Total
44422 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-34212 | 1 Docmost | 1 Docmost | 2026-04-22 | N/A | 5.4 MEDIUM |
| Docmost is open-source collaborative wiki and documentation software. In versions prior to 0.71.0, improper neutralization of attachment URLs in Docmost allows a low-privileged authenticated user to store a malicious `javascript:` URL inside an attachment node in page content. When another user views the page and activates the attachment link/icon, attacker-controlled JavaScript executes in the context of the Docmost origin. Version 0.71.0 patches the issue. | |||||
| CVE-2026-40565 | 1 Freescout | 1 Freescout | 2026-04-22 | N/A | 6.1 MEDIUM |
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's linkify() function in app/Misc/Helper.php converts plain-text URLs in email bodies into HTML anchor tags without escaping double-quote characters (") in the URL. HTMLPurifier (called first via getCleanBody()) preserves literal " characters in text nodes. linkify() then wraps URLs including those " chars inside an unescaped href="..." attribute, breaking out of the href and injecting arbitrary HTML attributes. Version 1.8.213 fixes the issue. | |||||
| CVE-2026-32963 | 1 Silextechnology | 3 Amc Manager, Sd-330ac, Sd-330ac Firmware | 2026-04-22 | N/A | 6.1 MEDIUM |
| SD-330AC and AMC Manager provided by silex technology, Inc. contain a reflected cross-site scripting vulnerability. When a user logs in to the affected device and access some crafted web page, arbitrary script may be executed on the user's browser. | |||||
| CVE-2026-23891 | 1 Decidim | 1 Decidim | 2026-04-22 | N/A | 8.7 HIGH |
| Decidim is a participatory democracy framework. In versions below 0.30.5 and 0.31.0.rc1 through 0.31.0, a stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a comment page, resulting in high confidentiality and integrity impact across security boundaries. This issue has been fixed in versions 0.30.5 and 0.31.1. | |||||
| CVE-2026-6779 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-22 | N/A | 5.3 MEDIUM |
| Other issue in the JavaScript Engine component. This vulnerability was fixed in Firefox 150 and Thunderbird 150. | |||||
| CVE-2026-4369 | 1 Autodesk | 1 Fusion | 2026-04-22 | N/A | 7.1 HIGH |
| A maliciously crafted HTML payload in an assembly variant name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process. | |||||
| CVE-2026-4345 | 1 Autodesk | 1 Fusion | 2026-04-22 | N/A | 7.1 HIGH |
| A maliciously crafted HTML payload, stored in a design name and exported to CSV, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process. | |||||
| CVE-2026-4344 | 1 Autodesk | 1 Fusion | 2026-04-22 | N/A | 7.1 HIGH |
| A maliciously crafted HTML payload in a component name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process. | |||||
| CVE-2026-30812 | 1 Artica | 1 Pandora Fms | 2026-04-22 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation vulnerability allows Stored Cross-Site Scripting via event comments. This issue affects Pandora FMS: from 777 through 800 | |||||
| CVE-2026-3466 | 1 Checkmk | 1 Checkmk | 2026-04-22 | N/A | 5.4 MEDIUM |
| Insufficient sanitization of dashboard dashlet title links in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0 allows an attacker with dashboard creation privileges to perform stored cross-site scripting (XSS) attacks by tricking a victim into clicking a crafted dashlet title link on a shared dashboard. | |||||
| CVE-2026-35169 | 1 Mcgill | 1 Loris | 2026-04-21 | N/A | 8.7 HIGH |
| LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From to before 27.0.3 and 28.0.1, the help_editor module of LORIS did not properly sanitize some user supplied variables which could result in a reflected cross-site scripting attack if a user is tricked into following an invalid link. The same input vector could also allow an attacker to download arbitrary markdown files on an unpatched server. This vulnerability is fixed in 27.0.3 and 28.0.1. | |||||
| CVE-2026-35403 | 1 Mcgill | 1 Loris | 2026-04-21 | N/A | 6.5 MEDIUM |
| LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 15.10 to before 27.0.3 and 28.0.1, there is a potential for a cross-site scripting attack in the survey_accounts module if a user provides an invalid visit label. While the data is properly JSON encoded, the Content-Type header is not set causing the web browser to interpret the payload as HTML, opening the possibility of a cross-site scripting if a user is tricked into following an invalid link. This vulnerability is fixed in 27.0.3 and 28.0.1. | |||||
