Total
41559 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-54341 | 1 Webgrind Project | 1 Webgrind | 2026-02-03 | N/A | 6.1 MEDIUM |
| Webgrind 1.1 and before contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts via the file parameter in index.php. The application does not sufficiently encode user-controlled inputs, allowing attackers to execute arbitrary JavaScript in victim's browsers by crafting malicious URLs. | |||||
| CVE-2026-25522 | 2026-02-03 | N/A | N/A | ||
| Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Zone (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2. | |||||
| CVE-2026-25490 | 2026-02-03 | N/A | N/A | ||
| Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the 'Address Line 1' field in Inventory Locations is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2. | |||||
| CVE-2026-25489 | 2026-02-03 | N/A | N/A | ||
| Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2. | |||||
| CVE-2026-25488 | 2026-02-03 | N/A | N/A | ||
| Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Tax Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2. | |||||
| CVE-2026-25487 | 2026-02-03 | N/A | N/A | ||
| Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2. | |||||
| CVE-2026-25486 | 2026-02-03 | N/A | N/A | ||
| Craft Commerce is an ecommerce platform for Craft CMS. From version 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Methods Name field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in version 5.5.2. | |||||
| CVE-2026-25485 | 2026-02-03 | N/A | N/A | ||
| Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2. | |||||
| CVE-2026-25484 | 2026-02-03 | N/A | N/A | ||
| Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings. The vulnerable input (source) is in Commerce (Product Type settings), but the sink is in CMS user permissions settings. This issue has been patched in versions 4.10.1 and 5.5.2. | |||||
| CVE-2026-25483 | 2026-02-03 | N/A | N/A | ||
| Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes. This issue has been patched in versions 4.10.1 and 5.5.2. | |||||
| CVE-2026-25482 | 2026-02-03 | N/A | N/A | ||
| Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard. This issue has been patched in versions 4.10.1 and 5.5.2. | |||||
| CVE-2026-24958 | 2026-02-03 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetElements For Elementor jet-elements allows DOM-Based XSS.This issue affects JetElements For Elementor: from n/a through <= 2.7.12.2. | |||||
| CVE-2026-24426 | 2026-02-03 | N/A | N/A | ||
| Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior contain an improper output encoding vulnerability in the web management interface. User-supplied input is reflected in HTTP responses without adequate escaping, allowing injection of arbitrary HTML or JavaScript in a victim’s browser context. | |||||
| CVE-2025-68891 | 2026-02-03 | N/A | 7.1 HIGH | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Sutana WP App Bar wp-app-bar allows Reflected XSS.This issue affects WP App Bar: from n/a through <= 1.5. | |||||
| CVE-2024-56156 | 1 Halo | 1 Halo | 2026-02-03 | N/A | 9.0 CRITICAL |
| Halo is an open source website building tool. Prior to version 2.20.13, a vulnerability in Halo allows attackers to bypass file type validation controls. This bypass enables the upload of malicious files including executables and HTML files, which can lead to stored cross-site scripting attacks and potential remote code execution under certain circumstances. This issue has been patched in version 2.20.13. | |||||
| CVE-2026-24952 | 2026-02-03 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Stored XSS.This issue affects Seriously Simple Podcasting: from n/a through <= 3.14.1. | |||||
| CVE-2026-24674 | 2026-02-03 | N/A | 4.7 MEDIUM | ||
| The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Reflected Cross-Site Scripting (XSS) vulnerability allows remote attackers to execute arbitrary JavaScript in the context of authenticated users by crafting malicious URLs and tricking victims into visiting them. This issue has been patched in version 4.2. | |||||
| CVE-2026-24672 | 2026-02-03 | N/A | 7.3 HIGH | ||
| The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated students to inject malicious JavaScript into user profile fields, which is executed when users with viewing privileges access affected application pages. This issue has been patched in version 4.2. | |||||
| CVE-2026-24671 | 2026-02-03 | N/A | 6.1 MEDIUM | ||
| The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated high-privileged users (teachers or administrators) to inject malicious JavaScript into multiple user-controllable input fields across the application, which is executed when other users access affected pages. This issue has been patched in version 4.2. | |||||
| CVE-2026-24665 | 2026-02-03 | N/A | 8.7 HIGH | ||
| The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a stored Cross-Site Scripting (XSS) vulnerability allows authenticated students to inject malicious JavaScript into uploaded assignment files, which is executed when instructors view the submission. This issue has been patched in version 4.2. | |||||