Total
42100 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-25529 | 2026-03-12 | N/A | 8.1 HIGH | ||
| Postal is an open source SMTP server. Postal versions less than 3.3.5 had a HTML injection vulnerability that allowed unescaped data to be included in the admin interface. The primary way for unescaped data to be added is via the API's "send/raw" method. This could allow arbitrary HTML to be injected in to the page which may modify the page in a misleading way or allow for unauthorised javascript to be executed. Fixed in 3.3.5 and higher. | |||||
| CVE-2026-2513 | 2026-03-12 | N/A | N/A | ||
| A vulnerability exists in Progress Flowmon ADS versions prior to 12.5.5 and 13.0.3, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session. | |||||
| CVE-2026-31873 | 2026-03-12 | N/A | N/A | ||
| Unhead is a document head and template manager. Prior to 2.1.11, The link.href check in makeTagSafe (safe.ts) uses String.includes(), which is case-sensitive. Browsers treat URI schemes case-insensitively. DATA:text/css,... is the same as data:text/css,... to the browser, but 'DATA:...'.includes('data:') returns false. An attacker can inject arbitrary CSS for UI redressing or data exfiltration via CSS attribute selectors with background-image callbacks. This vulnerability is fixed in 2.1.11. | |||||
| CVE-2026-27973 | 1 Audiobookshelf | 2 Audiobookshelf, Audiobookshelf Mobile App | 2026-03-12 | N/A | 4.0 MEDIUM |
| Audiobookshelf is a self-hosted audiobook and podcast server. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modification privileges can execute code in victim users' browsers/WebViews, potentially leading to session hijacking, data exfiltration, and unauthorized access to native device APIs. The issue is fixed in audiobookshelf-app version 0.12.0-beta, corresponding to audiobookshelf version 2.12.0. | |||||
| CVE-2026-27974 | 1 Audiobookshelf | 1 Audiobookshelf Mobile App | 2026-03-12 | N/A | 4.8 MEDIUM |
| Audiobookshelf is a self-hosted audiobook and podcast server. A cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modification privileges (or control over a malicious podcast RSS feed) can execute code in victim users' WebViews, potentially leading to session hijacking, data exfiltration, and unauthorized access to native device APIs. audiobookshelf-app version 0.12.0-beta fixes the issue. | |||||
| CVE-2025-70128 | 2026-03-12 | N/A | 6.1 MEDIUM | ||
| A Stored Cross-Site Scripting (XSS) vulnerability exists in the PluXml article comments feature for PluXml versions 5.8.22 and earlier. The application fails to properly sanitize or validate user-supplied input in the "link" field of a comment. An attacker can inject arbitrary JavaScript code using a <script> element. The injected payload is stored in the database and subsequently rendered in the Administration panel's "Comments" section when administrators review submitted comments. Importantly, the malicious script is not reflected in the public-facing comments interface, but only within the backend administration view. Alternatively, users of Administrator, Moderator, Manager roles can also directly input crafted payloads into existing comments. This makes the vulnerability a persistent XSS issue targeting administrative users. This affects /core/admin/comments.php, while CVE-2022-24585 affects /core/admin/comment.php, a uniquely distinct vulnerability. | |||||
| CVE-2019-25311 | 1 Kostasmitroglou | 1 Thesystem | 2026-03-12 | N/A | 6.4 MEDIUM |
| thesystem version 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through multiple server data input fields. Attackers can submit crafted script payloads in operating_system, system_owner, system_username, system_password, system_description, and server_name parameters to execute arbitrary JavaScript in victim browsers. | |||||
| CVE-2026-2266 | 1 Github | 1 Enterprise Server | 2026-03-12 | N/A | 5.4 MEDIUM |
| An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed DOM-based cross-site scripting via task list content. The task list content extraction logic did not properly re-encode browser-decoded text nodes before rendering, allowing user-supplied HTML to be injected into the page. An authenticated attacker could craft malicious task list items in issues or pull requests to execute arbitrary scripts in the context of another user's browser session. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.18.6 and 3.19.3. This vulnerability was reported via the GitHub Bug Bounty program. | |||||
| CVE-2026-23528 | 1 Anaconda | 1 Dask | 2026-03-12 | N/A | 6.1 MEDIUM |
| Dask distributed is a distributed task scheduler for Dask. Prior to 2026.1.0, when Jupyter Lab, jupyter-server-proxy, and Dask distributed are all run together, it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-side-scripting (XSS) bug in the Dask dashboard. It is possible for attackers to craft a phishing URL that assumes Jupyter Lab and Dask may be running on localhost and using default ports. If a user clicks on the malicious link it will open an error page in the Dask Dashboard via the Jupyter Lab proxy which will cause code to be executed by the default Jupyter Python kernel. This vulnerability is fixed in 2026.1.0. | |||||
| CVE-2026-22787 | 1 Ekoopmans | 1 Html2pdf.js | 2026-03-12 | N/A | 6.1 MEDIUM |