| CVE-2025-69993 | 1 Leafletjs | 1 Leaflet | 2026-04-21 | N/A | 6.1 MEDIUM |
| Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup() method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes (e.g., <img src=x onerror="alert('XSS')">). When a victim views an affected map popup, the malicious script executes in the context of the victim's browser session. | |||||
| CVE-2026-39390 | 1 Ci4-cms-erp | 1 Ci4ms | 2026-04-21 | N/A | 5.5 MEDIUM |
| CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Google Maps iframe setting (cMap field) in compInfosPost() sanitizes input using strip_tags() with an <iframe> allowlist and regex-based removal of on\w+ event handlers. However, the srcdoc attribute is not an event handler and passes all filters. An attacker with admin settings access can inject an <iframe srcdoc="..."> payload with HTML-entity-encoded JavaScript that executes in the context of the parent page when rendered to unauthenticated frontend visitors. This vulnerability is fixed in 0.31.4.0. | |||||
| CVE-2026-24907 | 1 Octobercms | 1 October | 2026-04-21 | N/A | 5.4 MEDIUM |
| October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the Event Log mail preview feature. When viewing logged mail messages, HTML content was rendered in an iframe without proper sandboxing, allowing JavaScript execution in the viewer's browser context. This issue has been fixed in versions 3.7.14 and 4.1.10. If users are unable to update immediately, workarounds include restricting mail template editing permissions to fully trusted administrators only and restricting Event Log viewing permissions to minimize exposure. | |||||
| CVE-2026-24906 | 1 Octobercms | 1 October | 2026-04-21 | N/A | 5.4 MEDIUM |
| October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting (XSS) vulnerability in the Backend Editor Settings. The Markup Classes fields (used for paragraph styles, inline styles, table styles, etc.) did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala editor dropdown menus, allowing JavaScript execution when any user opened a RichEditor. Exploitation could lead to privilege escalation if a superuser opens any RichEditor during routine content editing (e.g., editing a blog post), and requires authenticated backend access with editor settings permissions. This issue has been fixed in versions 3.7.14 and 4.1.10. To workaround this issue, restrict editor settings permissions to fully trusted administrators only | |||||
| CVE-2026-39812 | 1 Fortinet | 2 Fortisandbox, Fortisandbox Cloud | 2026-04-21 | N/A | 4.8 MEDIUM |
| A improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox PaaS 5.0.0 through 5.0.5, FortiSandbox PaaS 4.4.0 through 4.4.8, FortiSandbox PaaS 4.2 all versions may allow attacker to execute unauthorized code or commands via <insert attack vector here> | |||||
| CVE-2026-2737 | 1 Progress | 1 Flowmon | 2026-04-21 | N/A | 6.1 MEDIUM |
| A vulnerability exists in Progress Flowmon versions prior to 12.5.8 and 13.0.6, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session. | |||||
| CVE-2026-33978 | 1 Streetwriters | 1 Notesnook Mobile | 2026-04-21 | N/A | 5.4 MEDIUM |
| Notesnook is a note-taking app focused on user privacy & ease of use. Prior to version 3.3.17, a stored XSS vulnerability exists in the mobile share / web clip flow because attacker-controlled clip metadata is concatenated into HTML without escaping and then rendered with innerHTML inside the mobile share editor WebView. An attacker can control the shared title metadata (for example through Android/iOS share metadata such as TITLE / SUBJECT, or through link-preview title data) and inject HTML such as </a><img src=x onerror=...>. When the victim opens the Notesnook share flow and selects Web clip, the payload is inserted into the generated HTML and executed in the mobile editor WebView. This issue has been patched in version 3.3.17. | |||||
| CVE-2026-40284 | 2026-04-20 | N/A | 6.8 MEDIUM | ||
| WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript via the "Destinatário" field. The payload is stored and later executed when viewing the dispatch page, impacting other users. Version 3.6.10 fixes the issue. | |||||