Total
41582 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-47381 | 1 Averta | 1 Depicter Slider | 2026-01-23 | N/A | 5.9 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Averta Depicter Slider allows Stored XSS.This issue affects Depicter Slider: from n/a through 3.2.2. | |||||
| CVE-2026-1008 | 1 Altium | 1 Altium Live | 2026-01-23 | N/A | 7.6 HIGH |
| A stored cross-site scripting (XSS) vulnerability exists in the user profile text fields of Altium 365. Insufficient server-side input sanitization allows authenticated users to inject arbitrary HTML and JavaScript payloads using whitespace-based attribute parsing bypass techniques. The injected payload is persisted and executed when other users view the affected profile page, potentially allowing session token theft, phishing attacks, or malicious redirects. Exploitation requires an authenticated account and user interaction to view the crafted profile. | |||||
| CVE-2020-25761 | 1 Projectworlds | 1 Visitor Management System | 2026-01-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Projectworlds Visitor Management System in PHP 1.0 allows XSS. The file myform.php does not perform input validation on the request parameters. An attacker can inject javascript payloads in the parameters to perform various attacks such as stealing of cookies,sensitive information etc. | |||||
| CVE-2026-1009 | 1 Altium | 1 Altium Live | 2026-01-23 | N/A | 9.0 CRITICAL |
| A stored cross-site scripting (XSS) vulnerability exists in the Altium Forum due to missing server-side input sanitization in forum post content. An authenticated attacker can inject arbitrary JavaScript into forum posts, which is stored and executed when other users view the affected post. Successful exploitation allows the attacker’s payload to execute in the context of the victim’s authenticated Altium 365 session, enabling unauthorized access to workspace data, including design files and workspace settings. Exploitation requires user interaction to view a malicious forum post. | |||||
| CVE-2026-1010 | 1 Altium | 1 On-prem Enterprise Server | 2026-01-23 | N/A | 8.0 HIGH |
| A stored cross-site scripting (XSS) vulnerability exists in the Altium Workflow Engine due to missing server-side input sanitization in workflow form submission APIs. A regular authenticated user can inject arbitrary JavaScript into workflow data. When an administrator views the affected workflow, the injected payload executes in the administrator’s browser context, allowing privilege escalation, including creation of new administrator accounts, session token theft, and execution of administrative actions. | |||||
| CVE-2017-18536 | 1 Fullworksplugins | 1 Stop User Enumeration | 2026-01-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The stop-user-enumeration plugin before 1.3.8 for WordPress has XSS. | |||||
| CVE-2025-15265 | 1 Svelte | 1 Svelte | 2026-01-23 | N/A | 6.1 MEDIUM |
| An SSR XSS exists in async hydration when attacker‑controlled keys are passed to hydratable. The key is embedded inside a <script> block without HTML‑safe escaping, allowing </script> to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users' browsers, with potential for session theft and account compromise. This issue affects Svelte: from 5.46.0 before 5.46.3. | |||||
| CVE-2025-65349 | 1 Eachitaly | 2 Wireless Mini Router Wireless-n 300m, Wireless Mini Router Wireless-n 300m Firmware | 2026-01-23 | N/A | 5.4 MEDIUM |
| A Stored Cross-Site Scripting (XSS) vulnerability in Web management interface in Each Italy Wireless Mini Router WIRELESS-N 300M v28K.MiniRouter.20190211 allows attackers to execute arbitrary scripts via a crafted payload due to unsanitized repeater AP SSID value when is displayed in any page at /index.htm. | |||||
| CVE-2025-25063 | 1 Backdropcms | 1 Backdrop Cms | 2026-01-23 | N/A | 4.4 MEDIUM |
