Skip to main content

CWE-692

Incomplete Denylist to Cross-Site Scripting

4 CVEs Avg CVSS 5.3 MITRE
0
CRITICAL
0
HIGH
4
MEDIUM
0
LOW
2
POC
0
KEV

Monthly

CVE-2026-15295 MEDIUM This Month

Stored Cross-Site Scripting in the Ajax Load More WordPress plugin (versions through 7.0.1) allows authenticated administrators to inject persistent malicious scripts into pages served to other users. The vulnerability stems from insufficient input sanitization and output escaping in admin-facing settings fields. Exploitation is constrained to WordPress multisite environments or sites with unfiltered_html disabled, and no public exploit or KEV listing exists at time of analysis, keeping real-world risk moderate despite the network-accessible vector.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.2%
CVE-2025-20240 MEDIUM This Month

A vulnerability in the Web Authentication feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting attack (XSS) on an affected. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco Apple XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-49590 MEDIUM POC PATCH This Month

CryptPad is a collaboration suite. Prior to version 2025.3.0, the "Link Bouncer" functionality attempts to filter javascript URIs to prevent Cross-Site Scripting (XSS), however this can be bypassed. There is an "early allow" code path that happens before the URI's protocol/scheme is checked, which a maliciously crafted URI can follow. This issue has been patched in version 2025.3.0.

XSS Cryptpad
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2024-30924 MEDIUM POC This Month

Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary code via the checkin.php component. Rated medium severity (CVSS 4.6), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP XSS Derbynet
NVD
CVSS 3.1
4.6
EPSS
0.3%
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the Ajax Load More WordPress plugin (versions through 7.0.1) allows authenticated administrators to inject persistent malicious scripts into pages served to other users. The vulnerability stems from insufficient input sanitization and output escaping in admin-facing settings fields. Exploitation is constrained to WordPress multisite environments or sites with unfiltered_html disabled, and no public exploit or KEV listing exists at time of analysis, keeping real-world risk moderate despite the network-accessible vector.

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

A vulnerability in the Web Authentication feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting attack (XSS) on an affected. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco Apple XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

CryptPad is a collaboration suite. Prior to version 2025.3.0, the "Link Bouncer" functionality attempts to filter javascript URIs to prevent Cross-Site Scripting (XSS), however this can be bypassed. There is an "early allow" code path that happens before the URI's protocol/scheme is checked, which a maliciously crafted URI can follow. This issue has been patched in version 2025.3.0.

XSS Cryptpad
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM POC This Month

Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary code via the checkin.php component. Rated medium severity (CVSS 4.6), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP XSS +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy