).

Information Disclosure Dell Objectscale Elastic Cloud Storage
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-0767 MEDIUM This Month

Open WebUI transmits authentication credentials in cleartext over the network, enabling adjacent attackers to intercept and obtain sensitive information without authentication. This information disclosure vulnerability can facilitate unauthorized access and further compromise of affected systems. No patch is currently available.

Information Disclosure Open Webui
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24601 MEDIUM This Month

Stored XSS in Penci Pay Writer versions up to 1.5 allows authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially compromising sensitive data or session information. The vulnerability stems from insufficient input validation during web page generation and requires user interaction to trigger. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24600 MEDIUM This Month

Stored cross-site scripting in PenciDesign Penci Review through version 3.5 enables authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially compromising user sessions and data. The vulnerability requires user interaction to trigger and affects the web application's page generation functionality. No patch is currently available.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24591 MEDIUM This Month

yasir129 Turn Yoast SEO FAQ Block to Accordion faq-schema-block-to-accordion is affected by cross-site scripting (xss) (CVSS 5.4).

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24576 MEDIUM This Month

COP UX Flat through version 5.4.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into web pages, affecting all users who view the compromised content. An attacker with user-level access can craft malicious input that persists in the application and executes in victims' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-14069 MEDIUM This Month

The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'saswp_custom_schema_field' profile field in all versions up to, and including, 1.54 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-15522 MEDIUM This Month

The Uncanny Automator - Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automator_discord_user_mapping shortcode in all versions up to, and including, 6.10.0.2 due to insufficient input sanitization and output escaping on the verified_message parameter. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0914 MEDIUM This Month

Stored cross-site scripting in the WP DSGVO Tools WordPress plugin through version 3.1.36 allows authenticated contributors and higher-privileged users to inject malicious scripts into pages via the 'lw_content_block' shortcode due to improper input sanitization. When visitors access affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14745 MEDIUM This Month

The RSS Aggregator - RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp-rss-aggregator' shortcode in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0788 MEDIUM This Month

8180 Ip Audio Alerter Firmware versions up to 5.5 is affected by cross-site scripting (xss) (CVSS 6.1).

Golang XSS 8180 Ip Audio Alerter Firmware
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-1386 MEDIUM This Month

Firecracker contains a vulnerability that allows attackers to a local host user with write access to the pre-created jailer directories to ove (CVSS 6.0).

Linux Firecracker Red Hat Suse
NVD GitHub
CVSS 3.1
6.0
EPSS
0.0%
CVE-2025-67231 MEDIUM This Month

A reflected cross-site scripting (XSS) vulnerability in ToDesktop Builder v0.33.1 allows attackers to execute arbitrary code in the context of a user's browser via a crafted payload. [CVSS 5.9 MEDIUM]

XSS Builder
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24632 MEDIUM This Month

DOM-based cross-site scripting (XSS) in the Delay Redirects browser extension through version 1.0.0 enables attackers to inject malicious scripts that execute in users' browsers. An attacker can exploit this vulnerability to steal sensitive data, session cookies, or perform actions on behalf of affected users. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24629 MEDIUM This Month

Stored cross-site scripting in Ability Inc's Web Accessibility with Max Access toolbar (versions through 2.1.0) enables authenticated users with high privileges to inject malicious scripts that execute in other users' browsers. An attacker with administrative access could manipulate the toolbar to store XSS payloads that compromise confidentiality, integrity, and availability of the affected web application. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24626 MEDIUM This Month

Stored cross-site scripting in LogicHunt Logo Slider WordPress plugin versions up to 4.9.0 enables authenticated attackers with high privileges to inject malicious scripts that execute in other users' browsers. An attacker could leverage this to steal session tokens, deface content, or perform actions on behalf of affected users. No patch is currently available.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24620 MEDIUM This Month

PluginOps Landing Page Builder page-builder-add is affected by cross-site scripting (xss) (CVSS 5.9).

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24614 MEDIUM This Month

Devsbrain Flex QR Code Generator flex-qr-code-generator is affected by cross-site scripting (xss) (CVSS 5.9).

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24621 MEDIUM This Month

Vladimir Statsenko Terms descriptions terms-descriptions is affected by cross-site scripting (xss) (CVSS 4.8).

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-9290 MEDIUM This Month

An authentication weakness was identified in Omada Controllers, Gateways and Access Points, controller-device adoption due to improper handling of random values.

Information Disclosure Eap100 Bridge Kit Firmware Er605 Firmware Eap723 Firmware Eap215 Bridge Kit Firmware +52
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24584 MEDIUM This Month

Themeum Tutor LMS BunnyNet Integration tutor-lms-bunnynet-integration is affected by cross-site scripting (xss) (CVSS 5.9).

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24594 MEDIUM This Month

livemesh Livemesh Addons for WPBakery Page Builder addons-for-visual-composer is affected by cross-site scripting (xss) (CVSS 4.8).

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24137 MEDIUM PATCH This Month

The Golang sigstore framework versions 1.10.3 and below fail to validate cache directory paths in the legacy TUF client, allowing a malicious TUF repository to overwrite arbitrary files on disk within the calling process's permission scope. This impacts direct users of the TUF client in sigstore/sigstore and older Cosign versions, though public Sigstore deployments are protected by metadata validation from trusted collaborators. No patch is currently available for this medium-severity path traversal vulnerability.

Golang Github Red Hat Suse
NVD GitHub
CVSS 3.1
5.8
EPSS
0.0%
CVE-2026-22992 MEDIUM PATCH This Month

The Linux kernel's Ceph authentication handler fails to properly propagate errors from mon_handle_auth_done(), allowing the msgr2 protocol to proceed with session establishment even when authentication fails in secure mode. This can trigger a NULL pointer dereference in prepare_auth_signature(), causing a denial of service on systems using Ceph for storage or communication. Local attackers with privileges to interact with Ceph authentication can crash the kernel or cause system instability.

Linux Null Pointer Dereference Denial Of Service
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71154 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: net: usb: rtl8150: fix memory leak on usb_submit_urb() failure In async_set_registers(), when usb_submit_urb() fails, the allocated async_req structure and URB are not freed, causing a memory leak. [CVSS 5.5 MEDIUM]

Linux Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-22993 MEDIUM PATCH This Month

The Linux kernel's idpf driver contains a NULL pointer dereference in its RSS LUT handling that can be triggered when ethtool commands access the RSS lookup table immediately after a soft reset. Local users with standard privileges can crash the system by performing queue count changes followed by ethtool operations on the affected network interface. A patch is available to properly manage RSS LUT state during soft resets based on queue count changes.

Linux Null Pointer Dereference Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-22987 MEDIUM PATCH This Month

A null pointer dereference in the Linux kernel's traffic control action module (act_api) causes a denial of service during network namespace teardown when invalid error pointers are dereferenced. A local attacker with low privileges can trigger this crash by manipulating tc actions during system shutdown or container termination. A patch is available to guard against ERR_PTR entries during action cleanup.

Linux Denial Of Service Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-22985 MEDIUM PATCH This Month

The Linux kernel's idpf driver crashes with a NULL pointer dereference when ethtool RSS operations are performed before the network interface is brought up, affecting systems using this driver. A local attacker with unprivileged user access can trigger a denial of service by executing RSS configuration commands on a down interface. The vulnerability is resolved by initializing the RSS lookup table during vport creation rather than at interface startup.

Linux Null Pointer Dereference Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy