Total
41593 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-0913 | 2026-01-16 | N/A | 6.4 MEDIUM | ||
| The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'usp_access' shortcode in all versions up to, and including, 20260110 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2026-20894 | 2026-01-16 | N/A | 4.8 MEDIUM | ||
| Cross-site scripting vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation. If an attacking administrator configures the affected product with some malicious input, an arbitrary script may be executed on the web browser of a victim administrator who accesses the setting screen. | |||||
| CVE-2021-47779 | 2026-01-16 | N/A | 7.2 HIGH | ||
| Dolibarr ERP-CRM 14.0.2 contains a stored cross-site scripting vulnerability in the ticket creation module that allows low-privilege users to inject malicious scripts. Attackers can craft a specially designed ticket message with embedded JavaScript that triggers when an administrator copies the text, potentially enabling privilege escalation. | |||||
| CVE-2025-14375 | 2026-01-16 | N/A | 6.1 MEDIUM | ||
| The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2025-39400 | 1 Wpeverest | 1 User Registration \& Membership | 2026-01-16 | N/A | 7.1 HIGH |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpeverest User Registration allows Reflected XSS. This issue affects User Registration: from n/a through n/a. | |||||
| CVE-2024-3677 | 2026-01-16 | N/A | 6.4 MEDIUM | ||
| The Ultimate 410 Gone Status Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 410 entries in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Please note TinyWeb as a separate Web Browser is not affected, and only shares a name with the author of this plugin. | |||||
| CVE-2025-64325 | 1 Emby | 1 Emby | 2026-01-15 | N/A | 9.0 CRITICAL |
| Emby Server is a personal media server. Prior to version 4.8.1.0 and prior to Beta version 4.9.0.0-beta, a malicious user can send an authentication request with a manipulated X-Emby-Client value, which gets added to the devices section of the admin dashboard without sanitization. This issue has been patched in version 4.8.1.0 and Beta version 4.9.0.0-beta. | |||||
| CVE-2026-0671 | 1 Wikimedia | 1 Mediawiki-extensions-uploadwizard | 2026-01-15 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki - UploadWizard extension allows Cross-Site Scripting (XSS).This issue affects MediaWiki - UploadWizard extension: 1.45, 1.44, 1.43, 1.39. | |||||
| CVE-2025-61550 | 1 Edubusinesssolutions | 1 Print Shop Pro Webdesk | 2026-01-15 | N/A | 5.4 MEDIUM |
| Cross-Site Scripting (XSS) is present on the ctl00_Content01_fieldValue parameters on the /psp/appNet/TemplateOrder/TemplatePreview.aspx endpoint in edu Business Solutions Print Shop Pro WebDesk version 18.34. User-supplied input is stored and later rendered in HTML pages without proper output encoding or sanitization. This allows attackers to persistently inject arbitrary JavaScript that executes in the context of other users' sessions | |||||
| CVE-2022-44349 | 1 Navblue | 1 N-ops \& Crew | 2026-01-15 | N/A | 5.4 MEDIUM |
| NAVBLUE S.A.S N-Ops & Crew 22.5-rc.50 is vulnerable to Cross Site Scripting (XSS). | |||||
| CVE-2025-63211 | 1 Bridgetech | 1 Vbc Server | 2026-01-15 | N/A | 6.1 MEDIUM |
| Stored cross-site scripting vulnerability in bridgetech VBC Server & Element Manager, firmware versions 6.5.0-9 thru 6.5.0-10, allows attackers to execute arbitrary code via the addName parameter to the /vbc/core/userSetupDoc/userSetupDoc endpoint. | |||||
| CVE-2023-26692 | 1 Zcbs | 3 Zbbs, Zcbs, Zpbs | 2026-01-15 | N/A | 6.1 MEDIUM |
| ZCBS Zijper Collectie Beheer Systeem (ZCBS), Zijper Publication Management System (ZPBS), and Zijper Image Bank Management System (ZBBS) 4.14k is vulnerable to Cross Site Scripting (XSS). | |||||
| CVE-2025-65026 | 1 Esm | 1 Esm.sh | 2026-01-15 | N/A | 6.1 MEDIUM |
| esm.sh is a nobuild content delivery network(CDN) for modern web development. Prior to version 136, The esm.sh CDN service contains a Template Literal Injection vulnerability (CWE-94) in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter, esm.sh converts it to a JavaScript module by embedding the CSS content directly into a template literal without proper sanitization. An attacker can inject malicious JavaScript code using ${...} expressions within CSS files, which will execute when the module is imported by victim applications. This enables Cross-Site Scripting (XSS) in browsers and Remote Code Execution (RCE) in Electron applications. This issue has been patched in version 136. | |||||
| CVE-2026-21873 | 1 Zauberzeug | 1 Nicegui | 2026-01-15 | N/A | 7.2 HIGH |
| NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the pushstate event listener used by ui.sub_pages allows an attacker to manipulate the fragment identifier of the URL, which they can do despite being cross-site, using an iframe. This issue has been patched in version 3.5.0. | |||||
| CVE-2026-21872 | 1 Zauberzeug | 1 Nicegui | 2026-01-15 | N/A | 6.1 MEDIUM |
| NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event listener used by ui.sub_pages, combined with attacker-controlled link rendering on the page, causes XSS when the user actively clicks on the link. This issue has been patched in version 3.5.0. | |||||
| CVE-2026-21871 | 1 Zauberzeug | 1 Nicegui | 2026-01-15 | N/A | 6.1 MEDIUM |
| NiceGUI is a Python-based UI framework. From versions 2.13.0 to 3.4.1, there is a XSS risk in NiceGUI when developers pass attacker-controlled strings into ui.navigate.history.push() or ui.navigate.history.replace(). These helpers are documented as History API wrappers for updating the browser URL without page reload. However, if the URL argument is embedded into generated JavaScript without proper escaping, a crafted payload can break out of the intended string context and execute arbitrary JavaScript in the victim’s browser. Applications that do not pass untrusted input into ui.navigate.history.push/replace are not affected. This issue has been patched in version 3.5.0. | |||||
| CVE-2025-3999 | 1 Seeyon | 1 Oa Web Application System | 2026-01-15 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability, which was classified as problematic, has been found in Seeyon Zhiyuan OA Web Application System 8.1 SP2. This issue affects some unknown processing of the file seeyon\opt\Seeyon\A8\ApacheJetspeed\webapps\seeyon\common\js\addDate\date.jsp of the component URL Parameter Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-4000 | 1 Seeyon | 1 Oa Web Application System | 2026-01-15 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability, which was classified as problematic, was found in Seeyon Zhiyuan OA Web Application System 8.1 SP2. Affected is an unknown function of the file seeyon\opt\Seeyon\A8\ApacheJetspeed\webapps\seeyon\ssoproxy\jsp\ssoproxy.jsp. The manipulation of the argument Name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2023-45832 | 1 Northernbeacheswebsites | 1 Wp Gotowebinar | 2026-01-15 | N/A | 5.9 MEDIUM |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Martin Gibson WP GoToWebinar plugin <= 14.45 versions. | |||||
| CVE-2025-15372 | 1 Youlai | 1 Vue3-element-admin | 2026-01-15 | 3.3 LOW | 2.4 LOW |
| A weakness has been identified in youlaitech vue3-element-admin up to 3.4.0. This issue affects some unknown processing of the file src/views/system/notice/index.vue of the component Notice Handler. This manipulation causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | |||||