Total
45110 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-28756 | 1 Zohocorp | 1 Manageengine Exchange Reporter Plus | 2026-06-17 | N/A | 7.3 HIGH |
| Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Permissions based on Distribution Groups report. | |||||
| CVE-2026-28754 | 1 Zohocorp | 1 Manageengine Exchange Reporter Plus | 2026-06-17 | N/A | 7.3 HIGH |
| Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Distribution Lists report. | |||||
| CVE-2026-28703 | 1 Zohocorp | 1 Manageengine Exchange Reporter Plus | 2026-06-17 | N/A | 7.3 HIGH |
| Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Mails Exchanged Between Users report. | |||||
| CVE-2026-28683 | 1 Forceu | 1 Gokapi | 2026-06-17 | N/A | 8.7 HIGH |
| Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, if a malicious authenticated user uploads SVG and creates a hotlink for it, they can achieve stored XSS. This issue has been patched in version 2.2.3. | |||||
| CVE-2026-28561 | 1 Gvectors | 1 Wpforo Forum | 2026-06-17 | N/A | 5.5 MEDIUM |
| wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows administrators to inject persistent JavaScript via forum description fields echoed without output escaping across multiple theme template files. On multisite installations or with a compromised admin account, attackers set a forum description containing HTML event handlers that execute when any user views the forum listing. | |||||
| CVE-2026-28560 | 1 Gvectors | 1 Wpforo Forum | 2026-06-17 | N/A | 5.5 MEDIUM |
| wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows script injection via forum URL data output into an inline script block using json_encode without the JSON_HEX_TAG flag. Attackers set a forum slug containing a closing script tag or unescaped single quote to break out of the JavaScript string context and execute arbitrary script in all visitors' browsers. | |||||
| CVE-2026-28558 | 1 Gvectors | 1 Wpforo Forum | 2026-06-17 | N/A | 6.4 MEDIUM |
| wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows authenticated subscribers to upload SVG files as profile avatars through the avatar upload functionality. Attackers upload a crafted SVG containing CSS injection or JavaScript event handlers that execute in the browsers of any user who views the attacker's profile page. | |||||
| CVE-2026-28509 | 1 Langbot | 1 Langbot | 2026-06-17 | N/A | 6.3 MEDIUM |
| LangBot is a global IM bot platform designed for LLMs. Prior to version 4.8.7, LangBot’s web UI renders user-supplied raw HTML using rehypeRaw, which can lead to a cross-site scripting (XSS) vulnerability. This issue has been patched in version 4.8.7. | |||||
| CVE-2026-28499 | 1 Vapor | 1 Leafkit | 2026-06-17 | N/A | 6.1 MEDIUM |
| LeafKit is a templating language with Swift-inspired syntax. Prior to version 1.14.2, HTML escaping doesn't work correctly when a template prints a collection (Array / Dictionary) via `#(value)`. This can result in XSS, allowing potentially untrusted input to be rendered unescaped. Version 1.14.2 fixes the issue. | |||||
| CVE-2026-28445 | 2026-06-17 | N/A | 8.7 HIGH | ||
| Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the RatingButton component in the embed package renders the user-controlled customIcon.svg field directly via Solid's innerHTML directive without any sanitization, even though DOMPurify is already a dependency and is used elsewhere in the codebase (e.g., StreamingBubble.tsx). Because rating blocks are not flagged as isUnsafe by the import sanitizer and the builder preview renders bots inline on the builder's own origin (builder.typebot.io) under a CSP permitting 'unsafe-inline', a malicious imported or collaborator-crafted typebot can execute arbitrary HTML/JS in the builder's authenticated context, bypassing the Web Worker sandbox that protects Script blocks during preview. This allows session hijacking and privilege escalation within the builder application. This issue has been fixed in version 3.16.0. | |||||
| CVE-2026-28436 | 1 Frappe | 1 Frappe | 2026-06-17 | N/A | 7.2 HIGH |
| Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL that results in XSS when the avatar is displayed, and it can be triggered for other users via website page comments. This issue has been patched in versions 16.11.0 and 15.102.0. | |||||
| CVE-2026-28426 | 1 Statamic | 1 Statamic | 2026-06-17 | N/A | 8.7 HIGH |
| Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, stored XSS vulnerability in svg and icon related components allow authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This has been fixed in 5.73.11 and 6.4.0. | |||||
| CVE-2026-28405 | 1 Markusproject | 1 Markus | 2026-06-17 | N/A | 8.0 HIGH |
| MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.1, the courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content route reads the contents of a student-submitted file and renders them without sanitization. This issue has been patched in version 2.9.1. | |||||
| CVE-2026-28401 | 1 Nocodb | 1 Nocodb | 2026-06-17 | N/A | 5.4 MEDIUM |
| NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, rich text cell content rendered via v-html without sanitization enables stored XSS. This issue has been patched in version 0.301.3. | |||||
| CVE-2026-28398 | 1 Nocodb | 1 Nocodb | 2026-06-17 | N/A | 5.4 MEDIUM |
| NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, user-controlled content in comments and rich text cells was rendered via v-html without sanitization, enabling stored XSS. This issue has been patched in version 0.301.3. | |||||
| CVE-2026-28397 | 1 Nocodb | 1 Nocodb | 2026-06-17 | N/A | 5.4 MEDIUM |
| NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, comments rendered via v-html without sanitization enable stored XSS. This issue has been patched in version 0.301.3. | |||||
| CVE-2026-28359 | 1 Nocodb | 1 Nocodb | 2026-06-17 | N/A | 5.4 MEDIUM |
| NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Editor role can inject arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API. This issue has been patched in version 0.301.3. | |||||
| CVE-2026-28357 | 1 Nocodb | 1 Nocodb | 2026-06-17 | N/A | 5.4 MEDIUM |
| NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, a stored XSS vulnerability exists in the Formula virtual cell. Formula results containing URI::() patterns are rendered via v-html without sanitization, allowing injected HTML to execute. This issue has been patched in version 0.301.3. | |||||
| CVE-2026-28355 | 2026-06-17 | N/A | N/A | ||
| Canarytokens help track activity and actions on a network. Versions prior to `sha-7ff0e12` have a Self Cross-Site Scripting vulnerability in the "PWA" Canarytoken, whereby the Canarytoken's creator can attack themselves or someone they share the link with. The creator of a PWA Canarytoken can insert Javascript into the title field of their PWA token. When the creator later browses the installation page for their own Canarytoken, the Javascript executes. This is a self-XSS. An attacker could create a Canarytoken with this self-XSS, and send the install link to a victim. When they click on it, the Javascript would execute. However, no sensitive information (ex. session information) will be disclosed to the malicious actor. This issue is now patched on Canarytokens.org. Users of self-hosted Canarytokens installations can update by pulling the latest Docker image, or any Docker image after sha-7ff0e12. | |||||
| CVE-2026-28343 | 1 Ckeditor | 1 Ckeditor5 | 2026-06-17 | N/A | 6.4 MEDIUM |
| CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. Starting in version 29.0.0 and prior to version 47.6.0, a cross-site scripting (XSS) vulnerability has been discovered in the General HTML Support feature. This vulnerability could be triggered by inserting specially crafted markup, leading to unauthorized JavaScript code execution, if the editor instance used an unsafe General HTML Support configuration. This issue has been patched in version 47.6.0. | |||||
