Total
45033 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-26192 | 1 Openwebui | 1 Open Webui | 2026-06-17 | N/A | 7.3 HIGH |
| Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.7.0, aanually modifying chat history allows setting the `html` property within document metadata. This causes the frontend to enter a code path that treats document contents as HTML, and render them in an iFrame when the citation is previewed. This allows stored XSS via a weaponized document payload in a chat. The payload also executes when the citation is viewed on a shared chat. Version 0.7.0 fixes the issue. | |||||
| CVE-2026-26188 | 1 Solspace | 1 Freeform | 2026-06-17 | N/A | 5.4 MEDIUM |
| Solspace Freeform plugin for Craft CMS 5.x is a super flexible form-building tool. An authenticated, low-privilege user (able to create/edit forms) can inject arbitrary HTML/JS into the Craft Control Panel (CP) builder and integrations views. User-controlled form labels and integration metadata are rendered with dangerouslySetInnerHTML without sanitization, leading to stored XSS that executes when any admin views the builder/integration screens. This vulnerability is fixed in 5.14.7. | |||||
| CVE-2026-26144 | 1 Microsoft | 1 365 Apps | 2026-06-17 | N/A | 7.5 HIGH |
| Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network. | |||||
| CVE-2026-26105 | 1 Microsoft | 1 Sharepoint Server | 2026-06-17 | N/A | 8.1 HIGH |
| Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network. | |||||
| CVE-2026-26059 | 1 Churchcrm | 1 Churchcrm | 2026-06-17 | N/A | 5.4 MEDIUM |
| ChurchCRM is an open-source church management system. In versions prior to 6.8.2, it was possible for an authenticated user with permission to edit groups to store a JavaScript payload that would execute when the group was viewed in the Group View. Version 6.8.2 fixes this issue. | |||||
| CVE-2026-26028 | 2026-06-17 | N/A | 6.1 MEDIUM | ||
| CryptPad is an end-to-end encrypted collaborative office suite. In versions prior to 2026.2.0, the HTML sanitizer in Diffmarked.js can be bypassed due to incomplete attribute filtering on restricted tags. The sanitizer validates only the src attribute of <iframe>, <video>, and <audio> elements, leaving all other attributes unchecked. As a result, an attacker can inject arbitrary HTML through srcdoc, completely defeating CryptPad's intended bounce sandboxing and enabling link injection or other interactive content within user-controlled documents. The root cause lies in how the sanitizer classifies and enforces tag restrictions: although it defines both forbidden and restricted tag lists, <iframe> is treated as "restricted" rather than "forbidden." Enforcement then inspects only the src attribute, so pairing a benign blob: src with a malicious srcdoc results in unrestricted rendering. This issue has been fixed in version 2026.2.0. | |||||
| CVE-2026-26027 | 1 Glpi-project | 1 Glpi | 2026-06-17 | N/A | 7.5 HIGH |
| GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated user can store an XSS payload through the inventory endpoint. This vulnerability is fixed in 11.0.6. | |||||
| CVE-2026-26023 | 1 Dify | 1 Dify | 2026-06-17 | N/A | 6.1 MEDIUM |
| Dify is an open-source LLM app development platform. Prior to 1.13.0, a cross site scripting vulnerability has been found in the web application chat frontend when using echarts. User or llm inputs containing echarts containing a specific javascript payload will be executed. This vulnerability is fixed in 1.13.0. | |||||
| CVE-2026-26022 | 1 Gogs | 1 Gogs | 2026-06-17 | N/A | 8.7 HIGH |
| Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a stored cross-site scripting (XSS) vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI schemes, enabling authenticated users to inject arbitrary JavaScript execution via malicious links. This issue has been patched in version 0.14.2. | |||||
