Total
37718 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-42094 | 1 Backdropcms | 1 Backdrop | 2025-04-29 | N/A | 4.8 MEDIUM |
| Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the 'Card' content. | |||||
| CVE-2022-41706 | 1 Spatie | 1 Browsershot | 2025-04-29 | N/A | 8.2 HIGH |
| Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the URL protocol passed to the Browsershot::url method. | |||||
| CVE-2022-41445 | 1 Teacher Record Management System Project | 1 Teacher Record Management System | 2025-04-29 | N/A | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Record Management System using CodeIgniter 1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Add Subject page. | |||||
| CVE-2021-37936 | 1 Elastic | 1 Kibana | 2025-04-29 | N/A | 5.4 MEDIUM |
| It was discovered that Kibana was not sanitizing document fields containing HTML snippets. Using this vulnerability, an attacker with the ability to write documents to an elasticsearch index could inject HTML. When the Discover app highlighted a search term containing the HTML, it would be rendered for the user. | |||||
| CVE-2024-13884 | 1 Rivercitygraphix | 1 Limit Bio | 2025-04-29 | N/A | 7.1 HIGH |
| The Limit Bio WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2024-13885 | 1 Webtechglobal | 1 Wp E-customers Beta | 2025-04-29 | N/A | 7.1 HIGH |
| The WP e-Customers Beta WordPress plugin through 0.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||
| CVE-2024-13891 | 1 Scheduler | 1 Schedule | 2025-04-29 | N/A | 7.1 HIGH |
| The Schedule WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2025-1401 | 1 S-a | 1 Wp Click Info | 2025-04-29 | N/A | 7.1 HIGH |
| The WP Click Info WordPress plugin through 2.7.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2022-45225 | 1 Book Store Management System Project | 1 Book Store Management System | 2025-04-29 | N/A | 6.1 MEDIUM |
| Book Store Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /bsms_ci/index.php/book. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the book_title parameter. | |||||
| CVE-2022-45017 | 1 Wbce | 1 Wbce Cms | 2025-04-29 | N/A | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the Overview Page settings module of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Post Loop field. | |||||
| CVE-2022-45016 | 1 Wbce | 1 Wbce Cms | 2025-04-29 | N/A | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the Search Settings module of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Footer field. | |||||
| CVE-2022-43709 | 1 Mybb | 1 Mybb | 2025-04-29 | N/A | 4.9 MEDIUM |
| MyBB 1.8.31 has a SQL injection vulnerability in the Admin CP's Users module allows remote authenticated users to modify the query string via direct user input or stored search filter settings. | |||||
| CVE-2025-29526 | 2025-04-29 | N/A | 6.1 MEDIUM | ||
| A Cross-Site Scripting (XSS) vulnerability in the search function of Q4 Inc Investor Relations Platform v5.147.1.2 allows attackers to execute arbitrary Javascript via injecting a crafted payload into the SearchTerm parameter. | |||||
| CVE-2025-2543 | 2025-04-29 | N/A | 6.4 MEDIUM | ||
| The Advanced Accordion Gutenberg Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | |||||
| CVE-2025-3435 | 2025-04-29 | N/A | 4.4 MEDIUM | ||
| The Mang Board WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the board_header and board_footer parameters in all versions up to, and including, 1.8.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | |||||
| CVE-2025-2579 | 2025-04-29 | N/A | 6.4 MEDIUM | ||
| The Lottie Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via File uploads in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the uploaded file. | |||||
| CVE-2025-3832 | 2025-04-29 | N/A | 6.4 MEDIUM | ||
| The FuseDesk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘successredirect’ parameter in all versions up to, and including, 6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-46542 | 2025-04-29 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeXpert Xpert Tab allows Stored XSS. This issue affects Xpert Tab: from n/a through 1.3. | |||||
| CVE-2025-46480 | 2025-04-29 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Padam Shankhadev Nepali Post Date allows Stored XSS. This issue affects Nepali Post Date: from n/a through 5.1.1. | |||||
| CVE-2025-46538 | 2025-04-29 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webplanetsoft Inline Text Popup allows DOM-Based XSS. This issue affects Inline Text Popup: from n/a through 1.0.0. | |||||