XSS
Monthly
wphocus My auctions allegro my-auctions-allegro-free-edition is affected by cross-site scripting (xss) (CVSS 7.1).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Reflected XSS.This issue affects JetEngine: from n/a through <= 3.7.7. [CVSS 7.1 HIGH]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CleverSoft Anon anon2x allows Reflected XSS.This issue affects Anon: from n/a through <= 2.2.10. [CVSS 7.1 HIGH]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in foreverpinetree TheNa thena allows Reflected XSS.This issue affects TheNa: from n/a through <= 1.5.5. [CVSS 7.1 HIGH]
ThemeGoods Grand Restaurant Theme Elements for Elementor grandrestaurant-elementor is affected by cross-site scripting (xss) (CVSS 5.4).
SEOSEON EUROPE S.L Affiliate Link Tracker affiliate-link-tracker is affected by cross-site scripting (xss) (CVSS 5.9).
adamlabs WordPress Photo Gallery photo-gallery-portfolio is affected by cross-site scripting (xss) (CVSS 6.1).
flexostudio flexo-posts-manager flexo-posts-manager is affected by cross-site scripting (xss) (CVSS 6.1).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ayecode Restaurante restaurante allows Reflected XSS.This issue affects Restaurante: from n/a through <= 3.0.7. [CVSS 6.1 MEDIUM]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jthemes xSmart xsmart allows Reflected XSS.This issue affects xSmart: from n/a through <= 1.2.9.4. [CVSS 6.1 MEDIUM]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer allows DOM-Based XSS.This issue affects tagDiv Composer: from n/a through <= 5.4.2. [CVSS 6.1 MEDIUM]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pondol Pondol BBS pondol-bbs allows Stored XSS.This issue affects Pondol BBS: from n/a through <= 1.1.8.4. [CVSS 5.4 MEDIUM]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ApusTheme Drone drone allows Reflected XSS.This issue affects Drone: from n/a through <= 1.40. [CVSS 6.1 MEDIUM]
LambertGroup Accordion Slider PRO accordion_slider_pro is affected by cross-site scripting (xss) (CVSS 6.1).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup xPromoter top_bar_promoter allows Reflected XSS.This issue affects xPromoter: from n/a through <= 1.3.4. [CVSS 6.1 MEDIUM]
highwarden Super Interactive Maps super-interactive-maps is affected by cross-site scripting (xss) (CVSS 6.1).
LambertGroup Magic Responsive Slider and Carousel WordPress magic_carousel is affected by cross-site scripting (xss) (CVSS 6.1).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Magic Slider magic_slider allows Reflected XSS.This issue affects Magic Slider: from n/a through <= 2.2. [CVSS 6.1 MEDIUM]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Image&Video FullScreen Background lbg_fullscreen_fullwidth_slider allows Reflected XSS.This issue affects Image&Video FullScreen Background: from n/a through <= 1.6.7. [CVSS 6.1 MEDIUM]
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in xtemos WoodMart woodmart allows Code Injection.This issue affects WoodMart: from n/a through <= 8.3.7. [CVSS 6.1 MEDIUM]
Benjamin Intal Stackable stackable-ultimate-gutenberg-blocks is affected by cross-site scripting (xss) (CVSS 5.4).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup HTML5 Video Player with Playlist & Multiple Skins lbg-vp2-html5-rightside allows Reflected XSS.This issue affects HTML5 Video Player with Playlist & Multiple Skins: from n/a through <= 5.3.5. [CVSS 6.1 MEDIUM]
LambertGroup HTML5 Video Player lbg-vp2-html5-bottom is affected by cross-site scripting (xss) (CVSS 6.1).
Quick.Cart is vulnerable to reflected XSS via the sSort parameter. An attacker can craft a malicious URL which, when opened, results in arbitrary JavaScript execution in the victim’s browser. [CVSS 6.1 MEDIUM]
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Aida Computer Information Technology Inc. Hotel Guest Hotspot allows Reflected XSS.This issue affects Hotel Guest Hotspot: through 22012026. [CVSS 5.5 MEDIUM]
Horilla HRMS version 1.4.0 contains insufficient input validation in its XSS prevention function, allowing attackers to bypass protections through context-agnostic regex patterns. Public exploit code exists for this vulnerability, enabling attackers to redirect users to malicious sites, execute arbitrary JavaScript, and steal CSRF tokens for use in admin-targeted attacks. The vulnerability affects Horilla 1.4.0 and has been patched in version 1.5.0.
