Total
41128 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-25154 | 2026-01-30 | N/A | 6.1 MEDIUM | ||
| LocalSend is a free, open-source app that allows users to share files and messages with nearby devices over their local network without needing an internet connection. In versions up to and including 1.17.0, when a user initiates a "Share via Link" session, the LocalSend application starts a local HTTP server to host the selected files. The client-side logic for this web interface is contained in `app/assets/web/main.js`. Note that at [0], the `handleFilesDisplay` function constructs the HTML for the file list by iterating over the files received from the server. Commit 8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c contains a patch. | |||||
| CVE-2026-1705 | 2026-01-30 | 3.3 LOW | 2.4 LOW | ||
| A vulnerability was detected in D-Link DSL-6641K N8.TR069.20131126. Affected by this issue is the function ad_virtual_server_vdsl of the component Web Interface. Performing a manipulation of the argument Name results in cross site scripting. It is possible to initiate the attack remotely. The exploit is now public and may be used. | |||||
| CVE-2020-36993 | 1 Limesurvey | 1 Limesurvey | 2026-01-30 | N/A | 6.4 MEDIUM |
| LimeSurvey 4.3.10 contains a stored cross-site scripting vulnerability in the Survey Menu functionality of the administration panel. Attackers can inject malicious SVG scripts through the Surveymenu[title] and Surveymenu[parent_id] parameters to execute arbitrary JavaScript in administrative contexts. | |||||
| CVE-2025-27924 | 1 Nintex | 1 Automation | 2026-01-30 | N/A | 5.4 MEDIUM |
| Nintex Automation 5.6 and 5.7 before 5.8 has a stored XSS issue associated with the "Navigate to a URL" action. | |||||
| CVE-2024-24506 | 1 Limesurvey | 1 Limesurvey | 2026-01-30 | N/A | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in Lime Survey Community Edition Version v.5.3.32+220817, allows remote attackers to execute arbitrary code via the Administrator email address parameter in the General Setting function. | |||||
| CVE-2023-33940 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2026-01-30 | N/A | 4.8 MEDIUM |
| Cross-site scripting (XSS) vulnerability in IFrame type Remote Apps in Liferay Portal 7.4.0 through 7.4.3.30, and Liferay DXP 7.4 before update 31 allows remote attackers to inject arbitrary web script or HTML via the Remote App's IFrame URL. | |||||
| CVE-2023-33939 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2026-01-30 | N/A | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal 7.1.0 through 7.4.3.12, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 18, 7.3 before update 4, and 7.4 before update 9 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a facet label. | |||||
| CVE-2023-33944 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2026-01-30 | N/A | 4.8 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Layout module in Liferay Portal 7.3.4 through 7.4.3.68, and Liferay DXP 7.3 before update 24, and 7.4 before update 69 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a container type layout fragment's `URL` text field. | |||||
| CVE-2023-33943 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2026-01-30 | N/A | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Account module in Liferay Portal 7.4.3.21 through 7.4.3.62, and Liferay DXP 7.4 update 21 through 62 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user's (1) First Name, (2) Middle Name, (3) Last Name, or (4) Job Title text field. | |||||
| CVE-2025-13505 | 1 Datateam | 1 Datactive | 2026-01-30 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting'), Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Datateam Information Technologies Inc. Datactive allows Stored XSS.This issue affects Datactive: from 2.13.34 before 2.14.0.6. | |||||
| CVE-2023-50836 | 1 Linksoftwarellc | 1 Html Forms | 2026-01-30 | N/A | 5.9 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ibericode HTML Forms allows Stored XSS.This issue affects HTML Forms: from n/a through 1.3.28. | |||||
| CVE-2024-6243 | 1 Linksoftwarellc | 1 Html Forms | 2026-01-30 | N/A | 4.8 MEDIUM |
| The HTML Forms WordPress plugin before 1.3.33 does not sanitize and escape the form message inputs, allowing high-privilege users, such as administrators, to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disabled. | |||||
| CVE-2025-46236 | 1 Linksoftwarellc | 1 Html Forms | 2026-01-30 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Link Software LLC HTML Forms allows Stored XSS. This issue affects HTML Forms: from n/a through 1.5.2. | |||||
| CVE-2026-21642 | 1 Aquaplatform | 1 Revive Adserver | 2026-01-30 | N/A | 6.1 MEDIUM |
| HackerOne community member Patrick Lang (7yr) has reported a reflected XSS vulnerability in the `banner-acl.php` and `channel-acl.php` scripts of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed. | |||||
| CVE-2025-67263 | 1 Abacre | 1 Retail Point Of Sale | 2026-01-30 | N/A | 6.1 MEDIUM |
| Abacre Retail Point of Sale 14.0.0.396 is affected by a stored cross-site scripting (XSS) vulnerability in the Clients module. The application fails to properly sanitize user-supplied input stored in the Name and Surname fields. An attacker can insert malicious HTML or script content into these fields, which, persisted in the database. | |||||
| CVE-2021-47768 | 1 Cleidigh | 1 Importexporttools Ng | 2026-01-30 | N/A | 6.1 MEDIUM |
| ImportExportTools NG 10.0.4 contains a persistent HTML injection vulnerability in the email export module that allows remote attackers to inject malicious HTML payloads. Attackers can send emails with crafted HTML in the subject that execute during HTML export, potentially compromising user data or session credentials. | |||||
| CVE-2026-20075 | 1 Cisco | 2 Evolved Programmable Network Manager, Prime Infrastructure | 2026-01-30 | N/A | 4.8 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against users of the interface of an affected system. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by inserting malicious code into specific data fields in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, an attacker must have valid administrative credentials. | |||||
| CVE-2026-20076 | 1 Cisco | 1 Identity Services Engine | 2026-01-30 | N/A | 4.8 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials. | |||||
| CVE-2025-67025 | 1 Anycomment | 1 Anycomment.io | 2026-01-30 | N/A | 6.1 MEDIUM |
| Cross Site Scripting vulnerability in Anycomment anycomment.io 0.4.4 allows a remote attacker to execute arbitrary code via the Anycomment comment section | |||||
| CVE-2025-63045 | 1 Averta | 1 Master Slider Pro | 2026-01-30 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in averta Master Slider Pro masterslider allows DOM-Based XSS.This issue affects Master Slider Pro: from n/a through <= 3.7.12. | |||||