Total
41582 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-53890 | 1 Grabaperch | 1 Perch | 2026-01-23 | N/A | 5.4 MEDIUM |
| Perch CMS 3.2 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can craft SVG files with script tags that execute when the file is viewed, potentially stealing user session information or performing client-side attacks. | |||||
| CVE-2024-24115 | 1 Cotonti | 1 Cotonti Siena | 2026-01-23 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in the Edit Page function of Cotonti CMS v0.9.24 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload. | |||||
| CVE-2025-57883 | 1 Groupsession | 1 Groupsession | 2026-01-23 | N/A | 6.1 MEDIUM |
| Reflected cross-site scripting vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. If a user accesses a crafted page or URL, an arbitrary script may be executed on the web browser of the user. | |||||
| CVE-2025-58025 | 1 Averta | 1 Master Slider | 2026-01-23 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in averta Master Slider allows Stored XSS. This issue affects Master Slider: from n/a through 3.11.0. | |||||
| CVE-2025-58234 | 1 Joomsky | 1 Js Job Manager | 2026-01-23 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in JoomSky JS Job Manager allows Stored XSS. This issue affects JS Job Manager: from n/a through 2.0.2. | |||||
| CVE-2025-64217 | 1 Themegoods | 1 Photography | 2026-01-22 | N/A | 7.1 HIGH |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Photography photography allows Reflected XSS.This issue affects Photography: from n/a through <= 7.7.2. | |||||
| CVE-2025-66939 | 1 Altumcode | 1 66biolinks | 2026-01-22 | N/A | 5.4 MEDIUM |
| Cross Site Scripting vulnerability in 66biolinks by AltumCode v.61.0.1 allows an attacker to execute arbitrary code via a crafted favicon file | |||||
| CVE-2025-67922 | 1 Themegoods | 1 Grand Restaurant | 2026-01-22 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Restaurant grandrestaurant allows Reflected XSS.This issue affects Grand Restaurant: from n/a through < 7.0.9. | |||||
| CVE-2025-47777 | 1 5ire | 1 5ire | 2026-01-22 | N/A | 9.6 CRITICAL |
| 5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Versions prior to 0.11.1 are vulnerable to stored cross-site scripting in chatbot responses due to insufficient sanitization. This, in turn, can lead to Remote Code Execution (RCE) via unsafe Electron protocol handling and exposed Electron APIs. All users of 5ire client versions prior to patched releases, particularly those interacting with untrusted chatbots or pasting external content, are affected. Version 0.11.1 contains a patch for the issue. | |||||
| CVE-2021-47750 | 1 Youphptube | 1 Youphptube | 2026-01-22 | N/A | 6.1 MEDIUM |
| YouPHPTube <= 7.8 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the redirectUri parameter in the signup page. Attackers can craft special signup URLs with embedded script tags to execute arbitrary JavaScript in victims' browsers when they access the signup page. | |||||
| CVE-2025-58357 | 1 5ire | 1 5ire | 2026-01-22 | N/A | 9.6 CRITICAL |
| 5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Version 0.13.2 contains a vulnerability in the chat page's script gadgets that enables content injection attacks through multiple vectors: malicious prompt injection pages, compromised MCP servers, and exploited tool integrations. This is fixed in version 0.14.0. | |||||
| CVE-2025-62969 | 1 Xlplugins | 1 Nextmove | 2026-01-22 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite allows Stored XSS.This issue affects NextMove Lite: from n/a through <= 2.21.0. | |||||
| CVE-2024-32702 | 1 Reputeinfosystems | 1 Arforms | 2026-01-22 | N/A | 7.1 HIGH |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Repute info systems ARForms allows Reflected XSS.This issue affects ARForms: from n/a through 6.4. | |||||
| CVE-2025-10180 | 2026-01-22 | N/A | 6.4 MEDIUM | ||
| The Markdown Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'markdown' shortcode in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-5591 | 1 Kentico | 1 Xperience | 2026-01-22 | N/A | 5.4 MEDIUM |
| Kentico Xperience 13 is vulnerable to a stored cross-site scripting attack via a form component, allowing an attacker to hijack a victim user’s session and perform actions in their security context. | |||||
| CVE-2025-13761 | 1 Gitlab | 1 Gitlab | 2026-01-22 | N/A | 8.0 HIGH |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an unauthenticated user to execute arbitrary code in the context of an authenticated user's browser by convincing the legitimate user to visit a specially crafted webpage. | |||||
| CVE-2025-9222 | 1 Gitlab | 1 Gitlab | 2026-01-22 | N/A | 8.7 HIGH |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to achieve stored cross-site scripting by exploiting GitLab Flavored Markdown. | |||||
| CVE-2026-0580 | 1 Remyandrade | 1 Api Key Manager App | 2026-01-22 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was found in SourceCodester API Key Manager App 1.0. Affected by this vulnerability is an unknown functionality of the component Import Key Handler. Performing a manipulation results in cross site scripting. The attack can be initiated remotely. | |||||
| CVE-2026-0588 | 1 Rockoa | 1 Rockoa | 2026-01-22 | 4.0 MEDIUM | 3.5 LOW |
| A weakness has been identified in Xinhu Rainrock RockOA up to 2.7.1. Affected by this vulnerability is an unknown functionality of the file rockfun.php of the component API. This manipulation of the argument callback causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-0587 | 1 Rockoa | 1 Rockoa | 2026-01-22 | 4.0 MEDIUM | 3.5 LOW |
| A security flaw has been discovered in Xinhu Rainrock RockOA up to 2.7.1. Affected is an unknown function of the file rock_page_gong.php of the component Cover Image Handler. The manipulation of the argument fengmian results in cross site scripting. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | |||||