Export limit exceeded: 358869 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (46718 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-8071 | 2 Cleantalk, Wordpress | 2 Spam Protection, Wordpress | 2026-06-10 | 8.8 High |
| The Anti-Spam by CleanTalk. Spam protection WordPress plugin before 6.79 does not properly sanitize content within a custom shortcode used in its email-encoding feature, allowing unauthenticated attackers to inject arbitrary web scripts into approved comments that will execute when any user (including administrators) views the post. | ||||
| CVE-2026-9060 | 2 Store Locator Wordpress, Wordpress | 2 Store Locator Wordpress, Wordpress | 2026-06-10 | 3.5 Low |
| The Store Locator WordPress plugin before 1.6.6 does not sanitize and escape one of its settings before storing it and outputting it on the Store Locator WordPress plugin before 1.6.6 admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks even when the `unfiltered_html` capability is disallowed (e.g. in a multisite network where the super admin visits the page). | ||||
| CVE-2026-8613 | 2 Athemes, Wordpress | 2 Athemes Addons For Elementor, Wordpress | 2026-06-10 | 6.4 Medium |
| The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'title_tag' Widget Setting in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This affects the Posts Timeline widget as well as the Posts Carousel widget across its default, Banner, and Modern skins, all of which omit the whitelist validation that is correctly applied in the Posts List widget. | ||||
| CVE-2026-47281 | 1 Microsoft | 1 Visual Studio Code | 2026-06-10 | 9.6 Critical |
| Improper input validation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network. | ||||
| CVE-2026-11434 | 1 Fluentcms | 1 Fluentcms | 2026-06-10 | 2.4 Low |
| A weakness has been identified in FluentCMS 0.0.5. The impacted element is an unknown function of the file /admin/blocks of the component Blocks Plugin. This manipulation causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-11660 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-06-10 | 8.3 High |
| Insufficient validation of untrusted input in New Tab Page in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2019-25737 | 2 Screets, Wordpress | 2 Live Chat Unlimited, Wordpress | 2026-06-10 | 6.1 Medium |
| Live Chat Unlimited 2.8.3 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the chat input field. Attackers can submit payloads containing script tags and event handlers that execute in the admin area, enabling cookie theft or forced redirects to malicious websites. | ||||
| CVE-2019-25744 | 2 Popup Builder, Wordpress | 2 Popup Builder, Wordpress | 2026-06-10 | 5.4 Medium |
| WordPress Popup Builder 3.49 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by breaking out of option tags in the post_title parameter. Attackers can submit crafted POST requests to the post.php endpoint with script payloads in the post_title field that execute when pages or posts display popup selections. | ||||
| CVE-2019-25743 | 2 Soliloquywp, Wordpress | 2 Soliloquy Lite, Wordpress | 2026-06-10 | 5.4 Medium |
| WordPress Soliloquy Lite 2.5.6 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by inserting script tags in the post title field. Attackers can submit POST requests to the post editing endpoint with script payloads in the post_title parameter, which are stored and executed when users preview the post. | ||||
| CVE-2019-25742 | 2 Fruitfulcode, Wordpress | 2 Zoner Real Estate, Wordpress | 2026-06-10 | 5.4 Medium |
| WordPress Theme Zoner Real Estate 4.1.1 contains a persistent cross-site scripting vulnerability that allows authenticated agents to inject malicious scripts through the Address input field when creating properties. Attackers can inject JavaScript payloads in the property creation form that execute when administrators view the property for approval, enabling cookie theft and session hijacking. | ||||
| CVE-2019-25739 | 1 Gigtodoscript | 1 Gigtodo | 2026-06-10 | 5.4 Medium |
| GigToDo 1.3 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript and HTML code through the proposal description field. Attackers can craft XSS payloads in the create_proposal endpoint that execute when administrators or other users view the stored proposal, enabling cookie theft and malicious redirects. | ||||
| CVE-2019-25731 | 1 Zuz | 1 Zuz Music | 2026-06-10 | 6.1 Medium |
| Zuz Music 2.1 contains a persistent cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious JavaScript by submitting crafted contact form data. Attackers can inject script code through the name, subject, and message parameters in POST requests to /gmusic/zuzconsole/___contact, which executes when administrators view messages in the inbox interface. | ||||
| CVE-2018-25384 | 1 Wikidforum | 1 Wikidforum | 2026-06-10 | 5.4 Medium |
| Wikidforum 2.20 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted HTML in the reply_text parameter. Attackers can post comments containing JavaScript code through the rpc.php endpoint that executes in other users' browsers when viewing forum replies. | ||||
| CVE-2026-36728 | 1 Fastapiadmin | 1 Fastapiadmin | 2026-06-10 | 5.4 Medium |
| A markdown based cross-site scripting (XSS) vulnerability in the AI assistant chat function of FastapiAdmin v2.2.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into a chat message. | ||||
| CVE-2026-41098 | 1 Microsoft | 1 Azure Stack Edge | 2026-06-09 | 8.4 High |
| Improper neutralization of input during web page generation ('cross-site scripting') in Azure Stack Edge allows an authorized attacker to perform spoofing over a network. | ||||
| CVE-2026-8599 | 2 Mailerpress, Wordpress | 2 Mailerpress – Email Marketing, Newsletter, Email Automation & Woocommerce Emails, Wordpress | 2026-06-09 | 6.4 Medium |
| The MailerPress – Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Campaign HTML Content Field in all versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The public-facing campaign preview endpoint (/mp-email/{id}-slug/) is not affected by this vulnerability, as it applies a Content-Security-Policy header blocking all inline scripts; exploitation is limited to the admin dashboard preview. | ||||
| CVE-2026-11237 | 1 Google | 1 Chrome | 2026-06-09 | 8.3 High |
| Insufficient validation of untrusted input in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2026-29170 | 2 Apache, Apache Software Foundation | 2 Http Server, Apache Http Server | 2026-06-09 | 6.1 Medium |
| A cross-site scripting vulnerability exists in mod_proxy_ftp's HTML directory list generation in Apache HTTP Server 2.4.67 and earlier when listing FTP directory contents either via forward or reverse proxy configuration. Users are recommended to upgrade to version 2.4.68, which fixes this issue. | ||||
| CVE-2026-47900 | 1 Logseq | 1 Logseq | 2026-06-09 | N/A |
| Logseq is vulnerable to a stored cross-site scripting (XSS). A malicious plugin can include a JavaScript payload in the "name" field of its "package.json" file, which is rendered using "innerHTML" without proper sanitization, allowing the execution of arbitrary code in the privileged host context. While only version v0.10.15 was tested and confirmed as vulnerable, status of other versions is unknown since this issue was not addressed by a patch. | ||||
| CVE-2026-8895 | 2 Kenz60, Wordpress | 2 Kk Blog Card, Wordpress | 2026-06-09 | 6.4 Medium |
| The kk blog card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'blog-card' shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on the shortcode's 'href' and 'type' attributes, which are concatenated directly into HTML attribute contexts in the shortcode callback registered in kk-blog-card-shortcode.php. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||