Horilla versions up to 1.5.0 is affected by unrestricted upload of file with dangerous type (CVSS 5.4).
HTML injection in Project Release in Altium Enterprise Server (AES) 7.0.3 on all platforms allows an authenticated attacker to execute arbitrary JavaScript in the victim’s browser via crafted HTML content. [CVSS 7.6 HIGH]
A stored cross-site scripting (XSS) vulnerability in the BOM Viewer in Altium AES 7.0.3 allows an authenticated attacker to inject arbitrary JavaScript into the Description field of a schematic, which is executed when the BOM Viewer renders the affected content. [CVSS 6.8 MEDIUM]
Stored XSS in Group-Office through unsanitized filenames allows authenticated users to inject malicious scripts that execute when other users view affected files, potentially compromising sessions or triggering unintended browser actions. The vulnerability affects versions 6.8.148 and below, and 25.0.1 through 25.0.79, with public exploit code available. Patches are available in versions 6.8.149 and 25.0.80.
Stored XSS in Docmost 0.3.0-0.23.2 allows authenticated users to execute arbitrary JavaScript in the browsers of document viewers through malicious Mermaid diagram code blocks. The vulnerability exists because unsanitized SVG/HTML output from Mermaid rendering is directly injected into the DOM, and Mermaid's security controls can be disabled via diagram directives. Public exploit code exists for this vulnerability, which is fixed in version 0.24.0.
Stored XSS in Argo Workflows artifact directory listing (versions prior to 3.6.17 and 3.7.8) allows workflow authors to inject malicious JavaScript that executes in other users' browsers under the Argo Server origin. An attacker can leverage the victim's session to perform API actions and access resources with their privileges. Public exploit code exists for this vulnerability; patched versions are available.
Authenticated staff users in Saleor e-commerce platform versions 3.0.0 through 3.22.26 can upload malicious HTML and SVG files containing JavaScript that execute in users' browsers when served from the same domain as the dashboard, potentially allowing token theft. An attacker with staff privileges could craft script injections to compromise other staff members' sessions and access tokens. This vulnerability affects deployments where media files are hosted on the same domain as the dashboard and patches are available in versions 3.20.108, 3.21.43, and 3.22.27.
Saleor is an e-commerce platform. [CVSS 4.8 MEDIUM]
fleetdm/fleet is open source device management software. [CVSS 5.4 MEDIUM]
5ire AI assistant desktop application prior to version 0.10.0 has an output encoding vulnerability that allows malicious AI model responses to execute code through the Electron renderer.
VestaCP versions prior to 0.9.8-25 contain a cross-site scripting vulnerability in the IP interface configuration that allows attackers to inject malicious scripts. Attackers can exploit the 'v_interface' parameter by sending a crafted POST request to the add/ip/ endpoint with a stored XSS payload. [CVSS 7.2 HIGH]
GetSimple CMS My SMTP Contact Plugin 1.1.2 suffers from a Stored Cross-Site Scripting (XSS) vulnerability. The plugin attempts to sanitize user input using htmlspecialchars(), but this can be bypassed by passing dangerous characters as escaped hex bytes. [CVSS 5.4 MEDIUM]
GetSimple CMS Custom JS 0.1 plugin contains a cross-site request forgery vulnerability that allows unauthenticated attackers to inject arbitrary client-side code into administrator browsers. [CVSS 5.3 MEDIUM]
Genexis Platinum-4410 P4410-V2-1.31A contains a stored cross-site scripting vulnerability in the 'start_addr' parameter of the Security Management interface. [CVSS 7.2 HIGH]
Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in the calendar event subtitle field that allows attackers to inject malicious scripts. [CVSS 7.2 HIGH]
Openlitespeed 1.7.9 contains a stored cross-site scripting vulnerability in the dashboard's Notes parameter that allows administrators to inject malicious scripts. [CVSS 7.2 HIGH]
OpenEMR 5.0.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript through user profile parameters. [CVSS 5.4 MEDIUM]
Stored XSS vulnerabilities in Cisco Packaged CCE and Unified CCE web management interfaces allow authenticated attackers to inject malicious scripts by exploiting insufficient input validation. Successful exploitation enables arbitrary script execution within the management interface context or theft of sensitive browser-based information from authorized users. No patch is currently available; exploitation requires high-level privileges and user interaction.
