Total
42130 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-27359 | 2026-03-06 | N/A | 7.1 HIGH | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fox-themes Awa Plugins awa-plugins allows Reflected XSS.This issue affects Awa Plugins: from n/a through <= 1.4.4. | |||||
| CVE-2026-26022 | 1 Gogs | 1 Gogs | 2026-03-06 | N/A | 8.7 HIGH |
| Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a stored cross-site scripting (XSS) vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI schemes, enabling authenticated users to inject arbitrary JavaScript execution via malicious links. This issue has been patched in version 0.14.2. | |||||
| CVE-2026-26195 | 1 Gogs | 1 Gogs | 2026-03-06 | N/A | 6.1 MEDIUM |
| Gogs is an open source self-hosted Git service. Prior to version 0.14.2, stored xss is still possible through unsafe template rendering that mixes user input with safe plus permissive sanitizer handling of data urls. This issue has been patched in version 0.14.2. | |||||
| CVE-2026-28042 | 2026-03-06 | N/A | 7.1 HIGH | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Astoundify Listify listify allows Reflected XSS.This issue affects Listify: from n/a through <= 3.2.5. | |||||
| CVE-2026-28037 | 2026-03-06 | N/A | 7.1 HIGH | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ashanjay EventON eventon allows Reflected XSS.This issue affects EventON: from n/a through <= 4.9.12. | |||||
| CVE-2019-25502 | 1 Simplejobscript | 1 Simplejobscript | 2026-03-05 | N/A | 6.1 MEDIUM |
| Simple Job Script contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the job_type_value parameter in the jobs endpoint. Attackers can craft requests with SVG payload injection to execute arbitrary JavaScript in victim browsers and steal session cookies or perform unauthorized actions. | |||||
| CVE-2026-26276 | 1 Gogs | 1 Gogs | 2026-03-05 | N/A | 7.3 HIGH |
| Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an attacker can store an HTML/JavaScript payload in a repository’s Milestone name, and when another user selects that Milestone on the New Issue page (/issues/new), a DOM-Based XSS is triggered. This issue has been patched in version 0.14.2. | |||||
| CVE-2021-35483 | 1 Nokia | 1 Impact | 2026-03-05 | N/A | 4.1 MEDIUM |
| The Applications component of Nokia IMPACT version through 19.11.2.10-20210118042150283 allows an authenticated user to arbitrarily upload JavaScript files via the /ui/rest-proxy/application fileupload parameter. This can occur during the adding of a new application, or during the editing of an existing one. If an authenticated user visits the web page where the file is published, the JavaScript code is executed. | |||||
| CVE-2026-2201 | 1 Zerowdd | 1 Studentmanager | 2026-03-05 | 3.3 LOW | 2.4 LOW |
| A security vulnerability has been detected in ZeroWdd studentmanager up to 2151560fc0a50ec00426785ec1e01a3763b380d9. This impacts the function addLeave of the file src/main/java/com/wdd/studentmanager/controller/LeaveController.java. The manipulation of the argument Reason for Leave leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The code repository of the project has not been active for many years. | |||||
| CVE-2026-2145 | 1 Cym1102 | 1 Nginxwebui | 2026-03-05 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was identified in cym1102 nginxWebUI up to 4.3.7. The impacted element is an unknown function of the file /adminPage/conf/check of the component Web Management Interface. Such manipulation of the argument nginxDir leads to cross site scripting. The attack can be executed remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2026-21866 | 1 Dify | 1 Dify | 2026-03-05 | N/A | 5.4 MEDIUM |
| Dify is an open-source LLM app development platform. Prior to 1.11.2, Dify is vulnerable to a stored XSS issue when rendering Mermaid diagrams within chats. This occurs because Dify’s default Mermaid configuration uses securityLevel: loose, which allows potentially unsafe content to execute. This vulnerability is fixed in 1.11.2. | |||||
| CVE-2026-25590 | 1 Glpi-project | 1 Glpi Inventory | 2026-03-05 | N/A | 4.5 MEDIUM |
| The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, there is a reflected XSS vulnerability in task jobs. This vulnerability is fixed in 1.6.6. | |||||
| CVE-2026-26266 | 1 Aliasvault | 1 Aliasvault | 2026-03-05 | N/A | 9.3 CRITICAL |
