Total
41566 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-24778 | 1 Ghost | 2 Ghost, Portal | 2026-02-02 | N/A | 8.8 HIGH |
| Ghost is an open source content management system. In Ghost versions 5.43.0 through 5.12.04 and 6.0.0 through 6.14.0, an attacker was able to craft a malicious link that, when accessed by an authenticated staff user or member, would execute JavaScript with the victim's permissions, potentially leading to account takeover. Ghost Portal versions 2.29.1 through 2.51.4 and 2.52.0 through 2.57.0 were vulnerable to this issue. Ghost automatically loads the latest patch of the members Portal component via CDN. For Ghost 5.x users, upgrading to v5.121.0 or later fixes the vulnerability. v5.121.0 loads Portal v2.51.5, which contains the patch. For Ghost 6.x users, upgrading to v6.15.0 or later fixes the vulnerability. v6.15.0 loads Portal v2.57.1, which contains the patch. For Ghost installations using a customized or self-hosted version of Portal, it will be necessary to manually rebuild from or update to the latest patch version. | |||||
| CVE-2026-23841 | 1 Leepeuker | 1 Movary | 2026-02-02 | N/A | 9.3 CRITICAL |
| Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryCreated=`. Version 0.70.0 fixes the issue. | |||||
| CVE-2026-23516 | 1 Cvat | 1 Cvat | 2026-02-02 | N/A | 5.4 MEDIUM |
| CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.2.0 through 2.54.0, an attacker is able to execute arbitrary JavaScript in a victim user's CVAT UI session, provided that they are able to create a maliciously crafted label in a CVAT task or project, then get the victim user to either edit that label, or view a shape that refers to that label; and/or get the victim user to upload a maliciously crafted SVG image when configuring a skeleton. This gives the attacker temporary access to all CVAT resources that the victim user can access. Version 2.55.0 fixes the issue. | |||||
| CVE-2018-7543 | 1 Awesomemotive | 1 Duplicator | 2026-02-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in installer/build/view.step4.php of the SnapCreek Duplicator plugin 1.2.32 for WordPress allows remote attackers to inject arbitrary JavaScript or HTML via the json parameter. | |||||
| CVE-2025-59935 | 1 Glpi-project | 1 Glpi | 2026-02-02 | N/A | 6.5 MEDIUM |
| GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.21, an unauthenticated user can store an XSS payload through the inventory endpoint. Users should upgrade to 10.0.21 to receive a patch. | |||||
| CVE-2026-24127 | 1 Typemill | 1 Typemill | 2026-02-02 | N/A | 5.4 MEDIUM |
| Typemill is a flat-file, Markdown-based CMS designed for informational documentation websites. A reflected Cross-Site Scripting (XSS) exists in the login error view template `login.twig` of versions 2.19.1 and below. The `username` value can be echoed back without proper contextual encoding when authentication fails. An attacker can execute script in the login page context. This issue has been fixed in version 2.19.2. | |||||
| CVE-2026-1446 | 1 Esri | 1 Arcgis Pro | 2026-02-02 | N/A | 5.0 MEDIUM |
| There is a Cross Site Scripting issue in Esri ArcGIS Pro versions 3.6.0 and earlier. A local attacker could supply malicious strings into ArcGIS Pro which may execute when a specific dialog is opened. This issue is fixed in ArcGIS Pro 3.6.1. | |||||
| CVE-2026-25154 | 2026-01-30 | N/A | 6.1 MEDIUM | ||
| LocalSend is a free, open-source app that allows users to share files and messages with nearby devices over their local network without needing an internet connection. In versions up to and including 1.17.0, when a user initiates a "Share via Link" session, the LocalSend application starts a local HTTP server to host the selected files. The client-side logic for this web interface is contained in `app/assets/web/main.js`. Note that at [0], the `handleFilesDisplay` function constructs the HTML for the file list by iterating over the files received from the server. Commit 8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c contains a patch. | |||||
| CVE-2026-1705 | 2026-01-30 | 3.3 LOW | 2.4 LOW | ||
| A vulnerability was detected in D-Link DSL-6641K N8.TR069.20131126. Affected by this issue is the function ad_virtual_server_vdsl of the component Web Interface. Performing a manipulation of the argument Name results in cross site scripting. It is possible to initiate the attack remotely. The exploit is now public and may be used. | |||||
| CVE-2025-27924 | 1 Nintex | 1 Automation | 2026-01-30 | N/A | 5.4 MEDIUM |
| Nintex Automation 5.6 and 5.7 before 5.8 has a stored XSS issue associated with the "Navigate to a URL" action. | |||||
| CVE-2024-24506 | 1 Limesurvey | 1 Limesurvey | 2026-01-30 | N/A | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in Lime Survey Community Edition Version v.5.3.32+220817, allows remote attackers to execute arbitrary code via the Administrator email address parameter in the General Setting function. | |||||
| CVE-2023-33940 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2026-01-30 | N/A | 4.8 MEDIUM |
| Cross-site scripting (XSS) vulnerability in IFrame type Remote Apps in Liferay Portal 7.4.0 through 7.4.3.30, and Liferay DXP 7.4 before update 31 allows remote attackers to inject arbitrary web script or HTML via the Remote App's IFrame URL. | |||||
| CVE-2023-33939 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2026-01-30 | N/A | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal 7.1.0 through 7.4.3.12, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 18, 7.3 before update 4, and 7.4 before update 9 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a facet label. | |||||
| CVE-2023-33944 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2026-01-30 | N/A | 4.8 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Layout module in Liferay Portal 7.3.4 through 7.4.3.68, and Liferay DXP 7.3 before update 24, and 7.4 before update 69 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a container type layout fragment's `URL` text field. | |||||
| CVE-2023-33943 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2026-01-30 | N/A | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Account module in Liferay Portal 7.4.3.21 through 7.4.3.62, and Liferay DXP 7.4 update 21 through 62 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user's (1) First Name, (2) Middle Name, (3) Last Name, or (4) Job Title text field. | |||||
| CVE-2025-13505 | 1 Datateam | 1 Datactive | 2026-01-30 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting'), Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Datateam Information Technologies Inc. Datactive allows Stored XSS.This issue affects Datactive: from 2.13.34 before 2.14.0.6. | |||||
| CVE-2023-50836 | 1 Linksoftwarellc | 1 Html Forms | 2026-01-30 | N/A | 5.9 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ibericode HTML Forms allows Stored XSS.This issue affects HTML Forms: from n/a through 1.3.28. | |||||
| CVE-2024-6243 | 1 Linksoftwarellc | 1 Html Forms | 2026-01-30 | N/A | 4.8 MEDIUM |
| The HTML Forms WordPress plugin before 1.3.33 does not sanitize and escape the form message inputs, allowing high-privilege users, such as administrators, to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disabled. | |||||
| CVE-2025-46236 | 1 Linksoftwarellc | 1 Html Forms | 2026-01-30 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Link Software LLC HTML Forms allows Stored XSS. This issue affects HTML Forms: from n/a through 1.5.2. | |||||
| CVE-2026-21642 | 1 Aquaplatform | 1 Revive Adserver | 2026-01-30 | N/A | 6.1 MEDIUM |
| HackerOne community member Patrick Lang (7yr) has reported a reflected XSS vulnerability in the `banner-acl.php` and `channel-acl.php` scripts of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed. | |||||