Stored XSS vulnerabilities in Cisco Packaged CCE and Unified CCE web management interfaces allow authenticated attackers to inject malicious scripts that execute in the context of other users' browsers, potentially enabling session hijacking or sensitive data theft. The vulnerability stems from inadequate input validation on specific interface pages and requires high-privilege account access and user interaction to exploit. No patch is currently available for this medium-severity issue (CVSS 4.8).
The WorklogPRO - Timesheets for Jira plugin in Jira Data Center before version 4.23.6-jira10 and before version 4.23.5-jira9 allows users and attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability. [CVSS 5.4 MEDIUM]
Revive Adserver's afr.php script contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through crafted URLs targeting logged-in administrators. An attacker can exploit this to execute arbitrary JavaScript in an admin's browser session, potentially leading to unauthorized actions or credential theft. No patch is currently available for this vulnerability.
Revive Adserver's banner-acl.php script contains a reflected cross-site scripting vulnerability that allows attackers to execute arbitrary scripts in the browsers of authenticated administrators through a crafted URL. An attacker can inject malicious HTML payloads into vulnerable parameters, which execute when an admin visits the malicious link, potentially compromising administrative sessions and server configuration. No patch is currently available for this vulnerability.
Revive Adserver's banner-acl.php and channel-acl.php scripts contain reflected cross-site scripting vulnerabilities that allow attackers to execute arbitrary JavaScript in an administrator's browser by crafting malicious URLs. An authenticated attacker can exploit this to perform actions with administrative privileges if a logged-in admin visits the crafted link. No patch is currently available for this vulnerability affecting PHP-based Revive Adserver installations.
Abacre Retail Point of Sale 14.0.0.396 is affected by a stored cross-site scripting (XSS) vulnerability in the Clients module. The application fails to properly sanitize user-supplied input stored in the Name and Surname fields. [CVSS 6.1 MEDIUM]
WorklogPRO - Jira Timesheets plugin in the Jira Data Center versions up to 4.24.2 is affected by cross-site scripting (xss) (CVSS 6.1).
IBM ApplinX 11.1 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. [CVSS 5.4 MEDIUM]
IBM ApplinX 11.1 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. [CVSS 6.4 MEDIUM]
IBM Application Gateway 23.10 through 25.09 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. [CVSS 5.4 MEDIUM]
Sterling Connect\ versions up to express_adapter_for_sterling_b2b_integrator is affected by cross-site scripting (xss) (CVSS 5.4).
Sterling Connect\ versions up to express_adapter_for_sterling_b2b_integrator is affected by cross-site scripting (xss) (CVSS 6.1).
Stored cross-site scripting in FlatPM - Ad Manager plugin for WordPress up to version 3.2.2 allows authenticated contributors and higher-privileged users to inject malicious scripts through the rank_math_description field due to inadequate input sanitization. The injected scripts execute in the browsers of users viewing affected pages, potentially enabling credential theft, session hijacking, or other client-side attacks. No patch is currently available for this vulnerability.
Stored XSS in WordPress Head Meta Data plugin (versions up to 20251118) allows authenticated contributors and above to inject malicious scripts into post metadata that execute when users visit affected pages, due to inadequate input sanitization. An attacker with contributor-level access can exploit insufficient output escaping to persistently compromise page content across all site visitors. No patch is currently available for this vulnerability.
Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the modifyHL7App functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the modifyEmail functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the modifyRoute functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the notifynewstudy functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the modifyAnonymize functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the modifyCoercion functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the modifyUser functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the modifyAeTitle functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the autoPurge functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious url can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the modifyAutopurgeFilter functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the existingUser functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the emailfailedjob functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious url can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the encapsulatedDoc functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the modifyHL7Route functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the modifyTranscript functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the downloadZip functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious url can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the fetchPriorStudies functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the sendOruReport functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the ldapUser functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
The NotificationX - FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the 'nx-preview' POST parameter in all versions up to, and including, 3.2.0. [CVSS 7.2 HIGH]
HTML injection vulnerability in multiple Botble products such as TransP, Athena, Martfury, and Homzen, consisting of an HTML injection due to a lack of proper validation of user input by sending a request to '/search' using the 'q' parameter.
Reflected Cross-Site Scripting (XSS) vulnerability in IsMyGym by Zuinq Studio. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL with '/<PATH>.php/<XSS>'.
