Total
42100 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-0410 | 1 Qwik | 1 Qwik | 2026-03-13 | N/A | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Generic in GitHub repository builderio/qwik prior to 0.1.0-beta5. | |||||
| CVE-2026-25737 | 1 Budibase | 1 Budibase | 2026-03-13 | N/A | 8.9 HIGH |
| Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.24.0 and earlier, an arbitrary file upload vulnerability exists even though file extension restrictions are configured. The restriction is enforced only at the UI level. An attacker can bypass these restrictions and upload malicious files. | |||||
| CVE-2026-31868 | 1 Parseplatform | 1 Parse-server | 2026-03-13 | N/A | 6.1 MEDIUM |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.4 and 8.6.30, an attacker can upload a file with a file extension or content type that is not blocked by the default configuration of the Parse Server fileUpload.fileExtensions option. The file can contain malicious code, for example JavaScript in an SVG or XHTML file. When the file is accessed via its URL, the browser renders the file and executes the malicious code in the context of the Parse Server domain. This is a stored Cross-Site Scripting (XSS) vulnerability that can be exploited to steal session tokens, redirect users, or perform actions on behalf of other users. Affected file extensions and content types include .svgz, .xht, .xml, .xsl, .xslt, and content types application/xhtml+xml and application/xslt+xml for extensionless uploads. Uploading of .html, .htm, .shtml, .xhtml, and .svg files was already blocked. This vulnerability is fixed in 9.6.0-alpha.4 and 8.6.30. | |||||
| CVE-2026-3455 | 1 Nodemailer | 1 Mailparser | 2026-03-13 | N/A | 6.1 MEDIUM |
| Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml() function due to the improper sanitisation of URLs in the email content. An attacker can execute arbitrary scripts in victim browsers by adding extra quote " to the URL with embedded malicious JavaScript code. | |||||
| CVE-2026-31879 | 1 Frappe | 1 Frappe | 2026-03-13 | N/A | 5.4 MEDIUM |
| Frappe is a full-stack web application framework. Prior to 14.100.2, 15.101.0, and 16.10.0, due to a lack of validation and improper permission checks, users could modify other user's private workspaces. Specially crafted requests could lead to stored XSS here. This vulnerability is fixed in 14.100.2, 15.101.0, and 16.10.0. | |||||
| CVE-2026-26144 | 1 Microsoft | 1 365 Apps | 2026-03-13 | N/A | 7.5 HIGH |
| Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network. | |||||
| CVE-2025-70060 | 1 Ymfe | 1 Yapi | 2026-03-13 | N/A | 5.4 MEDIUM |
| An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in YMFE yapi v1.12.0. | |||||
| CVE-2025-70038 | 1 Linagora | 1 Twake | 2026-03-13 | N/A | 8.8 HIGH |
| An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in linagora Twake v2023.Q1.1223. This allows attackers to execute arbitrary code. | |||||
| CVE-2026-32139 | 1 Dataease | 1 Dataease | 2026-03-13 | N/A | 5.4 MEDIUM |
| Dataease is an open source data visualization analysis tool. In DataEase 2.10.19 and earlier, the static resource upload interface allows SVG uploads. However, backend validation only checks whether the XML is parseable and whether the root node is svg. It does not sanitize active content such as onload/onerror event handlers or script-capable attributes. As a result, an attacker can upload a malicious SVG and then trigger script execution in a browser by visiting the exposed static resource URL, forming a full stored XSS exploitation chain. This vulnerability is fixed in 2.10.20. | |||||
| CVE-2026-32109 | 1 9001 | 1 Copyparty | 2026-03-13 | N/A | 3.7 LOW |
| Copyparty is a portable file server. Prior to 1.20.12, if an attacker has been given both read- and write-permissions to the server, they can upload a malicious file with the filename .prologue.html and then craft a link to potentially execute arbitrary JavaScript in the victim's context. Note that it is intended behavior that the JavaScript would execute if the target clicks a link to the HTML file itself; "https://example.com/foo/.prologue.html". The vulnerability is that "https://example.com/foo/?b" would also evaluate the file, making the behavior unexpected. There are existing preventative measures (strict SameSite cookies) which makes it harder to leverage this vulnerability in an attack; in order to gain control of the target's authenticated session, the link must be clicked from a page served by the server itself -- most likely by editing an existing resource, which would require additional access permissions. Finally, for this attack to be successful, the attacker's target must click the specific crafted link given by the attacker. This vulnerability is not activated by normally browsing the web-UI on the server. This vulnerability is fixed in 1.20.12. | |||||
| CVE-2026-32118 | 1 Open-emr | 1 Openemr | 2026-03-13 | N/A | 5.4 MEDIUM |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, stored cross-site scripting (XSS) in the Graphical Pain Map ("clickmap") form allows any authenticated clinician to inject arbitrary JavaScript that executes in the browser of every subsequent user who views the affected encounter form. Because session cookies are not marked HttpOnly, this enables full session hijacking of other users, including administrators. This vulnerability is fixed in 8.0.0.1. | |||||
