Vulnerabilities (CVE)

Filtered by CWE-79
Total 45131 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2026-30560 1 Ahsanriaz26gmailcom 1 Sales And Inventory System 2026-06-17 N/A 6.1 MEDIUM
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_supplier.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
CVE-2026-30559 1 Ahsanriaz26gmailcom 1 Sales And Inventory System 2026-06-17 N/A 6.1 MEDIUM
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_sales.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
CVE-2026-30558 1 Ahsanriaz26gmailcom 1 Sales And Inventory System 2026-06-17 N/A 6.1 MEDIUM
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_customer.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
CVE-2026-30557 1 Ahsanriaz26gmailcom 1 Sales And Inventory System 2026-06-17 N/A 6.1 MEDIUM
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_category.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
CVE-2026-30556 1 Ahsanriaz26gmailcom 1 Sales And Inventory System 2026-06-17 N/A 6.1 MEDIUM
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the index.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
CVE-2026-30527 1 Oretnom23 1 Online Food Ordering System 2026-06-17 N/A 5.4 MEDIUM
A Stored Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Category management module within the admin panel. The application fails to properly sanitize user input supplied to the "Category Name" field when creating or updating a category. When an administrator or user visits the Category list page (or any page where this category is rendered), the injected JavaScript executes immediately in their browser.
CVE-2026-30526 1 Pushpam02 1 Zoo Management System 2026-06-17 N/A 6.1 MEDIUM
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Zoo Management System v1.0. The vulnerability is located in the login page, specifically within the msg parameter. The application reflects the content of the msg parameter back to the user without proper HTML encoding or sanitization. This allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
CVE-2026-30252 1 Interzen 4 Zencrm, Zenhr, Zenproject and 1 more 2026-06-17 N/A 6.1 MEDIUM
Multiple reflected cross-site scripting (XSS) vulnerabilities in the login.php endpoint of Interzen Consulting S.r.l ZenShare Suite v17.0 allows attackers to execute arbitrary Javascript in the context of the user's browser via a crafted URL injected into the codice_azienda and red_url parameters.
CVE-2026-30251 1 Interzen 1 Zenshare Suite 2026-06-17 N/A 6.1 MEDIUM
A reflected cross-site scripting (XSS) vulnerability in the login_newpwd.php endpoint of Interzen Consulting S.r.l ZenShare Suite v17.0 allows attackers to execute arbitrary Javascript in the context of the user's browser via a crafted URL injected into the codice_azienda parameter.
CVE-2026-30238 1 Intermesh 1 Group-office 2026-06-17 N/A 6.1 MEDIUM
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in GroupOffice on the external/index flow. The f parameter (Base64 JSON) is decoded and then injected into an inline JavaScript block without strict escaping, allowing </script><script>...</script> injection and arbitrary JavaScript execution in the victim's browser. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10.
CVE-2026-30237 1 Intermesh 1 Group-office 2026-06-17 N/A 6.1 MEDIUM
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in the GroupOffice installer, endpoint install/license.php. The POST field license is rendered without escaping inside a <textarea>, allowing a </textarea><script>...</script> breakout.. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10.
CVE-2026-30235 1 Openproject 1 Openproject 2026-06-17 N/A 6.5 MEDIUM
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, this vulnerability occurs due to improper validation of OpenProject’s Markdown rendering, specifically in the hyperlink handling. This allows an attacker to inject malicious hyperlink payloads that perform DOM clobbering. DOM clobbering can crash or blank the entire page by overwriting native DOM functions with HTML elements, causing critical JavaScript calls to throw runtime errors during application initialization and halt further execution. This vulnerability is fixed in 17.2.0.
CVE-2026-30162 1 Auntvt 1 Timo 2026-06-17 N/A 6.1 MEDIUM
Cross Site Scripting (xss) vulnerability in Timo 2.0.3 via crafted links in the title field.
CVE-2026-30139 2026-06-17 N/A 6.1 MEDIUM
A reflected cross-site scripting (XSS) vulnerability in the AdvancedSearch functionality of Silverpeas Core before version 6.4.6 allows attackers to execute arbitrary JavaScript in the context of a user's browser via crafted input.
CVE-2026-30048 2026-06-17 N/A 5.4 MEDIUM
A stored cross-site scripting (XSS) vulnerability exists in the NotChatbot WebChat widget thru 1.4.4. User-supplied input is not properly sanitized before being stored and rendered in the chat conversation history. This allows an attacker to inject arbitrary JavaScript code which is executed when the chat history is reloaded. The issue is reproducible across multiple independent implementations of the widget, indicating that the vulnerability resides in the product itself rather than in a specific website configuration.
CVE-2026-2995 1 Gitlab 1 Gitlab 2026-06-17 N/A 7.7 HIGH
GitLab has remediated an issue in GitLab EE affecting all versions from 15.4 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to add email addresses to targeted user accounts due to improper sanitization of HTML content.
CVE-2026-2988 2026-06-17 N/A 6.4 MEDIUM
The Blubrry PowerPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'powerpress' and 'podcast' shortcodes in versions up to, and including, 11.15.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-2987 2026-06-17 N/A 6.1 MEDIUM
The Simple Ajax Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'c' parameter in versions up to, and including, 20260217 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-2986 2026-06-17 N/A 6.4 MEDIUM
The Contextual Related Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'other_attributes' parameter in versions up to, and including, 4.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-2973 1 Gitlab 1 Gitlab 2026-06-17 N/A 5.4 MEDIUM
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to execute arbitrary JavaScript in a user's browser due to improper sanitization of entity-encoded content in Mermaid diagrams.