Total: 41574 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-47769 | 1 Bdtask | 1 Isshue | 2026-01-26 | N/A | 4.8 MEDIUM |
| Isshue Shopping Cart 3.5 contains a persistent cross-site scripting vulnerability in title input fields across stock, customer, and invoice modules. Attackers with privileged user accounts can inject malicious scripts that execute on preview, potentially enabling session hijacking and persistent phishing attacks. | |||||
| CVE-2025-8460 | 1 Centreon | 1 Open Tickets | 2026-01-26 | N/A | 6.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Notification rules, Open tickets module) allows Stored XSS by users with elevated privileges. This issue affects Infra Monitoring: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.5, from 23.10.0 before 23.10.4. | |||||
| CVE-2024-54123 | 1 Backdropcms | 1 Backdrop | 2026-01-26 | N/A | 6.1 MEDIUM |
| Backdrop CMS before 1.28.4 and 1.29.x before 1.29.2 allows XSS via an SVG document, if the SVG tag is allowed for a text format. | |||||
| CVE-2025-12511 | 1 Centreon | 1 Dynamic Service Management | 2026-01-26 | N/A | 6.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (DSM extension configuration modules) allows Stored XSS to users with elevated privileges. This issue affects Infra Monitoring: from 25.10.0 before 25.10.1, from 24.10.0 before 24.10.4, from 24.04.0 before 24.04.8. | |||||
| CVE-2025-24752 | 1 Wpdeveloper | 1 Essential Addons For Elementor | 2026-01-26 | N/A | 7.1 HIGH |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper Essential Addons for Elementor allows Reflected XSS. This issue affects Essential Addons for Elementor: from n/a through 6.0.14. | |||||
| CVE-2025-12746 | | | 2026-01-26 | N/A | 6.1 MEDIUM |
| The Tainacan plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'search' parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-57277 | | | 2026-01-26 | N/A | 5.7 MEDIUM |
| InnoShop V.0.3.8 and below is vulnerable to Cross Site Scripting (XSS) via SVG file upload. | |||||
| CVE-2024-41345 | 1 Jpatokal | 1 Openflights | 2026-01-26 | N/A | 5.4 MEDIUM |
| openflights commit 5234b5b is vulnerable to Cross-Site Scripting (XSS) via php/trip.php | |||||
| CVE-2022-26573 | 1 Maccms | 1 Maccms | 2026-01-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Maccms v10 was discovered to contain multiple reflected cross-site scripting (XSS) vulnerabilities in /admin.php/admin/art/data.html via the select and input parameters. | |||||
| CVE-2025-12513 | 1 Centreon | 1 Centreon Web | 2026-01-26 | N/A | 6.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Hosts configuration form modules) allows Stored XSS to users with high privileges. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.15, from 24.04.0 before 24.04.19. | |||||
| CVE-2025-13056 | 1 Centreon | 1 Centreon Web | 2026-01-26 | N/A | 6.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Administration ACL menu configuration modules) allows Stored XSS to users with high privileges. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.15, from 24.04.0 before 24.04.19. | |||||
| CVE-2021-47834 | | | 2026-01-26 | N/A | 6.4 MEDIUM |
| Schlix CMS 2.2.6-6 contains a persistent cross-site scripting vulnerability that allows authenticated users to inject malicious scripts into category titles. Attackers can create a new contact category with a script payload that will execute when the page is viewed by other users. | |||||
| CVE-2021-47835 | | | 2026-01-26 | N/A | 7.2 HIGH |
| Freeter 1.2.1 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads in custom widget titles and files. Attackers can craft malicious files with embedded scripts that execute when victims interact with the application, potentially enabling remote code execution. | |||||
| CVE-2021-47837 | | | 2026-01-26 | N/A | 7.2 HIGH |
| Markdownify 1.2.0 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads within markdown files. Attackers can upload crafted markdown files with embedded scripts that execute when the file is opened, potentially enabling remote code execution. | |||||
| CVE-2025-31510 | | | 2026-01-26 | N/A | 7.2 HIGH |
| In the portal in LemonLDAP::NG before 2.21.0, cross-site scripting (XSS) allows remote attackers to inject arbitrary web script or HTML (into the login page) via the tab parameter, for Choice authentication. | |||||
| CVE-2026-23528 | | | 2026-01-26 | N/A | N/A |
| Dask distributed is a distributed task scheduler for Dask. Prior to 2026.1.0, when Jupyter Lab, jupyter-server-proxy, and Dask distributed are all run together, it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-site scripting (XSS) bug in the Dask dashboard. It is possible for attackers to craft a phishing URL that assumes Jupyter Lab and Dask may be running on localhost and using default ports. If a user clicks on the malicious link, it will open an error page in the Dask Dashboard via the Jupyter Lab proxy, which will cause code to be executed by the default Jupyter Python kernel. This vulnerability is fixed in 2026.1.0. | |||||
| CVE-2021-47838 | | | 2026-01-26 | N/A | 7.2 HIGH |
| Markright 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to embed malicious payloads in markdown files. Attackers can upload specially crafted markdown files that execute arbitrary JavaScript when opened, potentially enabling remote code execution on the victim's system. | |||||
| CVE-2021-47836 | | | 2026-01-26 | N/A | 6.1 MEDIUM |
| Markdown Explorer 0.1.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through file uploads and editor inputs. Attackers can upload markdown files with embedded JavaScript payloads to execute remote commands and potentially gain system access. | |||||
| CVE-2021-47840 | | | 2026-01-26 | N/A | 7.2 HIGH |
| Moeditor 0.2.0 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads within markdown files. Attackers can upload specially crafted markdown files with embedded JavaScript that execute when opened, potentially enabling remote code execution on the victim's system. | |||||
| CVE-2021-47844 | | | 2026-01-26 | N/A | 6.1 MEDIUM |
| Xmind 2020 contains a cross-site scripting vulnerability that allows attackers to inject malicious payloads into mind mapping files or custom headers. Attackers can craft malicious files with embedded JavaScript that execute system commands when opened, enabling remote code execution through mouse interactions or file opening. | |||||
