Total
41582 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-30899 | 1 Wpeverest | 1 User Registration \& Membership | 2026-01-20 | N/A | 5.9 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpeverest User Registration allows Stored XSS. This issue affects User Registration: from n/a through 4.0.3. | |||||
| CVE-2025-11966 | 1 Eclipse | 1 Vert.x | 2026-01-20 | N/A | 6.4 MEDIUM |
| In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when "directory listing" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path can craft filenames containing malicious script or HTML content, leading to stored cross-site scripting (XSS) that executes in the context of users viewing the affected directory listing. | |||||
| CVE-2026-22787 | 2026-01-20 | N/A | N/A | ||
| html2pdf.js converts any webpage or element into a printable PDF entirely client-side. Prior to 0.14.0, html2pdf.js contains a cross-site scripting (XSS) vulnerability when given a text source rather than an element. This text is not sufficiently sanitized before being attached to the DOM, allowing malicious scripts to be run on the client browser and risking the confidentiality, integrity, and availability of the page's data. This vulnerability has been fixed in html2pdf.js@0.14.0. | |||||
| CVE-2021-36833 | 1 Ibericode | 1 Mailchimp For Wordpress | 2026-01-20 | 3.5 LOW | 4.8 MEDIUM |
| Authenticated (admin or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in ibericode's MC4WP plugin <= 4.8.6 at WordPress. | |||||
| CVE-2024-58297 | 1 Pyrocms | 1 Pyrocms | 2026-01-20 | N/A | 5.4 MEDIUM |
| PyroCMS v3.0.1 contains a stored cross-site scripting vulnerability in the admin redirects configuration that allows attackers to inject malicious scripts. Attackers can insert a payload in the 'Redirect From' field to execute arbitrary JavaScript when administrators view the redirects page. | |||||
| CVE-2025-56154 | 1 Htmly | 1 Htmly | 2026-01-20 | N/A | 6.1 MEDIUM |
| htmly v3.0.8 is vulnerable to Cross Site Scripting (XSS) in the /author/:name endpoint of the affected application. The name parameter is not properly sanitized before being reflected in the HTML response, allowing attackers to inject arbitrary JavaScript payloads. | |||||
| CVE-2025-37185 | 1 Arubanetworks | 1 Edgeconnect Sd-wan Orchestrator | 2026-01-20 | N/A | 5.5 MEDIUM |
| Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attacks against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface and thereby make unauthorized arbitrary configuration changes to the host. | |||||
| CVE-2025-65229 | 1 Lyrion | 1 Lyrion Music Server | 2026-01-20 | N/A | 4.6 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists in the web interface of Lyrion Music Server <= 9.0.3. An authenticated user with access to Settings Player can save arbitrary HTML/JavaScript in the Player name field. That value is stored by the server and later rendered without proper output encoding on the Information (Player Info) tab, causing the script to execute in the context of any user viewing that page. | |||||
| CVE-2021-39332 | 1 Bzmngr | 1 Business Manager | 2026-01-20 | 2.1 LOW | 5.5 MEDIUM |
| The Business Manager WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization found throughout the plugin which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.4.5. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. | |||||
| CVE-2025-61674 | 1 Octobercms | 1 October | 2026-01-20 | N/A | 6.1 MEDIUM |
| October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. A user with the Global Editor Settings permission could inject malicious HTML/JS into the stylesheet input at Markup Styles. A specially crafted input could break out of the intended <style> context, allowing arbitrary script execution across backend pages for all users. This issue has been patched in versions 3.7.13 and 4.0.12. | |||||
| CVE-2025-61676 | 1 Octobercms | 1 October | 2026-01-20 | N/A | 6.1 MEDIUM |
| October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerabilities was identified in October CMS backend configuration forms. A user with the Customize Backend Styles permission could inject malicious HTML/JS into the stylesheet input at Styles from Branding & Appearance settings. A specially crafted input could break out of the intended <style> context, allowing arbitrary script execution across backend pages for all users. This issue has been patched in versions 3.7.13 and 4.0.12. | |||||
| CVE-2025-67834 | 1 Paessler | 1 Prtg Network Monitor | 2026-01-20 | N/A | 5.4 MEDIUM |
| Paessler PRTG Network Monitor before 25.4.114 allows XSS by an unauthenticated attacker via the filter parameter. | |||||
| CVE-2025-67833 | 1 Paessler | 1 Prtg Network Monitor | 2026-01-20 | N/A | 6.1 MEDIUM |
| Paessler PRTG Network Monitor before 25.4.114 allows XSS by an unauthenticated attacker via the tag parameter. | |||||
| CVE-2025-6324 | 2026-01-20 | N/A | 7.1 HIGH | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MatrixAddons Easy Invoice easy-invoice allows DOM-Based XSS.This issue affects Easy Invoice: from n/a through <= 2.0.9. | |||||
| CVE-2025-69362 | 2026-01-20 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in POSIMYTH UiChemy uichemy allows Stored XSS.This issue affects UiChemy: from n/a through <= 4.4.2. | |||||
| CVE-2025-69360 | 2026-01-20 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for WPBakery) thegem-elements allows DOM-Based XSS.This issue affects TheGem Theme Elements (for WPBakery): from n/a through <= 5.11.0. | |||||
| CVE-2025-69357 | 2026-01-20 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) thegem-elements-elementor allows Stored XSS.This issue affects TheGem Theme Elements (for Elementor): from n/a through <= 5.11.0. | |||||
| CVE-2025-69350 | 2026-01-20 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Accordion accordions-wp allows Stored XSS.This issue affects Accordion: from n/a through <= 3.0.3. | |||||
| CVE-2025-69335 | 2026-01-20 | N/A | 5.4 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Team Showcase team-showcase allows Stored XSS.This issue affects Team Showcase: from n/a through <= 2.9. | |||||
| CVE-2025-69334 | 2026-01-20 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Wishlist for WooCommerce wish-list-for-woocommerce allows Stored XSS.This issue affects Wishlist for WooCommerce: from n/a through <= 3.3.0. | |||||