Total: 41596 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-41836 | 1 Fortinet | 1 Fortisandbox | 2026-01-14 | N/A | 3.5 LOW |
| An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 4.4.0, FortiSandbox 4.2.1 through 4.2.4, FortiSandbox 4.0 all versions, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0.4 through 3.0.7 allows an attacker to execute unauthorized code or commands via crafted HTTP requests. | |||||
| CVE-2025-32379 | 1 Koajs | 1 Koa | 2026-01-14 | N/A | 5.0 MEDIUM |
| Koa is expressive middleware for Node.js using ES2017 async functions. In koa < 2.16.1 and < 3.0.0-alpha.5, passing untrusted user input to ctx.redirect(), even after sanitizing it, may execute JavaScript code on users of the app. This issue is patched in 2.16.1 and 3.0.0-alpha.5. | |||||
| CVE-2024-27781 | 1 Fortinet | 1 Fortisandbox | 2026-01-14 | N/A | 7.1 HIGH |
| An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox 4.0.0 through 4.0.4, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0 all versions allows an authenticated attacker to execute unauthorized code or commands via crafted HTTP requests. | |||||
| CVE-2023-45587 | 1 Fortinet | 1 Fortisandbox | 2026-01-14 | N/A | 3.5 LOW |
| An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.2, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions allows an attacker to execute unauthorized code or commands via crafted HTTP requests. | |||||
| CVE-2023-41844 | 1 Fortinet | 1 Fortisandbox | 2026-01-14 | N/A | 3.5 LOW |
| An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.2, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0.4 and above allows an attacker to execute unauthorized code or commands via crafted HTTP requests in the capture traffic endpoint. | |||||
| CVE-2023-41843 | 1 Fortinet | 1 Fortisandbox | 2026-01-14 | N/A | 7.5 HIGH |
| An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.1, FortiSandbox 4.2.1 through 4.2.5, FortiSandbox 4.0.0 through 4.0.3, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0 all versions, FortiSandbox 2.5 all versions, FortiSandbox 2.4.1 allows an attacker to execute unauthorized code or commands via crafted HTTP requests. | |||||
| CVE-2023-41681 | 1 Fortinet | 1 Fortisandbox | 2026-01-14 | N/A | 7.5 HIGH |
| An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.1, FortiSandbox 4.2.1 through 4.2.5, FortiSandbox 4.0.0 through 4.0.3, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0 all versions, FortiSandbox 2.5 all versions, FortiSandbox 2.4.1 allows an attacker to execute unauthorized code or commands via crafted HTTP requests. | |||||
| CVE-2023-41680 | 1 Fortinet | 1 Fortisandbox | 2026-01-14 | N/A | 7.5 HIGH |
| An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.1, FortiSandbox 4.2.1 through 4.2.5, FortiSandbox 4.0.0 through 4.0.3, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0 all versions, FortiSandbox 2.5 all versions, FortiSandbox 2.4.1 allows an attacker to execute unauthorized code or commands via crafted HTTP requests. | |||||
| CVE-2025-31366 | 1 Fortinet | 3 Fortios, Fortiproxy, Fortisase | 2026-01-14 | N/A | 4.7 MEDIUM |
| An Improper Neutralization of Input During Web Page Generation vulnerability [CWE-79] in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4 all versions, FortiProxy 7.2 all versions, FortiProxy 7.0 all versions, FortiSASE 25.2.a may allow an unauthenticated attacker to perform a reflected cross site scripting (XSS) via crafted HTTP requests. | |||||
| CVE-2025-62482 | 1 Zoom | 2 Meeting Software Development Kit, Workplace Desktop | 2026-01-13 | N/A | 4.3 MEDIUM |
| Cross-site scripting in Zoom Workplace for Windows before version 6.5.10 may allow an unauthenticated user to impact integrity via network access. | |||||
| CVE-2025-15452 | 1 Wang.market | 1 Wangmarket | 2026-01-13 | 3.3 LOW | 2.4 LOW |
| A weakness has been identified in xnx3 wangmarket up to 4.9. This affects the function variableList of the file /admin/system/variableList.do of the component Backend Variable Search. Executing a manipulation of the argument Description can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-15451 | 1 Wang.market | 1 Wangmarket | 2026-01-13 | 3.3 LOW | 2.4 LOW |
| A security flaw has been discovered in xnx3 wangmarket up to 4.9. Affected by this issue is some unknown functionality of the file /admin/system/variableSave.do of the component System Variables Page. Performing a manipulation of the argument Description results in cross site scripting. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-49306 | 1 Catchsquare | 1 Wp Social Widget | 2026-01-13 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in catchsquare WP Social Widget allows Stored XSS. This issue affects WP Social Widget: from n/a through 2.3. | |||||
| CVE-2025-68457 | 1 Boscop | 1 Orejime | 2026-01-13 | N/A | 6.1 MEDIUM |
| Orejime is a consent manager that focuses on accessibility. On HTML elements handled by Orejime prior to version 2.3.2, one could run malicious code by embedding `javascript:` code within data attributes. When consenting to the related purpose, Orejime would turn data attributes into unprefixed ones (i.e. `data-href` into `href`), thus executing the code. This shouldn't have any impact on most setups, as elements handled by Orejime are generally hardcoded. The problem would only arise if somebody could inject HTML code within pages. The problem has been patched in version 2.3.2. As a workaround, the problem can be fixed outside of Orejime by sanitizing attributes which could contain executable code. | |||||
| CVE-2025-0717 | 1 Cm-wp | 1 Social Slider Widget | 2026-01-13 | N/A | 3.5 LOW |
| To exploit the vulnerability, it is necessary: | |||||
| CVE-2025-30610 | 1 Catchsquare | 1 Wp Social Widget | 2026-01-13 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in catchsquare WP Social Widget allows Stored XSS. This issue affects WP Social Widget: from n/a through 2.2.6. | |||||
| CVE-2024-27189 | 1 Catchsquare | 1 Wp Social Widget | 2026-01-13 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in catchsquare WP Social Widget allows Stored XSS. This issue affects WP Social Widget: from n/a through 2.2.5. | |||||
| CVE-2022-50787 | 1 Sound4 | 17 Big Voice2, Big Voice2 Firmware, Big Voice4 and 14 more | 2026-01-13 | N/A | 7.2 HIGH |
| SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x contain an unauthenticated stored cross-site scripting vulnerability in the username parameter that allows attackers to inject malicious scripts. Attackers can exploit the unvalidated username input to execute arbitrary HTML and JavaScript code in victim browser sessions without authentication. | |||||
| CVE-2026-0627 | | | 2026-01-13 | N/A | 6.4 MEDIUM |
| The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes `<script>` tags while allowing other XSS vectors such as event handlers (onload, onerror, onmouseover), foreignObject elements, and SVG animation attributes. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts via malicious SVG file uploads that will execute whenever a user views the uploaded file. | |||||
| CVE-2026-22714 | | | 2026-01-13 | N/A | N/A |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Monaco Skin allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Monaco Skin: 1.45, 1.44, 1.43, 1.39. | |||||
