Monthly
Stored Cross-Site Scripting in the Ajax Load More WordPress plugin (versions through 7.0.1) allows authenticated administrators to inject persistent malicious scripts into pages served to other users. The vulnerability stems from insufficient input sanitization and output escaping in admin-facing settings fields. Exploitation is constrained to WordPress multisite environments or sites with unfiltered_html disabled, and no public exploit or KEV listing exists at time of analysis, keeping real-world risk moderate despite the network-accessible vector.
A vulnerability in the Web Authentication feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting attack (XSS) on an affected. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
CryptPad is a collaboration suite. Prior to version 2025.3.0, the "Link Bouncer" functionality attempts to filter javascript URIs to prevent Cross-Site Scripting (XSS), however this can be bypassed. There is an "early allow" code path that happens before the URI's protocol/scheme is checked, which a maliciously crafted URI can follow. This issue has been patched in version 2025.3.0.
Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary code via the checkin.php component. Rated medium severity (CVSS 4.6), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Stored Cross-Site Scripting in the Ajax Load More WordPress plugin (versions through 7.0.1) allows authenticated administrators to inject persistent malicious scripts into pages served to other users. The vulnerability stems from insufficient input sanitization and output escaping in admin-facing settings fields. Exploitation is constrained to WordPress multisite environments or sites with unfiltered_html disabled, and no public exploit or KEV listing exists at time of analysis, keeping real-world risk moderate despite the network-accessible vector.
A vulnerability in the Web Authentication feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting attack (XSS) on an affected. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
CryptPad is a collaboration suite. Prior to version 2025.3.0, the "Link Bouncer" functionality attempts to filter javascript URIs to prevent Cross-Site Scripting (XSS), however this can be bypassed. There is an "early allow" code path that happens before the URI's protocol/scheme is checked, which a maliciously crafted URI can follow. This issue has been patched in version 2025.3.0.
Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary code via the checkin.php component. Rated medium severity (CVSS 4.6), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.