Poultry Farm Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 5.4).
wphocus My auctions allegro my-auctions-allegro-free-edition is affected by cross-site scripting (xss) (CVSS 7.1).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Reflected XSS.This issue affects JetEngine: from n/a through <= 3.7.7. [CVSS 7.1 HIGH]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CleverSoft Anon anon2x allows Reflected XSS.This issue affects Anon: from n/a through <= 2.2.10. [CVSS 7.1 HIGH]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in foreverpinetree TheNa thena allows Reflected XSS.This issue affects TheNa: from n/a through <= 1.5.5. [CVSS 7.1 HIGH]
ThemeGoods Grand Restaurant Theme Elements for Elementor grandrestaurant-elementor is affected by cross-site scripting (xss) (CVSS 5.4).
SEOSEON EUROPE S.L Affiliate Link Tracker affiliate-link-tracker is affected by cross-site scripting (xss) (CVSS 5.9).
adamlabs WordPress Photo Gallery photo-gallery-portfolio is affected by cross-site scripting (xss) (CVSS 6.1).
flexostudio flexo-posts-manager flexo-posts-manager is affected by cross-site scripting (xss) (CVSS 6.1).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ayecode Restaurante restaurante allows Reflected XSS.This issue affects Restaurante: from n/a through <= 3.0.7. [CVSS 6.1 MEDIUM]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jthemes xSmart xsmart allows Reflected XSS.This issue affects xSmart: from n/a through <= 1.2.9.4. [CVSS 6.1 MEDIUM]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer allows DOM-Based XSS.This issue affects tagDiv Composer: from n/a through <= 5.4.2. [CVSS 6.1 MEDIUM]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pondol Pondol BBS pondol-bbs allows Stored XSS.This issue affects Pondol BBS: from n/a through <= 1.1.8.4. [CVSS 5.4 MEDIUM]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ApusTheme Drone drone allows Reflected XSS.This issue affects Drone: from n/a through <= 1.40. [CVSS 6.1 MEDIUM]
LambertGroup Accordion Slider PRO accordion_slider_pro is affected by cross-site scripting (xss) (CVSS 6.1).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup xPromoter top_bar_promoter allows Reflected XSS.This issue affects xPromoter: from n/a through <= 1.3.4. [CVSS 6.1 MEDIUM]
highwarden Super Interactive Maps super-interactive-maps is affected by cross-site scripting (xss) (CVSS 6.1).
LambertGroup Magic Responsive Slider and Carousel WordPress magic_carousel is affected by cross-site scripting (xss) (CVSS 6.1).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Magic Slider magic_slider allows Reflected XSS.This issue affects Magic Slider: from n/a through <= 2.2. [CVSS 6.1 MEDIUM]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Image&Video FullScreen Background lbg_fullscreen_fullwidth_slider allows Reflected XSS.This issue affects Image&Video FullScreen Background: from n/a through <= 1.6.7. [CVSS 6.1 MEDIUM]
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in xtemos WoodMart woodmart allows Code Injection.This issue affects WoodMart: from n/a through <= 8.3.7. [CVSS 6.1 MEDIUM]
Benjamin Intal Stackable stackable-ultimate-gutenberg-blocks is affected by cross-site scripting (xss) (CVSS 5.4).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup HTML5 Video Player with Playlist & Multiple Skins lbg-vp2-html5-rightside allows Reflected XSS.This issue affects HTML5 Video Player with Playlist & Multiple Skins: from n/a through <= 5.3.5. [CVSS 6.1 MEDIUM]
LambertGroup HTML5 Video Player lbg-vp2-html5-bottom is affected by cross-site scripting (xss) (CVSS 6.1).
Quick.Cart is vulnerable to reflected XSS via the sSort parameter. An attacker can craft a malicious URL which, when opened, results in arbitrary JavaScript execution in the victim’s browser. [CVSS 6.1 MEDIUM]
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Aida Computer Information Technology Inc. Hotel Guest Hotspot allows Reflected XSS.This issue affects Hotel Guest Hotspot: through 22012026. [CVSS 5.5 MEDIUM]
Horilla HRMS version 1.4.0 contains insufficient input validation in its XSS prevention function, allowing attackers to bypass protections through context-agnostic regex patterns. Public exploit code exists for this vulnerability, enabling attackers to redirect users to malicious sites, execute arbitrary JavaScript, and steal CSRF tokens for use in admin-targeted attacks. The vulnerability affects Horilla 1.4.0 and has been patched in version 1.5.0.