| CVE-2026-32121 | 1 Open-emr | 1 Openemr | 2026-03-13 | N/A | 7.7 HIGH |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, Stored XSS in prescription CSS/HTML print view via patient demographics. That finding involves server-side rendering of patient names via raw PHP echo. This finding involves client-side DOM-based rendering via jQuery .html() in a completely different component (portal/sign/assets/signer_api.js). The two share the same root cause (unsanitized patient names in patient_data), but they have different sinks, different affected components, different trigger actions, and require independent fixes. This vulnerability is fixed in 8.0.0.1. | |||||
| CVE-2026-32124 | 1 Open-emr | 1 Openemr | 2026-03-13 | N/A | 5.4 MEDIUM |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, the dynamic code picker AJAX endpoint returns code descriptions (code_text) that are rendered in the front end (e.g. DataTables) without HTML escaping. If an administrator (or user with code management rights) creates or edits a code with a malicious description containing script, that script runs in the browser of every user who uses the picker. This vulnerability is fixed in 8.0.0.1. | |||||
| CVE-2026-32125 | 1 Open-emr | 1 Openemr | 2026-03-13 | N/A | 5.4 MEDIUM |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, track/item names from the Track Anything feature are stored from user input (POST) and later rendered in Dygraph charts (titles/labels) using innerHTML or equivalent without escaping. A user who can create or edit Track Anything items can inject script that runs when any user views the corresponding graph. This vulnerability is fixed in 8.0.0.1. | |||||
| CVE-2026-30862 | 1 Appsmith | 1 Appsmith | 2026-03-13 | N/A | 9.0 CRITICAL |
| Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.96, a Critical Stored XSS vulnerability exists in the Table Widget (TableWidgetV2). The root cause is a lack of HTML sanitization in the React component rendering pipeline, allowing malicious attributes to be interpolated into the DOM. By leveraging the "Invite Users" feature, an attacker with a regular user account (user@gmail.com) can force a System Administrator to execute a high-privileged API call (/api/v1/admin/env), resulting in a Full Administrative Account Takeover. This vulnerability is fixed in 1.96. | |||||
| CVE-2026-3721 | 1 Lab1024 | 1 Smartadmin | 2026-03-13 | 4.0 MEDIUM | 3.5 LOW |
| A weakness has been identified in 1024-lab/lab1024 SmartAdmin up to 3.29. The affected element is an unknown function of the file sa-base/src/main/java/net/lab1024/sa/base/module/support/helpdoc/domain/form/HelpDocAddForm.java of the component Help Documentation Module. This manipulation causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-30918 | 1 Facilemanager | 1 Facilemanager | 2026-03-13 | N/A | 7.6 HIGH |
| facileManager is a modular suite of web apps built with the sysadmin in mind. Prior to 6.0.4 , a reflected XSS occurs when an application receives data from an untrusted source and uses it in its HTTP responses in a way that could lead to vulnerabilities. It is possible to inject malicious JavaScript code into a URL by adding a script in a parameter. This vulnerability was found in the fmDNS module. The parameter that is vulnerable to an XSS attack is log_search_query. This vulnerability is fixed in 6.0.4. | |||||
| CVE-2026-30919 | 1 Facilemanager | 1 Facilemanager | 2026-03-13 | N/A | 7.6 HIGH |
| facileManager is a modular suite of web apps built with the sysadmin in mind. Prior to 6.0.4 , stored XSS (also known as persistent or second-order XSS) occurs when an application receives data from an untrusted source and includes that data in its subsequent HTTP responses in an unsafe manner. This vulnerability was found in the fmDNS module. This vulnerability is fixed in 6.0.4. | |||||
| CVE-2026-23525 | 1 Fit2cloud | 1 1panel | 2026-03-13 | N/A | 6.4 MEDIUM |
| 1Panel is an open-source, web-based control panel for Linux server management. A stored Cross-Site Scripting (XSS) vulnerability exists in the 1Panel App Store when viewing application details. Malicious scripts can execute in the context of the user’s browser, potentially compromising session data or sensitive system interfaces. All versions of 1Panel up to and including v1.10.33-lts and v2.0.16 are affected. An attacker could publish a malicious application that, when loaded by users (locally or remotely), can execute arbitrary scripts. This may result in theft of user cookies, unauthorized access to system functions, or other actions that compromise the confidentiality, integrity, and availability of the system. The vulnerability is caused by insufficient sanitization of content rendered by the MdEditor component with the `previewOnly` attribute enabled. Specifically, the App Store renders application README content without proper XSS protection, allowing script execution during content rendering; and similar issues exist in system upgrade-related components, which can be fixed by implementing proper XSS sanitization in the MdEditor component. These vulnerabilities can be mitigated by applying proper XSS protection and sanitization when rendering content in the MdEditor component. Safe versions with a patch incorporated are v1.10.34-lts and v2.0.17. | |||||
| CVE-2026-1090 | 1 Gitlab | 1 Gitlab | 2026-03-13 | N/A | 8.7 HIGH |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user, when the `markdown_placeholders` feature flag was enabled, to inject JavaScript in a browser due to improper sanitization of placeholder content in markdown processing. | |||||