| CVE-2026-25972 | 1 Fortinet | 1 Fortisiem | 2026-06-17 | N/A | 4.3 MEDIUM |
| An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSIEM 7.4.0, FortiSIEM 7.3.0 through 7.3.4 may allow a remote unauthenticated attacker to provide arbitrary data enabling a social engineering attack via spoofed URL parameters. | |||||
| CVE-2026-25956 | 1 Frappe | 1 Frappe | 2026-06-17 | N/A | 6.1 MEDIUM |
| Frappe is a full-stack web application framework. Prior to 14.99.14 and 15.94.0, an attacker could craft a malicious signup URL for a frappe site which could lead to an open redirect (or reflected XSS, depending on the crafted payload) when a user signs up. This vulnerability is fixed in 14.99.14 and 15.94.0. | |||||
| CVE-2026-25935 | 1 Vikunja | 1 Vikunja | 2026-06-17 | N/A | 5.4 MEDIUM |
| Vikunja is a todo-app to organize your life. Prior to 1.1.0, TaskGlanceTooltip.vue temporarily creates a div and sets the innerHtml to the description. Since there is no escaping on either the server or client side, a malicious user can share a project, create a malicious task, and cause an XSS on hover. This vulnerability is fixed in 1.1.0. | |||||
| CVE-2026-25932 | 1 Glpi-project | 1 Glpi | 2026-06-17 | N/A | 7.2 HIGH |
| GLPI is a Free Asset and IT Management Software package. From 0.60 to before 10.0.24, an authenticated technician user can store an XSS payload in a supplier fields. This vulnerability is fixed in 10.0.24. | |||||
| CVE-2026-25901 | 1 Joomla | 1 Joomla\! | 2026-06-17 | N/A | 6.1 MEDIUM |
| Lack of output escaping leads to a XSS vector in the multilingual associations component. | |||||
| CVE-2026-25900 | 1 Joomla | 1 Joomla\! | 2026-06-17 | N/A | 6.1 MEDIUM |
| Lack of output escaping leads to a XSS vector in the feed modules. | |||||
| CVE-2026-25868 | 1 Rybber | 1 Minigal Nano | 2026-06-17 | N/A | 6.1 MEDIUM |
| MiniGal Nano version 0.3.5 and prior contain a reflected cross-site scripting (XSS) vulnerability in index.php via the dir parameter. The application constructs $currentdir from user-controlled input and embeds it into an error message without output encoding, allowing an attacker to supply HTML/JavaScript that is reflected in the response. Successful exploitation can lead to execution of arbitrary script in a victim's browser in the context of the vulnerable application. | |||||
| CVE-2026-25860 | 2026-06-17 | N/A | 6.1 MEDIUM | ||
| OpenClinic GA 5.351.19 contains a reflected cross-site scripting vulnerability in the DICOM image upload handler that allows attackers to execute arbitrary JavaScript in a victim's browser by embedding malicious payloads in DICOM file metadata fields. Attackers can craft a DICOM file with JavaScript payloads in metadata fields such as Study Description, which are reflected without sanitization in popup.jsp and archiving/uploadfiles_jsp.java when processed through the Upload DICOM images feature. | |||||
| CVE-2026-25847 | 1 Jetbrains | 1 Pycharm | 2026-06-17 | N/A | 8.2 HIGH |
| In JetBrains PyCharm before 2025.3.2 a DOM-based XSS on Jupyter viewer page was possible | |||||
| CVE-2026-25802 | 1 Newapi | 1 New Api | 2026-06-17 | N/A | 7.6 HIGH |
| New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.9, a potential unsafe operation occurs in component `MarkdownRenderer.jsx`, allowing for Cross-Site Scripting(XSS) when the model outputs items containing `<script>` tag. Version 0.10.8-alpha.9 fixes the issue. | |||||
| CVE-2026-25789 | 2026-06-17 | N/A | 7.1 HIGH | ||
| Affected devices do not properly validate and sanitize filenames on the Firmware Update page. This could allow a remote attacker to social engineer the user into selecting the modified firmware file to be uploaded. This would result in malitcious JavaScript execution in the context of the authenticated user's session without requiring the file to be uploaded, potentially leading to session hijacking or credential theft. | |||||