Horilla versions up to 1.5.0 is affected by unrestricted upload of file with dangerous type (CVSS 5.4).
HTML injection in Project Release in Altium Enterprise Server (AES) 7.0.3 on all platforms allows an authenticated attacker to execute arbitrary JavaScript in the victim’s browser via crafted HTML content. [CVSS 7.6 HIGH]
A stored cross-site scripting (XSS) vulnerability in the BOM Viewer in Altium AES 7.0.3 allows an authenticated attacker to inject arbitrary JavaScript into the Description field of a schematic, which is executed when the BOM Viewer renders the affected content. [CVSS 6.8 MEDIUM]
Stored XSS in Group-Office through unsanitized filenames allows authenticated users to inject malicious scripts that execute when other users view affected files, potentially compromising sessions or triggering unintended browser actions. The vulnerability affects versions 6.8.148 and below, and 25.0.1 through 25.0.79, with public exploit code available. Patches are available in versions 6.8.149 and 25.0.80.
Stored XSS in Docmost 0.3.0-0.23.2 allows authenticated users to execute arbitrary JavaScript in the browsers of document viewers through malicious Mermaid diagram code blocks. The vulnerability exists because unsanitized SVG/HTML output from Mermaid rendering is directly injected into the DOM, and Mermaid's security controls can be disabled via diagram directives. Public exploit code exists for this vulnerability, which is fixed in version 0.24.0.
Stored XSS in Argo Workflows artifact directory listing (versions prior to 3.6.17 and 3.7.8) allows workflow authors to inject malicious JavaScript that executes in other users' browsers under the Argo Server origin. An attacker can leverage the victim's session to perform API actions and access resources with their privileges. Public exploit code exists for this vulnerability; patched versions are available.
Authenticated staff users in Saleor e-commerce platform versions 3.0.0 through 3.22.26 can upload malicious HTML and SVG files containing JavaScript that execute in users' browsers when served from the same domain as the dashboard, potentially allowing token theft. An attacker with staff privileges could craft script injections to compromise other staff members' sessions and access tokens. This vulnerability affects deployments where media files are hosted on the same domain as the dashboard and patches are available in versions 3.20.108, 3.21.43, and 3.22.27.
Saleor is an e-commerce platform. [CVSS 4.8 MEDIUM]
fleetdm/fleet is open source device management software. [CVSS 5.4 MEDIUM]
5ire AI assistant desktop application prior to version 0.10.0 has an output encoding vulnerability that allows malicious AI model responses to execute code through the Electron renderer.
VestaCP versions prior to 0.9.8-25 contain a cross-site scripting vulnerability in the IP interface configuration that allows attackers to inject malicious scripts. Attackers can exploit the 'v_interface' parameter by sending a crafted POST request to the add/ip/ endpoint with a stored XSS payload. [CVSS 7.2 HIGH]
GetSimple CMS My SMTP Contact Plugin 1.1.2 suffers from a Stored Cross-Site Scripting (XSS) vulnerability. The plugin attempts to sanitize user input using htmlspecialchars(), but this can be bypassed by passing dangerous characters as escaped hex bytes. [CVSS 5.4 MEDIUM]
GetSimple CMS Custom JS 0.1 plugin contains a cross-site request forgery vulnerability that allows unauthenticated attackers to inject arbitrary client-side code into administrator browsers. [CVSS 5.3 MEDIUM]
Genexis Platinum-4410 P4410-V2-1.31A contains a stored cross-site scripting vulnerability in the 'start_addr' parameter of the Security Management interface. [CVSS 7.2 HIGH]
Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in the calendar event subtitle field that allows attackers to inject malicious scripts. [CVSS 7.2 HIGH]
Openlitespeed 1.7.9 contains a stored cross-site scripting vulnerability in the dashboard's Notes parameter that allows administrators to inject malicious scripts. [CVSS 7.2 HIGH]
OpenEMR 5.0.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript through user profile parameters. [CVSS 5.4 MEDIUM]
Stored XSS vulnerabilities in Cisco Packaged CCE and Unified CCE web management interfaces allow authenticated attackers to inject malicious scripts by exploiting insufficient input validation. Successful exploitation enables arbitrary script execution within the management interface context or theft of sensitive browser-based information from authorized users. No patch is currently available; exploitation requires high-level privileges and user interaction.
