Export limit exceeded: 45553 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (45553 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2007-0537 | 2 Kde, Redhat | 2 Konqueror, Enterprise Linux | 2026-04-23 | N/A |
| The KDE HTML library (kdelibs), as used by Konqueror 3.5.5, does not properly parse HTML comments, which allows remote attackers to conduct cross-site scripting (XSS) attacks and bypass some XSS protection schemes by embedding certain HTML tags within a comment in a title tag, a related issue to CVE-2007-0478. | ||||
| CVE-2009-2442 | 1 Linea21 | 1 Linea21 | 2026-04-23 | N/A |
| Cross-site scripting (XSS) vulnerability in public/index.php in Linea21 1.2.1 allows remote attackers to inject arbitrary web script or HTML via the search parameter in a resultats-recherche action. | ||||
| CVE-2008-5011 | 1 Ibm | 2 Lotus, Lotus Domino | 2026-04-23 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in IBM Lotus Quickr 8.1 before 8.1.0.2 services for Lotus Domino allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to qpconfig_sample.xml, aka SPR CWIR7KMPVP and THES7F9NVR, a different vulnerability than CVE-2008-2163 and CVE-2008-3860. | ||||
| CVE-2009-3206 | 2 Drewish, Drupal | 2 Imagecache, Drupal | 2026-04-23 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the ImageCache module 5.x before 5.x-2.5 and 6.x before 6.x-2.0-beta10, a module for Drupal, allow remote authenticated users, with "administer imagecache" permissions, to inject arbitrary web script or HTML via unspecified vectors. | ||||
| CVE-2008-6360 | 1 Impresscms | 1 Impresscms | 2026-04-23 | N/A |
| Cross-site scripting (XSS) vulnerability in the userranks feature in modules/system/admin.php in ImpressCMS 1.0.2 final allows remote attackers to inject arbitrary web script or HTML via the rank_title parameter. NOTE: some of these details are obtained from third party information. | ||||
| CVE-2008-6891 | 1 Codetoad | 1 Asp Forum Script | 2026-04-23 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in ASP Forum Script allow remote attackers to inject arbitrary web script or HTML via the (1) forum_id parameter to (a) new_message.asp and (b) messages.asp, and the (2) query string to default.asp. | ||||
| CVE-2026-4919 | 1 Ibm | 1 Guardium Data Protection | 2026-04-23 | 4.8 Medium |
| IBM Guardium Data Protection 12.1 is vulnerable to cross-site scripting. This vulnerability allows an administrative user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | ||||
| CVE-2026-4918 | 1 Ibm | 1 Guardium Data Protection | 2026-04-23 | 5.5 Medium |
| IBM Guardium Data Protection 12.1 is vulnerable to stored cross-site scripting. This vulnerability allows an administrative user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | ||||
| CVE-2026-2352 | 2 Optimizingmatters, Wordpress | 2 Autooptimize, Wordpress | 2026-04-22 | 6.4 Medium |
| The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ao_post_preload' meta value in all versions up to, and including, 3.1.14. This is due to insufficient input sanitization in the `ao_metabox_save()` function and missing output escaping when the value is rendered into a `<link>` tag in `autoptimizeImages.php`. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, granted the "Image optimization" or "Lazy-load images" setting is enabled in the plugin configuration. | ||||
| CVE-2026-1647 | 2 Basiliskan, Wordpress | 2 Comment Genius, Wordpress | 2026-04-22 | 6.1 Medium |
| The Comment Genius plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2026-2440 | 2 Devsoftbaltic, Wordpress | 2 Surveyjs Drag Drop Wordpress Form Builder, Wordpress | 2026-04-22 | 7.2 High |
| The SurveyJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.5.3 via survey result submissions. This is due to insufficient input sanitization and output escaping. The public survey page exposes the nonce required for submission, allowing unauthenticated attackers to submit HTML-encoded payloads that are decoded and rendered as executable HTML when an administrator views survey results, leading to stored XSS in the admin context. | ||||
| CVE-2026-2512 | 2 Davidartiss, Wordpress | 2 Code Embed, Wordpress | 2026-04-22 | 6.4 Medium |
| The Code Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field meta values in all versions up to, and including, 2.5.1. This is due to the plugin's sanitization function `sec_check_post_fields()` only running on the `save_post` hook, while WordPress allows custom fields to be added via the `wp_ajax_add_meta` AJAX endpoint without triggering `save_post`. The `ce_filter()` function then outputs these unsanitized meta values directly into page content without escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-67618 | 2 Artstudioworks, Wordpress | 2 Brookside, Wordpress | 2026-04-22 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ArtstudioWorks Brookside allows Reflected XSS.This issue affects Brookside: from n/a through 1.4. | ||||
| CVE-2024-31119 | 2 Vasilis Triantafyllou, Wordpress | 2 Special Box For Content, Wordpress | 2026-04-22 | 5.9 Medium |
| Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Vasilis Triantafyllou Special Box for Content allows DOM-Based XSS.This issue affects Special Box for Content: from n/a through 1. | ||||
| CVE-2025-53222 | 2 Tagdiv, Wordpress | 2 Opt In Builder, Wordpress | 2026-04-22 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Opt-In Builder td-subscription allows Reflected XSS.This issue affects tagDiv Opt-In Builder: from n/a through <= 1.7.3. | ||||
| CVE-2025-50001 | 2 Tagdiv, Wordpress | 2 Tagdiv Composer, Wordpress | 2026-04-22 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer allows Reflected XSS.This issue affects tagDiv Composer: from n/a through <= 5.4.2. | ||||
| CVE-2026-2432 | 2 Creativemindssolutions, Wordpress | 2 Cm Custom Reports – Flexible Reporting To Track What Matters Most, Wordpress | 2026-04-22 | 4.4 Medium |
| The CM Custom Reports – Flexible reporting to track what matters most plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2026-4495 | 1 Atjiu | 1 Pybbs | 2026-04-22 | 3.5 Low |
| A security flaw has been discovered in atjiu pybbs 6.0.0. This impacts the function create of the file src/main/java/co/yiiu/pybbs/controller/api/CommentApiController.java. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. | ||||
| CVE-2026-3512 | 2 Alhadeff, Wordpress | 2 Writeprint Stylometry, Wordpress | 2026-04-22 | 6.1 Medium |
| The Writeprint Stylometry plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'p' GET parameter in all versions up to and including 0.1. This is due to insufficient input sanitization and output escaping in the bjl_wprintstylo_comments_nav() function. The function directly outputs the $_GET['p'] parameter into an HTML href attribute without any escaping. This makes it possible for authenticated attackers with Contributor-level permissions or higher to inject arbitrary web scripts in pages that execute if they can successfully trick another user into performing an action such as clicking on a link. | ||||
| CVE-2026-4083 | 2 Demonisblack, Wordpress | 2 Scoreboard For Html5 Games Lite, Wordpress | 2026-04-22 | 6.4 Medium |
| The Scoreboard for HTML5 Games Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'scoreboard' shortcode in all versions up to, and including, 1.2. The shortcode function sfhg_shortcode() allows arbitrary HTML attributes to be added to the rendered <iframe> element, with only a small blacklist of four attribute names (same_height_as, onload, onpageshow, onclick) being blocked. While the attribute names are passed through esc_html() and values through esc_attr(), this does not prevent injection of JavaScript event handler attributes like onfocus, onmouseover, onmouseenter, etc., because these attribute names and simple JavaScript payloads contain no characters that would be modified by these escaping functions. The shortcode text is stored in post_content and is only expanded to HTML at render time, after WordPress's kses filtering has already been applied to the raw post content. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||