Total
45136 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-30894 | 1 Joomla | 1 Joomla\! | 2026-06-17 | N/A | 6.1 MEDIUM |
| Lack of output escaping leads to a XSS vector in the content history component. | |||||
| CVE-2026-30882 | 1 Chamilo | 1 Chamilo Lms | 2026-06-17 | N/A | 6.1 MEDIUM |
| Chamilo LMS is a learning management system. Chamilo LMS version 1.11.34 and prior contains a Reflected Cross-Site Scripting (XSS) vulnerability in the session category listing page. The keyword parameter from $_REQUEST is echoed directly into an HTML href attribute without any encoding or sanitization. An attacker can inject arbitrary HTML/JavaScript by breaking out of the attribute context using ">followed by a malicious payload. The vulnerability is triggered when the pagination controls are rendered — which occurs when the number of session categories exceeds 20 (the page limit). This issue has been patched in version 1.11.36. | |||||
| CVE-2026-30879 | 1 Basercms | 1 Basercms | 2026-06-17 | N/A | 6.1 MEDIUM |
| baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has a cross-site scripting vulnerability in blog posts. This issue has been patched in version 5.2.3. | |||||
| CVE-2026-30862 | 1 Appsmith | 1 Appsmith | 2026-06-17 | N/A | 9.0 CRITICAL |
| Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.96, a Critical Stored XSS vulnerability exists in the Table Widget (TableWidgetV2). The root cause is a lack of HTML sanitization in the React component rendering pipeline, allowing malicious attributes to be interpolated into the DOM. By leveraging the "Invite Users" feature, an attacker with a regular user account (user@gmail.com) can force a System Administrator to execute a high-privileged API call (/api/v1/admin/env), resulting in a Full Administrative Account Takeover. This vulnerability is fixed in 1.96. | |||||
| CVE-2026-30841 | 1 Wallosapp | 1 Wallos | 2026-06-17 | N/A | 6.1 MEDIUM |
| Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, passwordreset.php outputs $_GET["token"] and $_GET["email"] directly into HTML input value attributes using <?= $token ?> and <?= $email ?> without calling htmlspecialchars(). This allows reflected XSS by breaking out of the attribute context. This issue has been patched in version 4.6.2. | |||||
| CVE-2026-30838 | 1 Thephpleague | 1 Commonmark | 2026-06-17 | N/A | 6.1 MEDIUM |
| league/commonmark is a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowed HTML tag name and the closing >. For example, <script\n> would pass through unfiltered and be rendered as a valid HTML tag by browsers. This is a cross-site scripting (XSS) vector for any application that relies on this extension to sanitize untrusted user input. All applications using the DisallowedRawHtml extension to process untrusted markdown are affected. Applications that use a dedicated HTML sanitizer (such as HTML Purifier) on the rendered output are not affected. This issue has been patched in version 2.8.1. | |||||
| CVE-2026-30830 | 1 Kepano | 1 Defuddle | 2026-06-17 | N/A | 6.1 MEDIUM |
| Defuddle cleans up HTML pages. Prior to version 0.9.0, the _findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping. An attacker can use a " in the alt attribute to break out of the attribute context and inject event handler. This issue has been patched in version 0.9.0. | |||||
| CVE-2026-30812 | 1 Artica | 1 Pandora Fms | 2026-06-17 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation vulnerability allows Stored Cross-Site Scripting via event comments. This issue affects Pandora FMS: from 777 through 800 | |||||
| CVE-2026-30691 | 2026-06-17 | N/A | 6.1 MEDIUM | ||
| Cross-Site Scripting (XSS) vulnerability in @cyntler/react-doc-viewer v1.17.1 allows remote attackers to execute arbitrary JavaScript via a crafted .txt file. The TXTRenderer component fails to sanitize file content and explicitly casts raw data as a ReactNode | |||||
| CVE-2026-30661 | 1 Idreamsoft | 1 Icms | 2026-06-17 | N/A | 6.1 MEDIUM |
| iCMS v8.0.0 contains a Cross-Site Scripting (XSS) vulnerability in the User Management component, specifically within the index.html file. This allows remote attackers to execute arbitrary web script or HTML via the regip or loginip parameters. | |||||
| CVE-2026-30587 | 1 Seafile | 1 Seafile Server | 2026-06-17 | N/A | 8.7 HIGH |
| Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15,13.0.16-pro,12.0.14 and prior and fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc (sdoc) editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows authenticated remote attackers to inject malicious JavaScript payloads via the src attribute of embedded Excalidraw whiteboards or the href attribute of anchor tags | |||||
| CVE-2026-30586 | 2026-06-17 | N/A | 6.1 MEDIUM | ||
| Cross Site Scripting vulnerability in usememos Memos v.0.26.0 allows a remote attacker to obtain sensitive information via the SANITIZE_SCHEMA, Memo Rendering Component, and Public/Private Memo View pages | |||||
| CVE-2026-30579 | 1 Leefish | 1 File Thingie | 2026-06-17 | N/A | 6.5 MEDIUM |
| File Thingie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious user can leverage the "upload file" functionality to upload a file with a crafted file name used to trigger a Javascript payload. | |||||
| CVE-2026-30578 | 1 Leefish | 1 File Thingie | 2026-06-17 | N/A | 6.5 MEDIUM |
| File Thinghie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious user can leverage the "dir" parameter of the GET request to invoke arbitrary javascript code. | |||||
| CVE-2026-30571 | 1 Ahsanriaz26gmailcom | 1 Inventory System | 2026-06-17 | N/A | 6.1 MEDIUM |
| A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in the view_category.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL. | |||||
| CVE-2026-30570 | 1 Ahsanriaz26gmailcom | 1 Inventory System | 2026-06-17 | N/A | 6.1 MEDIUM |
| A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in the view_sales.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL | |||||
| CVE-2026-30569 | 1 Ahsanriaz26gmailcom | 1 Inventory System | 2026-06-17 | N/A | 6.1 MEDIUM |
| A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the view_stock_availability.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL. | |||||
| CVE-2026-30568 | 1 Ahsanriaz26gmailcom | 1 Inventory System | 2026-06-17 | N/A | 4.8 MEDIUM |
| A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in in the view_purchase.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL. | |||||
| CVE-2026-30567 | 1 Ahsanriaz26gmailcom | 1 Inventory System | 2026-06-17 | N/A | 6.1 MEDIUM |
| A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in the view_product.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL. | |||||
| CVE-2026-30566 | 1 Ahsanriaz26gmailcom | 1 Sales And Inventory System | 2026-06-17 | N/A | 6.1 MEDIUM |
| A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the view_customers.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL. | |||||
