Total
41582 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-0730 | 1 Phpgurukul | 1 Staff Leave Management System | 2026-01-22 | 3.3 LOW | 2.4 LOW |
| A flaw has been found in PHPGurukul Staff Leave Management System 1.0. The affected element is the function ADD_STAFF/UPDATE_STAFF of the file /staffleave/slms/slms/adminviews.py of the component SVG File Handler. Executing a manipulation of the argument profile_pic can lead to cross site scripting. The attack can be executed remotely. The exploit has been published and may be used. | |||||
| CVE-2025-70890 | 1 Phpgurukul | 1 Cyber Cafe Management System | 2026-01-22 | N/A | 6.1 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists in Cyber Cafe Management System v1.0. An authenticated attacker can inject arbitrary JavaScript code into the username parameter via the add-users.php endpoint. The injected payload is stored and executed in the victim s browser when the affected page is accessed. | |||||
| CVE-2025-70891 | 1 Phpgurukul | 1 Cyber Cafe Management System | 2026-01-22 | N/A | 6.1 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists in Phpgurukul Cyber Cafe Management System v1.0 within the user management module. The application does not properly sanitize or encode user-supplied input submitted via the uadd parameter in the add-users.php endpoint. An authenticated attacker can inject arbitrary JavaScript code that is persistently stored in the database. The malicious payload is triggered when a privileged user clicks the View button on the view-allusers.php page. | |||||
| CVE-2025-65368 | 1 Codewithcj | 1 Sparkyfitness | 2026-01-22 | N/A | 6.1 MEDIUM |
| SparkyFitness v0.15.8.2 is vulnerable to Cross Site Scripting (XSS) via user input and LLM output. | |||||
| CVE-2019-25277 | 1 Iwt | 2 Facesentry Access Control System, Facesentry Access Control System Firmware | 2026-01-22 | N/A | 6.1 MEDIUM |
| FaceSentry Access Control System 6.4.8 contains a cross-site scripting vulnerability in the 'msg' parameter of pluginInstall.php that allows attackers to inject malicious scripts. Attackers can exploit the unvalidated input to execute arbitrary JavaScript in victim browsers, potentially stealing authentication credentials and conducting phishing attacks. | |||||
| CVE-2024-4392 | 1 Automattic | 1 Jetpack | 2026-01-22 | N/A | 6.4 MEDIUM |
| The Jetpack – WP Security, Backup, Speed, & Growth plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpvideo shortcode in all versions up to, and including, 13.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-66686 | 1 Grabaperch | 1 Perch | 2026-01-21 | N/A | 6.1 MEDIUM |
| A stored Cross-Site Scripting (XSS) vulnerability exists in Perch CMS version 3.2. An authenticated attacker with administrative privileges can inject malicious JavaScript code into the “Help button url” setting within the admin panel. The injected payload is stored and executed when any authenticated user clicks the Help button, potentially leading to session hijacking, information disclosure, privilege escalation, and unauthorized administrative actions. | |||||
| CVE-2024-30193 | 1 Church Admin Project | 1 Church Admin | 2026-01-21 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Andy Moyle Church Admin allows Stored XSS.This issue affects Church Admin: from n/a through 4.1.17. | |||||
| CVE-2024-30197 | 1 Church Admin Project | 1 Church Admin | 2026-01-21 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Andy Moyle Church Admin allows Stored XSS.This issue affects Church Admin: from n/a through 4.0.26. | |||||
| CVE-2025-11224 | 1 Gitlab | 1 Gitlab | 2026-01-21 | N/A | 7.7 HIGH |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to execute stored cross-site scripting through improper input validation in the Kubernetes proxy functionality. | |||||
| CVE-2025-62068 | 1 E2pdf | 1 E2pdf | 2026-01-21 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in E2Pdf e2pdf e2pdf.This issue affects e2pdf: from n/a through <= 1.28.09. | |||||
| CVE-2025-71164 | 1 Typesettercms | 1 Typesetter | 2026-01-21 | N/A | 5.4 MEDIUM |
| Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the Editing component. The images parameter (submitted as images[] in a POST request) is reflected into an HTML href attribute without proper context-aware output encoding in include/tool/Editing.php. An authenticated attacker with editing privileges can supply a JavaScript pseudo-protocol (e.g., javascript:) to trigger arbitrary JavaScript execution in the context of the victim's browser session. | |||||
| CVE-2025-71165 | 1 Typesettercms | 1 Typesetter | 2026-01-21 | N/A | 5.4 MEDIUM |
| Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status functionality. The path parameter is reflected into the HTML response without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session. | |||||
| CVE-2025-71166 | 1 Typesettercms | 1 Typesetter | 2026-01-21 | N/A | 5.4 MEDIUM |
| Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status move message handling. The path parameter is reflected into the HTML output without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session. | |||||
| CVE-2025-68658 | 1 Opensourcepos | 1 Open Source Point Of Sale | 2026-01-21 | N/A | 4.3 MEDIUM |
| Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. opensourcepos 3.4.0 and 3.4.1 has a stored XSS vulnerability exists in the Configuration (Information) functionality. An authenticated user with the permission “Configuration: Change OSPOS's Configuration” can inject a malicious JavaScript payload into the Company Name field when updating Information in Configuration. The malicious payload is stored and later triggered when a user accesses /sales/complete. First select Sales, and choose New Item to create an item, then click on Completed . Due to insufficient input validation and output encoding, the payload is rendered and executed in the user’s browser, resulting in a stored XSS vulnerability. This vulnerability is fixed in 3.4.2. | |||||
| CVE-2022-50905 | 1 E107 | 1 E107 | 2026-01-21 | N/A | 9.8 CRITICAL |
| e107 CMS version 3.2.1 contains multiple vulnerabilities that allow cross-site scripting (XSS) attacks. The first vulnerability is a reflected XSS that occurs in the news comment functionality when authenticated users interact with the comment form. An attacker can inject malicious JavaScript code through the URL parameter that gets executed when users click outside the comment field after typing content. The second vulnerability involves an upload restriction bypass for authenticated administrators, allowing them to upload SVG files containing malicious code through the media manager's remote URL upload feature. This results in stored XSS when the uploaded SVG files are accessed. These vulnerabilities were discovered by Hubert Wojciechowski and affect the news.php and image.php components of the CMS. | |||||
| CVE-2026-22813 | 1 Anoma | 1 Opencode | 2026-01-21 | N/A | 6.1 MEDIUM |
| OpenCode is an open source AI coding agent. The markdown renderer used for LLM responses will insert arbitrary HTML into the DOM. There is no sanitization with DOMPurify or even a CSP on the web interface to prevent JavaScript execution via HTML injection. This means controlling the LLM response for a chat session gets JavaScript execution on the http://localhost:4096 origin. This vulnerability is fixed in 1.1.10. | |||||
| CVE-2025-67078 | 1 Agora-project | 1 Agora-project | 2026-01-21 | N/A | 6.1 MEDIUM |
| Cross site scripting (XSS) vulnerability in Omnispace Agora Project before 25.10 allowing attackers to execute arbitrary code via the notify parameter of the file controller used to display errors. | |||||
| CVE-2023-23354 | 1 Qnap | 4 Qts, Qulog Center, Quts Hero and 1 more | 2026-01-20 | N/A | 7.3 HIGH |
| A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained user access to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: QuLog Center 1.5.0.738 ( 2023/03/06 ) and later QuLog Center 1.4.1.691 ( 2023/03/01 ) and later QuLog Center 1.3.1.645 ( 2023/02/22 ) and later | |||||
| CVE-2023-23357 | 1 Qnap | 4 Qts, Qulog Center, Quts Hero and 1 more | 2026-01-20 | N/A | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: QuLog Center 1.5.0.738 ( 2023/03/06 ) and later QuLog Center 1.4.1.691 ( 2023/03/01 ) and later QuLog Center 1.3.1.645 ( 2023/02/22 ) and later | |||||