Total
42158 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-38106 | 1 Solarwinds | 1 Serv-u | 2026-02-25 | N/A | 5.4 MEDIUM |
| This vulnerability happens in the web client versions 15.3.0 to Serv-U 15.3.1. This vulnerability affects the directory creation function. | |||||
| CVE-2022-35226 | 1 Sap | 1 Data Services | 2026-02-25 | N/A | 6.1 MEDIUM |
| SAP Data Services Management allows an attacker to copy the data from a request and echoed into the application's immediate response, it will lead to a Cross-Site Scripting vulnerability. The attacker would have to log in to the management console to perform such as an attack, only few of the pages are vulnerable in the DS management console. | |||||
| CVE-2026-27822 | 1 Rustfs | 1 Rustfs | 2026-02-25 | N/A | 9.0 CRITICAL |
| RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.83, a Stored Cross-Site Scripting (XSS) vulnerability in the RustFS Console allows an attacker to execute arbitrary JavaScript in the context of the management console. By bypassing the PDF preview logic, an attacker can steal administrator credentials from `localStorage`, leading to full account takeover and system compromise. Version 1.0.0-alpha.83 fixes the issue. | |||||
| CVE-2026-21483 | 1 Nadh | 1 Listmonk | 2026-02-25 | N/A | 5.4 MEDIUM |
| listmonk is a standalone, self-hosted, newsletter and mailing list manager. Prior to version 6.0.0, lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, the XSS executes in their browser context, allowing the attacker to perform privileged actions such as creating backdoor admin accounts. The attack can be weaponized via the public archive feature, where victims simply need to visit a link - no preview click required. Version 6.0.0 fixes the issue. | |||||
| CVE-2026-2972 | 1 A466350665 | 1 Smart-sso | 2026-02-25 | 3.3 LOW | 2.4 LOW |
| A vulnerability was determined in a466350665 Smart-SSO up to 2.1.1. This affects the function Save of the file smart-sso-server/src/main/java/openjoe/smart/sso/server/controller/admin/UserController.java of the component Role Edit Page. Executing a manipulation can lead to cross site scripting. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-2971 | 1 A466350665 | 1 Smart-sso | 2026-02-25 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in a466350665 Smart-SSO up to 2.1.1. Affected by this issue is some unknown functionality of the file smart-sso-server/src/main/resources/templates/login.html of the component Login. Performing a manipulation of the argument redirectUri results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-30754 | 1 Wpfoxly | 1 Adfoxly | 2026-02-25 | N/A | 7.1 HIGH |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in AdFoxly AdFoxly – Ad Manager, AdSense Ads & Ads.Txt plugin <= 1.8.5 versions. | |||||
| CVE-2026-24045 | 1 Docmost | 1 Docmost | 2026-02-25 | N/A | 7.3 HIGH |
| Docmost is open-source collaborative wiki and documentation software. From g and before 0.25.0, the public share page functionality in Docmost does not properly HTML-escape page titles before inserting them into meta tags and the title tag. This allows Stored Cross-Site Scripting (XSS) attacks, where an attacker can execute arbitrary JavaScript in the context of any user who opens a shared page link. This vulnerability is fixed in 0.25.0. | |||||
| CVE-2015-9354 | 1 Tri | 1 Gigpress | 2026-02-25 | 3.5 LOW | 4.8 MEDIUM |
| The gigpress plugin before 2.3.11 for WordPress has XSS. | |||||
| CVE-2026-23858 | 1 Dell | 1 Wyse Management Suite | 2026-02-25 | N/A | 5.4 MEDIUM |
| Dell Wyse Management Suite, versions prior to WMS 5.5, contain an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Script Injection. | |||||
| CVE-2026-25642 | 1 Hedgedoc | 1 Hedgedoc | 2026-02-25 | N/A | 4.3 MEDIUM |
| HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to 1.10.6, files served below the /uploads/ endpoint did not use a more strict security-policy. This resulted in a too open Content-Security-Policy and furthermore opened the possibility to host malicious interactive web content (such as fake login forms) using SVG files. This vulnerability is fixed in 1.10.6. | |||||
| CVE-2026-2367 | 2026-02-25 | N/A | 6.4 MEDIUM | ||
| The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ays_block' shortcode in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2026-1614 | 2026-02-25 | N/A | 6.4 MEDIUM | ||
| The Rise Blocks – A Complete Gutenberg Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘logoTag’ Site Identity block attribute in all versions up to, and including, 3.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2026-25543 | 1 Htmlsanitizer Project | 1 Htmlsanitizer | 2026-02-24 | N/A | 6.1 MEDIUM |
| HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. Prior to versions 9.0.892 and 9.1.893-beta, if the template tag is allowed, its contents are not sanitized. The template tag is a special tag that does not usually render its contents, unless the shadowrootmode attribute is set to open or closed. This issue has been patched in versions 9.0.892 and 9.1.893-beta. | |||||
| CVE-2025-13523 | 1 Mattermost | 1 Confluence | 2026-02-24 | N/A | 7.7 HIGH |
| Mattermost Confluence plugin version <1.7.0 fails to properly escape user-controlled display names in HTML template rendering which allows authenticated Confluence users with malicious display names to execute arbitrary JavaScript in victim browsers via sending a specially crafted OAuth2 connection link that, when visited, renders the attacker's display name without proper sanitization. Mattermost Advisory ID: MMSA-2025-00557 | |||||
| CVE-2026-3070 | 1 Remyandrade | 1 Modern Image Gallery App | 2026-02-24 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was detected in SourceCodester Modern Image Gallery App 1.0. Affected by this vulnerability is an unknown functionality of the file upload.php. The manipulation of the argument filename results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used. | |||||
| CVE-2026-25647 | 1 B3log | 1 Siyuan | 2026-02-24 | N/A | 4.6 MEDIUM |
| Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier (as used in SiYuan before) has a Stored Cross-Site Scripting (XSS) vulnerability in the Markdown rendering engine. An attacker can inject malicious JavaScript into a Markdown text/note. When another user clicks the rendered content, the script executes in the context of their session. | |||||
| CVE-2022-3194 | 1 Dokan | 1 Dokan | 2026-02-24 | N/A | 5.4 MEDIUM |
| The Dokan WordPress plugin before 3.6.4 allows vendors to inject arbitrary javascript in product reviews, which may allow them to run stored XSS attacks against other users like site administrators. | |||||
| CVE-2026-1769 | 2 Microsoft, Xerox | 2 Windows, Centreware Web | 2026-02-24 | N/A | 5.3 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Xerox CentreWare on Windows allows Stored XSS.This issue affects CentreWare: through 7.0.6. Consider upgrading Xerox® CentreWare Web® to v7.2.2.25 via the software available on Xerox.com | |||||
| CVE-2026-24903 | 1 Algonet | 1 Orcastatllm Researcher | 2026-02-24 | N/A | 5.4 MEDIUM |
| OrcaStatLLM Researcher is an LLM Based Research Paper Generator. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Log Message in the Session Page in OrcaStatLLM-Researcher that allows attackers to inject and execute arbitrary JavaScript code in victims' browsers through malicious research topic inputs. | |||||