Total
43489 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-4544 | 1 Wavlink | 2 Wl-wn578w2, Wl-wn578w2 Firmware | 2026-04-30 | 3.3 LOW | 2.4 LOW |
| A vulnerability was determined in Wavlink WL-WN578W2 221110. This affects an unknown function of the file /cgi-bin/login.cgi of the component POST Request Handler. Executing a manipulation of the argument homepage/hostname/login_page can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-1493 | 2026-04-30 | N/A | N/A | ||
| LEX Baza Dokumentów is vulnerable to DOM-based XSS in "em" cookie parameter. The application unsafely processes the parameter on the client side, allowing an attacker to execute arbitrary JavaScript in the context of the victim's browser. An attacker with ability to set a cookie can perform a more severe attack, so we evaluate the impact and risk of exploitation as minimal. However, the vendor considered this a vulnerability and released a security patch. This issue was fixed in version 1.3.4. | |||||
| CVE-2026-42615 | 2026-04-30 | N/A | 7.2 HIGH | ||
| GCHQ CyberChef before 11.0.0 allows XSS via Show Base64 offsets, as demonstrated by the /#recipe=Show_Base64_offsets('%3Cscript substring. | |||||
| CVE-2026-42523 | 2026-04-30 | N/A | 9.0 CRITICAL | ||
| Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing validation of the feature "GitHub hook trigger for GITScm polling", resulting in a stored cross-site scripting (XSS) vulnerability exploitable by non-anonymous attackers with Overall/Read permission. | |||||
| CVE-2026-42524 | 2026-04-30 | N/A | 8.0 HIGH | ||
| Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2026-41430 | 1 Frappe | 1 Press | 2026-04-30 | N/A | 6.1 MEDIUM |
| Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). Redirect parameter on login page is vulnerable to reflected XSS. The patch in commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6 fixes the issue by restricting redirects to internal URLs only. | |||||
| CVE-2026-7026 | 1 Dlink | 2 Dgs-3420-28tc, Dgs-3420-28tc Firmware | 2026-04-30 | 6.1 MEDIUM | 4.5 MEDIUM |
| A vulnerability was determined in D-Link DGS-3420 1.50.018. This issue affects some unknown processing of the component System Information Settings Page. This manipulation of the argument System Name causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. | |||||
| CVE-2026-7027 | 1 Dlink | 2 Dsl-2740r, Dsl-2740r Firmware | 2026-04-30 | 3.3 LOW | 2.4 LOW |
| A vulnerability was identified in D-Link DSL-2740R EU_01.15. Impacted is an unknown function of the component Wireless Setup Section. Such manipulation of the argument Wireless Network Name leads to cross site scripting. The attack can be executed remotely. The exploit is publicly available and might be used. | |||||
| CVE-2018-25269 | 1 Icewarp | 1 Icewarp | 2026-04-29 | N/A | 6.1 MEDIUM |
| ICEWARP 11.0.0.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML elements into emails by embedding base64-encoded payloads in object and embed tags. Attackers can craft emails containing data URIs with embedded scripts that execute in the client when the email is viewed, compromising user sessions and stealing sensitive information. | |||||
| CVE-2026-37750 | 2026-04-29 | N/A | 6.1 MEDIUM | ||
| A reflected Cross-Site Scripting (XSS) vulnerability in School Management System by mahmoudai1 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim's browsers via the unsanitized type parameter in register.php. | |||||
| CVE-2026-2902 | 2026-04-29 | N/A | 6.1 MEDIUM | ||
| The WP Meteor Website Speed Optimization Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'frontend_rewrite' function's 'WPMETEOR[N]WPMETEOR' placeholder content in all versions up to, and including, 3.4.16 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2026-7390 | 2026-04-29 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability was detected in SourceCodester Pharmacy Sales and Inventory System 1.0. The impacted element is the function Customer of the file /index.php?page=customer. The manipulation of the argument Name results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used. | |||||
| CVE-2026-7401 | 2026-04-29 | 5.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability was detected in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This vulnerability affects unknown code of the file /index.php?action=register of the component Registration. The manipulation of the argument student_id/full_name/section/username results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used. | |||||
| CVE-2026-7296 | 2026-04-29 | 3.3 LOW | 2.4 LOW | ||
| A vulnerability was found in SourceCodester Pizzafy Ecommerce System 1.0. This affects the function save_order of the file /admin/ajax.php?action=save_order. Performing a manipulation of the argument first_name results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used. | |||||
| CVE-2026-7297 | 2026-04-29 | 3.3 LOW | 2.4 LOW | ||
| A vulnerability was determined in SourceCodester Pizzafy Ecommerce System 1.0. This vulnerability affects the function save_user of the file /admin/ajax.php?action=save_user. Executing a manipulation of the argument Name can lead to cross site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. | |||||
| CVE-2026-42652 | 2026-04-29 | N/A | 7.1 HIGH | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpeverest User Registration user-registration allows Reflected XSS.This issue affects User Registration: from n/a through <= 5.1.5. | |||||
| CVE-2026-42643 | 2026-04-29 | N/A | 5.9 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StellarWP Image Widget image-widget allows Stored XSS.This issue affects Image Widget: from n/a through <= 4.4.11. | |||||
| CVE-2026-40301 | 2026-04-29 | N/A | 4.7 MEDIUM | ||
| DOMSanitizer is a DOM/SVG/MathML Sanitizer for PHP 7.3+. Prior to version 1.0.10, DOMSanitizer::sanitize() allows <style> elements in SVG content but never inspects their text content. CSS url() references and @import rules pass through unfiltered, causing the browser to issue HTTP requests to attacker-controlled hosts when the sanitized SVG is rendered. Version 1.0.10 fixes the issue. | |||||
| CVE-2026-30913 | 2026-04-29 | N/A | 4.6 MEDIUM | ||
| Flarum is open-source forum software. When the flarum/nicknames extension is enabled, a registered user can set their nickname to a string that email clients interpret as a hyperlink. The nickname is inserted verbatim into plain-text notification emails, and recipients may be misled into visiting attacker-controlled domains. | |||||
| CVE-2026-41200 | 2026-04-29 | N/A | N/A | ||
| STIG Manager is an API and web client for managing Security Technical Implementation Guides (STIG) assessments of Information Systems. Versions 1.5.10 through 1.6.7 have a reflected Cross-Site Scripting (XSS) vulnerability in the OIDC authentication error handling code in `src/init.js` and `public/reauth.html`. During the OIDC redirect flow, the `error` and `error_description` query parameters returned by the OIDC provider are written directly to the DOM via `innerHTML` without HTML escaping. An attacker who can craft a malicious redirect URL and convince a user to follow it can execute arbitrary JavaScript in the application's origin context. The vulnerability is most severe when the targeted user has an active STIG Manager session running in another browser tab — injected code executes in the same origin and can communicate with the SharedWorker managing the active access token, enabling authenticated API requests on behalf of the victim including reading and modifying collection data. The vulnerability is patched in version 1.6.8. There is no workaround short of upgrading. Deployments behind a web application firewall that filters reflected XSS payloads in query parameters may have partial mitigation, but this is not a substitute for patching. | |||||