| An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It does not sufficiently validate uploaded SVG images to ensure they do not contain potentially dangerous SVG tags. SVG images can contain clickable links and executable scripting, and using a crafted SVG, it is possible to execute scripting in the browser when an SVG image is viewed. This issue is mitigated by the attacker needing to be able to upload SVG images, and that Backdrop embeds all uploaded SVG images within <img> tags, which prevents scripting from executing. The SVG must be viewed directly by its URL in order to run any embedded scripting. | |||||
| CVE-2025-25062 | 1 Backdropcms | 1 Backdrop Cms | 2026-01-23 | N/A | 4.4 MEDIUM |
| An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It doesn't sufficiently isolate long text content when the CKEditor 5 rich text editor is used. This allows a potential attacker to craft specialized HTML and JavaScript that may be executed when an administrator attempts to edit a piece of content. This vulnerability is mitigated by the fact that an attacker must have the ability to create long text content (such as through the node or comment forms) and an administrator must edit (not view) the content that contains the malicious content. This problem only exists when using the CKEditor 5 module. | |||||
| CVE-2026-22919 | 1 Sick | 2 Tdc-x401gl, Tdc-x401gl Firmware | 2026-01-23 | N/A | 3.8 LOW |
| An attacker with administrative access may inject malicious content into the login page, potentially enabling cross-site scripting (XSS) attacks, leading to the extraction of sensitive data. | |||||
| CVE-2024-50376 | 1 Advantech | 6 Eki-6333ac-1gpo, Eki-6333ac-1gpo Firmware, Eki-6333ac-2g and 3 more | 2026-01-23 | N/A | 7.3 HIGH |
| A CWE-79 "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The vulnerability can be exploited remotely leveraging a rogue Wi-Fi access point with a malicious SSID. | |||||
| CVE-2026-23769 | 1 Naver | 1 Lucy-xss-filter | 2026-01-23 | N/A | 6.1 MEDIUM |
| lucy-xss-filter before commit e5826c0 allows an attacker to execute malicious JavaScript due to improper sanitization caused by misconfigured default superset rule files. | |||||
| CVE-2025-14448 | 1 Cbutlerjr | 1 Wp-members Membership Plugin | 2026-01-23 | N/A | 5.4 MEDIUM |
| The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Multiple Checkbox and Multiple Select user profile fields in all versions up to, and including, 3.5.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2026-22913 | 1 Sick | 2 Tdc-x401gl, Tdc-x401gl Firmware | 2026-01-23 | N/A | 4.3 MEDIUM |
| Improper handling of a URL parameter may allow attackers to execute code in a user's browser after login. This can lead to the extraction of sensitive data. | |||||
| CVE-2025-63644 | 1 Ph7builder | 1 Ph7 Social Dating Builder | 2026-01-23 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists in pH7Software pH7-Social-Dating-CMS 17.9.1 in the user profile Description field. | |||||
| CVE-2025-14556 | 1 Flag Module Project | 1 Flag | 2026-01-23 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Flag allows Cross-Site Scripting (XSS).This issue affects Flag: from 7.X-3.0 through 7.X-3.9. | |||||
| CVE-2025-14557 | 1 Facebook Pixel Project | 1 Facebook Pixel | 2026-01-23 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Facebook Pixel facebook_pixel allows Stored XSS.This issue affects Facebook Pixel: from 7.X-1.0 through 7.X-1.1. | |||||
| CVE-2021-24713 | 1 Cminds | 2 Video Lessons Manager, Video Lessons Manager Pro | 2026-01-23 | 3.5 LOW | 4.8 MEDIUM |
| The Video Lessons Manager WordPress plugin before 1.7.2 and Video Lessons Manager Pro WordPress plugin before 3.5.9 do not properly sanitize and escape values when updating their settings, which could allow high privilege users to perform Cross-Site Scripting attacks | |||||
| CVE-2023-31228 | 1 Cminds | 1 Cm Search And Replace | 2026-01-23 | N/A | 5.9 MEDIUM |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in CreativeMindsSolutions CM On Demand Search And Replace plugin <= 1.3.0 versions. | |||||