Stored XSS vulnerabilities in Cisco Packaged CCE and Unified CCE web management interfaces allow authenticated attackers to inject malicious scripts that execute in the context of other users' browsers, potentially enabling session hijacking or sensitive data theft. The vulnerability stems from inadequate input validation on specific interface pages and requires high-privilege account access and user interaction to exploit. No patch is currently available for this medium-severity issue (CVSS 4.8).
The WorklogPRO - Timesheets for Jira plugin in Jira Data Center before version 4.23.6-jira10 and before version 4.23.5-jira9 allows users and attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability. [CVSS 5.4 MEDIUM]
Revive Adserver's afr.php script contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through crafted URLs targeting logged-in administrators. An attacker can exploit this to execute arbitrary JavaScript in an admin's browser session, potentially leading to unauthorized actions or credential theft. No patch is currently available for this vulnerability.
Revive Adserver's banner-acl.php script contains a reflected cross-site scripting vulnerability that allows attackers to execute arbitrary scripts in the browsers of authenticated administrators through a crafted URL. An attacker can inject malicious HTML payloads into vulnerable parameters, which execute when an admin visits the malicious link, potentially compromising administrative sessions and server configuration. No patch is currently available for this vulnerability.
Revive Adserver's banner-acl.php and channel-acl.php scripts contain reflected cross-site scripting vulnerabilities that allow attackers to execute arbitrary JavaScript in an administrator's browser by crafting malicious URLs. An authenticated attacker can exploit this to perform actions with administrative privileges if a logged-in admin visits the crafted link. No patch is currently available for this vulnerability affecting PHP-based Revive Adserver installations.
Abacre Retail Point of Sale 14.0.0.396 is affected by a stored cross-site scripting (XSS) vulnerability in the Clients module. The application fails to properly sanitize user-supplied input stored in the Name and Surname fields. [CVSS 6.1 MEDIUM]
WorklogPRO - Jira Timesheets plugin in the Jira Data Center versions up to 4.24.2 is affected by cross-site scripting (xss) (CVSS 6.1).
IBM ApplinX 11.1 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. [CVSS 5.4 MEDIUM]
IBM ApplinX 11.1 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. [CVSS 6.4 MEDIUM]
IBM Application Gateway 23.10 through 25.09 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. [CVSS 5.4 MEDIUM]
Sterling Connect\ versions up to express_adapter_for_sterling_b2b_integrator is affected by cross-site scripting (xss) (CVSS 5.4).
Sterling Connect\ versions up to express_adapter_for_sterling_b2b_integrator is affected by cross-site scripting (xss) (CVSS 6.1).
Stored cross-site scripting in FlatPM - Ad Manager plugin for WordPress up to version 3.2.2 allows authenticated contributors and higher-privileged users to inject malicious scripts through the rank_math_description field due to inadequate input sanitization. The injected scripts execute in the browsers of users viewing affected pages, potentially enabling credential theft, session hijacking, or other client-side attacks. No patch is currently available for this vulnerability.
Stored XSS in WordPress Head Meta Data plugin (versions up to 20251118) allows authenticated contributors and above to inject malicious scripts into post metadata that execute when users visit affected pages, due to inadequate input sanitization. An attacker with contributor-level access can exploit insufficient output escaping to persistently compromise page content across all site visitors. No patch is currently available for this vulnerability.
Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the modifyHL7App functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the modifyEmail functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the modifyRoute functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the notifynewstudy functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the modifyAnonymize functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the modifyCoercion functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the modifyUser functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the modifyAeTitle functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the autoPurge functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious url can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the modifyAutopurgeFilter functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the existingUser functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the emailfailedjob functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious url can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the encapsulatedDoc functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the modifyHL7Route functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the modifyTranscript functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the downloadZip functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious url can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the fetchPriorStudies functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the sendOruReport functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
A reflected cross-site scripting (xss) vulnerability exists in the ldapUser functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]
The NotificationX - FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the 'nx-preview' POST parameter in all versions up to, and including, 3.2.0. [CVSS 7.2 HIGH]
HTML injection vulnerability in multiple Botble products such as TransP, Athena, Martfury, and Homzen, consisting of an HTML injection due to a lack of proper validation of user input by sending a request to '/search' using the 'q' parameter.
Reflected Cross-Site Scripting (XSS) vulnerability in IsMyGym by Zuinq Studio. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL with '/<PATH>.php/<XSS>'.
Poultry Farm Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 5.4).