| AliasVault is a privacy-first password manager with built-in email aliasing. A stored cross-site scripting (XSS) vulnerability was identified in the email rendering feature of AliasVault Web Client versions 0.25.3 and lower. When viewing received emails on an alias, the HTML content is rendered in an iframe using srcdoc, which does not provide origin isolation. An attacker can send a crafted email containing malicious JavaScript to any AliasVault email alias. When the victim views the email in the web client, the script executes in the same origin as the application. No sanitization or sandboxing was applied to email HTML content before rendering. This vulnerability is fixed in 0.26.0.[ | |||||
| CVE-2026-26272 | 1 Sysadminsmedia | 1 Homebox | 2026-03-05 | N/A | 4.6 MEDIUM |
| HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, a stored cross-site scripting (XSS) vulnerability exists in the item attachment upload functionality. The application does not properly validate or restrict uploaded file types, allowing an authenticated user to upload malicious HTML or SVG files containing executable JavaScript (also, potentially other formats that render scripts). Uploaded attachments are accessible via direct links. When a user accesses such a file in their browser, the embedded JavaScript executes in the context of the application's origin. This vulnerability is fixed in 0.24.0-rc.1. | |||||
| CVE-2021-47857 | 1 Moodle | 1 Moodle | 2026-03-05 | N/A | 7.2 HIGH |
| Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in the calendar event subtitle field that allows attackers to inject malicious scripts. Attackers can craft a calendar event with malicious JavaScript in the subtitle track label to execute arbitrary code when users view the event. | |||||
| CVE-2026-20102 | 2026-03-05 | N/A | 6.1 MEDIUM | ||
| A vulnerability in the SAML 2.0 single sign-on (SSO) feature of Cisco Secure Firewall ASA Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the SAML feature and access sensitive, browser-based information. This vulnerability is due to insufficient input validation of multiple HTTP parameters. An attacker could exploit this vulnerability by persuading a user to access a malicious link. A successful exploit could allow the attacker to conduct a reflected XSS attack through an affected device. | |||||
| CVE-2026-3034 | 2026-03-05 | N/A | 6.4 MEDIUM | ||
| The OoohBoi Steroids for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _ob_spacerat_link, _ob_bbad_link, and _ob_teleporter_link URL parameters in all versions up to, and including, 2.1.24. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user clicks on the injected element. | |||||
| CVE-2025-66024 | 2026-03-05 | N/A | N/A | ||
| The XWiki blog application allows users of the XWiki platform to create and manage blog posts. Versions prior to 9.15.7 are vulnerable to Stored Cross-Site Scripting (XSS) via the Blog Post Title. The vulnerability arises because the post title is injected directly into the HTML <title> tag without proper escaping. An attacker with permissions to create or edit blog posts can inject malicious JavaScript into the title field. This script will execute in the browser of any user (including administrators) who views the blog post. This leads to potential session hijacking or privilege escalation. The vulnerability has been patched in the blog application version 9.15.7 by adding missing escaping. No known workarounds are available. | |||||
| CVE-2026-2365 | 2026-03-05 | N/A | 7.2 HIGH | ||
| The Fluent Forms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fluentform_step_form_save_data` AJAX action in all versions up to, and including, 6.1.17. This is due to the draft form submission endpoint being publicly accessible without authentication or nonce verification, combined with insufficient input sanitization and output escaping of form field data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views a partial form entry. | |||||
| CVE-2026-28108 | 2026-03-05 | N/A | 7.1 HIGH | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup LambertGroup - AllInOne - Banner with Thumbnails all-in-one-thumbnailsBanner allows Reflected XSS.This issue affects LambertGroup - AllInOne - Banner with Thumbnails: from n/a through <= 3.8. | |||||