Total
42304 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-25387 | 1 Smoothwall | 1 Smoothwall Express | 2026-02-20 | N/A | 6.1 MEDIUM |
| Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the xtaccess.cgi endpoint. Attackers can inject script payloads through the EXT, DEST_PORT, or COMMENT parameters via POST requests to execute arbitrary JavaScript in victim browsers. | |||||
| CVE-2019-25386 | 1 Smoothwall | 1 Smoothwall Express | 2026-02-20 | N/A | 6.1 MEDIUM |
| Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cross-site scripting vulnerabilities in the dmzholes.cgi script that allow attackers to inject malicious scripts through unvalidated parameters. Attackers can submit POST requests with script payloads in the SRC_IP, DEST_IP, or COMMENT parameters to execute arbitrary JavaScript in users' browsers. | |||||
| CVE-2019-25385 | 1 Smoothwall | 1 Smoothwall Express | 2026-02-20 | N/A | 6.1 MEDIUM |
| Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the MACHINE and MACHINECOMMENT parameters. Attackers can send POST requests to the outgoing.cgi endpoint with script payloads to execute arbitrary JavaScript in users' browsers and steal session data. | |||||
| CVE-2019-25384 | 1 Smoothwall | 1 Smoothwall Express | 2026-02-20 | N/A | 6.1 MEDIUM |
| Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cross-site scripting vulnerabilities in the portfw.cgi script that allow attackers to inject malicious scripts through unvalidated parameters. Attackers can submit POST requests with script payloads in the EXT, SRC_PORT_SEL, SRC_PORT, DEST_IP, DEST_PORT_SEL, or COMMENT parameters to execute arbitrary JavaScript in users' browsers. | |||||
| CVE-2019-25383 | 1 Smoothwall | 1 Smoothwall Express | 2026-02-20 | N/A | 6.1 MEDIUM |
| Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cross-site scripting vulnerabilities in the apcupsd.cgi script that allow attackers to inject malicious scripts through multiple POST parameters. Attackers can submit crafted POST requests with script payloads in parameters like BATTLEVEL, RTMIN, BATTDELAY, TO, ANNOY, UPSIP, UPSNAME, UPSPORT, POLLTIME, UPSUSER, NISPORT, UPSAUTH, EMAIL, FROM, CC, SMSEMAIL, SMTPSERVER, PORT, USER, and EMAIL_PASSWORD to execute arbitrary JavaScript in victim browsers. | |||||
| CVE-2019-25381 | 1 Smoothwall | 1 Smoothwall Express | 2026-02-20 | N/A | 6.1 MEDIUM |
| Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cross-site scripting vulnerabilities in the hosts.cgi script that allow attackers to inject malicious scripts through unvalidated parameters. Attackers can submit POST requests to the hosts.cgi endpoint with script payloads in the IP, HOSTNAME, or COMMENT parameters to execute arbitrary JavaScript in users' browsers. | |||||
| CVE-2019-25380 | 1 Smoothwall | 1 Smoothwall Express | 2026-02-20 | N/A | 6.1 MEDIUM |
| Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cross-site scripting vulnerabilities in the dhcp.cgi script that allow attackers to inject malicious scripts through multiple parameters. Attackers can submit POST requests to dhcp.cgi with script payloads in parameters such as BOOT_SERVER, BOOT_FILE, BOOT_ROOT, START_ADDR, END_ADDR, DNS1, DNS2, NTP1, NTP2, WINS1, WINS2, DEFAULT_LEASE_TIME, MAX_LEASE_TIME, DOMAIN_NAME, NIS_DOMAIN, NIS1, NIS2, STATIC_HOST, STATIC_DESC, STATIC_MAC, and STATIC_IP to execute arbitrary JavaScript in user browsers. | |||||
| CVE-2026-26989 | 1 Librenms | 1 Librenms | 2026-02-20 | N/A | 4.3 MEDIUM |
| LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below are affected by a Stored Cross-Site Scripting (XSS) vulnerability in the Alert Rules workflow. An attacker with administrative privileges can inject malicious scripts that execute in the browser context of any user who accesses the Alert Rules page. This issue has been fixed in version 26.2.0. | |||||
| CVE-2026-27059 | 2026-02-20 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Recipe penci-recipe allows DOM-Based XSS.This issue affects Penci Recipe: from n/a through <= 4.1. | |||||
| CVE-2026-27057 | 2026-02-20 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Filter Everything penci-filter-everything allows Stored XSS.This issue affects Penci Filter Everything: from n/a through <= 1.7. | |||||
| CVE-2026-25472 | 2026-02-20 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeFusion Fusion Builder fusion-builder allows Stored XSS.This issue affects Fusion Builder: from n/a through <= 3.14.3. | |||||
| CVE-2026-25451 | 2026-02-20 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in boldthemes Bold Page Builder bold-page-builder allows Stored XSS.This issue affects Bold Page Builder: from n/a through <= 5.6.4. | |||||
| CVE-2026-27016 | 1 Librenms | 1 Librenms | 2026-02-20 | N/A | 5.4 MEDIUM |
| LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 24.10.0 through 26.1.1 are vulnerable to Stored XSS via the unit parameter in Custom OID. The Custom OID functionality lacks strip_tags() sanitization while other fields (name, oid, datatype) are sanitized. The unsanitized value is stored in the database and rendered without HTML escaping. This issue is fixed in version 26.2.0. | |||||
| CVE-2026-26991 | 1 Librenms | 1 Librenms | 2026-02-20 | N/A | 4.8 MEDIUM |
| LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. In versions 26.1.1 and below, the device group name is not sanitized, allowing attackers with admin privileges to perform Stored Cross-Site Scripting (XSS) attacks. When a user adds a device group, an HTTP POST request is sent to the Request-URI "/device-groups". The name of the newly created device group is stored in the value of the name parameter. After the device group is created, the entry is displayed along with relevant buttons such as Rediscover Devices, Edit, and Delete. This issue has been fixed in version 26.2.0. | |||||
| CVE-2026-26992 | 1 Librenms | 1 Librenms | 2026-02-20 | N/A | 4.8 MEDIUM |
| LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. In versions 26.1.1 and below, the port group name is not sanitized, allowing attackers with admin privileges to perform Stored Cross-Site Scripting (XSS) attacks. When a user adds a port group, an HTTP POST request is sent to the Request-URI "/port-groups". The name of the newly created port group is stored in the value of the name parameter. After the port group is created, the entry is displayed along with relevant buttons such as Edit and Delete. This issue has been fixed in version 26.2.0. | |||||
| CVE-2019-25406 | 1 Comodo | 1 Dome Firewall | 2026-02-20 | N/A | 6.1 MEDIUM |
| Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the organization parameter. Attackers can send POST requests to the korugan/cmclient endpoint with script payloads in the organization parameter to execute arbitrary JavaScript in users' browsers. | |||||
| CVE-2019-25407 | 1 Comodo | 1 Dome Firewall | 2026-02-20 | N/A | 6.1 MEDIUM |
| Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the backup schedule interface. Attackers can send POST requests to the backupschedule endpoint with JavaScript code in the BACKUP_RCPTTO parameter to execute arbitrary scripts in users' browsers. | |||||
| CVE-2026-25516 | 1 Zauberzeug | 1 Nicegui | 2026-02-20 | N/A | 6.1 MEDIUM |
| NiceGUI is a Python-based UI framework. The ui.markdown() component uses the markdown2 library to convert markdown content to HTML, which is then rendered via innerHTML. By default, markdown2 allows raw HTML to pass through unchanged. This means that if an application renders user-controlled content through ui.markdown(), an attacker can inject malicious HTML containing JavaScript event handlers. Unlike other NiceGUI components that render HTML (ui.html(), ui.chat_message(), ui.interactive_image()), the ui.markdown() component does not provide or require a sanitize parameter, leaving applications vulnerable to XSS attacks. This vulnerability is fixed in 3.7.0. | |||||
| CVE-2019-25408 | 1 Comodo | 1 Dome Firewall | 2026-02-20 | N/A | 6.1 MEDIUM |
| Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the netmask_addr parameter. Attackers can send POST requests to the netwizard2 endpoint with script payloads in the netmask_addr parameter to execute arbitrary JavaScript in users' browsers. | |||||
| CVE-2019-25409 | 1 Comodo | 1 Dome Firewall | 2026-02-20 | N/A | 6.1 MEDIUM |
| Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the destination parameter. Attackers can send POST requests to the routing endpoint with script payloads in the destination parameter to execute arbitrary JavaScript in users' browsers. | |||||