| html2pdf.js converts any webpage or element into a printable PDF entirely client-side. Prior to 0.14.0, html2pdf.js contains a cross-site scripting (XSS) vulnerability when given a text source rather than an element. This text is not sufficiently sanitized before being attached to the DOM, allowing malicious scripts to be run on the client browser and risking the confidentiality, integrity, and availability of the page's data. This vulnerability has been fixed in html2pdf.js@0.14.0. | |||||
| CVE-2026-22867 | 1 Lasuite | 1 Docs | 2026-03-12 | N/A | 8.7 HIGH |
| LaSuite Doc is a collaborative note taking, wiki and documentation platform. From 3.8.0 to 4.3.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Interlinking feature. When a user creates a link to another document within the editor, the URL of that link is not validated. An attacker with document editing privileges can inject a malicious javascript: URL that executes arbitrary code when other users click on the link. This vulnerability is fixed in 4.4.0. | |||||
| CVE-2026-26952 | 1 Pi-hole | 1 Web Interface | 2026-03-12 | N/A | 5.4 MEDIUM |
| Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.4 and below are vulnerable to stored HTML injection through the local DNS records configuration page, which allows an authenticated administrator to inject code that is stored in the Pi-hole configuration and rendered every time the DNS records table is viewed. The populateDataTable() function contains a data variable with the full DNS record value exactly as entered by the user and returned by the API. This value is inserted directly into the data-tag HTML attribute without any escaping or sanitization of special characters. When an attacker supplies a value containing double quotes ("), they can prematurely “close” the data-tag attribute and inject additional HTML attributes into the element. Since Pi-hole implements a Content Security Policy (CSP) that blocks inline JavaScript, the impact is limited. This issue has been fixed in version 6.4.1. | |||||
| CVE-2026-26953 | 1 Pi-hole | 1 Web Interface | 2026-03-12 | N/A | 5.4 MEDIUM |
| Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.0 and above have a Stored HTML Injection vulnerability in the active sessions table located on the API settings page, allowing an attacker with valid credentials to inject arbitrary HTML code that will be rendered in the browser of any administrator who visits the active sessions page. The rowCallback function contains the value data.x_forwarded_for, which is directly concatenated into an HTML string and inserted into the DOM using jQuery’s .html() method. This method interprets the content as HTML, which means that any HTML tags present in the value will be parsed and rendered by the browser. An attacker can use common tools such as curl, wget, Python requests, Burp Suite, or even JavaScript fetch() to send an authentication request with an X-Forwarded-For header that contains malicious HTML code instead of a legitimate IP address. Since Pi-hole implements a Content Security Policy (CSP) that blocks inline JavaScript, the impact is limited to pure HTML injection without the ability to execute scripts. This issue has been fixed in version 6.4.1. | |||||
| CVE-2026-25972 | 1 Fortinet | 1 Fortisiem | 2026-03-12 | N/A | 4.3 MEDIUM |
| An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSIEM 7.4.0, FortiSIEM 7.3.0 through 7.3.4 may allow a remote unauthenticated attacker to provide arbitrary data enabling a social engineering attack via spoofed URL parameters. | |||||
| CVE-2025-36226 | 2 Ibm, Linux | 2 Aspera Faspex, Linux Kernel | 2026-03-12 | N/A | 5.4 MEDIUM |
| IBM Aspera Faspex 5 5.0.0 through 5.0.14.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | |||||
| CVE-2026-25073 | 1 Seekswan | 2 Zikestor Sks8310-8x, Zikestor Sks8310-8x Firmware | 2026-03-12 | N/A | 5.4 MEDIUM |
| XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain a stored cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary script content through the System Name field. Attackers can inject malicious scripts that execute in a victim's browser when the stored value is viewed due to improper output encoding. | |||||
| CVE-2024-37800 | 1 Code-projects | 1 Restaurant Reservation System | 2026-03-12 | N/A | 6.1 MEDIUM |
| CodeProjects Restaurant Reservation System v1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Date parameter at index.php. | |||||
| CVE-2023-32624 | 1 Sakura | 1 Ts Webfonts For Sakura | 2026-03-12 | N/A | 6.1 MEDIUM |
| Cross-site scripting vulnerability in TS Webfonts for SAKURA 3.1.0 and earlier allows a remote unauthenticated attacker to inject an arbitrary script. | |||||
| CVE-2020-36731 | 1 Wpdesk | 1 Flexible Checkout Fields | 2026-03-12 | N/A | 7.2 HIGH |
| The Flexible Checkout Fields for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Plugin Settings update, in addition to Stored Cross-Site Scripting in versions up to, and including, 2.3.1. This is due to missing authorization checks on the updateSettingsAction() function which is called via an admin_init hook, along with missing sanitization and escaping on the settings that are stored. | |||||
| CVE-2026-1696 | 1 Arcinformatique | 1 Pcvue | 2026-03-12 | N/A | 6.1 MEDIUM |
| Some HTTP security headers are not properly set by the web server when sending responses to the client application. | |||||