Total: 42321 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-20711 | 1 Cybozu | 1 Garoon | 2026-02-19 | N/A | 6.1 MEDIUM |
| Cross-site scripting vulnerability exists in E-mail function of Cybozu Garoon 5.0.0 to 6.0.3, which may allow an attacker to reset arbitrary users’ passwords. | |||||
| CVE-2026-22881 | 1 Cybozu | 1 Garoon | 2026-02-19 | N/A | 5.4 MEDIUM |
| Cross-site scripting vulnerability exists in Message function of Cybozu Garoon 5.15.0 to 6.0.3, which may allow an attacker to reset arbitrary users’ passwords. | |||||
| CVE-2025-36436 | 1 Ibm | 1 Cloud Pak For Business Automation | 2026-02-19 | N/A | 6.4 MEDIUM |
| IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 007 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. | |||||
| CVE-2026-2547 | 1 Ligerosmart | 1 Ligerosmart | 2026-02-18 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was detected in LigeroSmart up to 6.1.26. The impacted element is the function AgentDashboard of the file /otrs/index.pl. Performing a manipulation of the argument Subaction results in cross-site scripting. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2026-1437 | 1 Graylog | 1 Graylog | 2026-02-18 | N/A | 6.1 MEDIUM |
| Reflected Cross-Site Scripting (XSS) vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack of proper sanitization and escaping in HTML output. Several endpoints include segments of the URL directly in the response without applying output encoding, allowing an attacker to inject and execute arbitrary JavaScript code when a user visits a specially crafted URL. Exploitation of this vulnerability may allow script execution in the victim's browser and limited manipulation of the affected user's session context, through the '/system/authentication/users/edit/' endpoint. | |||||
| CVE-2026-1438 | 1 Graylog | 1 Graylog | 2026-02-18 | N/A | 6.1 MEDIUM |
| Reflected Cross-Site Scripting (XSS) vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack of proper sanitization and escaping in HTML output. Several endpoints include segments of the URL directly in the response without applying output encoding, allowing an attacker to inject and execute arbitrary JavaScript code when a user visits a specially crafted URL. Exploitation of this vulnerability may allow script execution in the victim's browser and limited manipulation of the affected user's session context, through the '/system/nodes/' endpoint. | |||||
| CVE-2026-1439 | 1 Graylog | 1 Graylog | 2026-02-18 | N/A | 6.1 MEDIUM |
| Reflected Cross-Site Scripting (XSS) vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack of proper sanitization and escaping in HTML output. Several endpoints include segments of the URL directly in the response without applying output encoding, allowing an attacker to inject and execute arbitrary JavaScript code when a user visits a specially crafted URL. Exploitation of this vulnerability may allow script execution in the victim's browser and limited manipulation of the affected user's session context, through the '/alerts/' endpoint. | |||||
| CVE-2026-1440 | 1 Graylog | 1 Graylog | 2026-02-18 | N/A | 6.1 MEDIUM |
| Reflected Cross-Site Scripting (XSS) vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack of proper sanitization and escaping in HTML output. Several endpoints include segments of the URL directly in the response without applying output encoding, allowing an attacker to inject and execute arbitrary JavaScript code when a user visits a specially crafted URL. Exploitation of this vulnerability may allow script execution in the victim's browser and limited manipulation of the affected user's session context, through the '/system/pipelines/' endpoint. | |||||
| CVE-2026-1441 | 1 Graylog | 1 Graylog | 2026-02-18 | N/A | 6.1 MEDIUM |
| Reflected Cross-Site Scripting (XSS) vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack of proper sanitization and escaping in HTML output. Several endpoints include segments of the URL directly in the response without applying output encoding, allowing an attacker to inject and execute arbitrary JavaScript code when a user visits a specially crafted URL. Exploitation of this vulnerability may allow script execution in the victim's browser and limited manipulation of the affected user's session context, through the '/system/index_sets/' endpoint. | |||||
| CVE-2025-36019 | 2 Ibm, Linux | 2 Concert, Linux Kernel | 2026-02-18 | N/A | 6.1 MEDIUM |
| IBM Concert 1.0.0 through 2.1.0 for Z hub framework is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. | |||||
| CVE-2026-25759 | 1 Statamic | 1 Statamic | 2026-02-18 | N/A | 8.7 HIGH |
| Statamic is a Laravel and Git powered content management system (CMS). From 6.0.0 to before 6.2.3, a stored XSS vulnerability in content titles allows authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. The malicious user must have an account with control panel access and content creation permissions. This vulnerability can be exploited to allow super admin accounts to be created. This has been fixed in 6.2.3. | |||||
| CVE-2019-25368 | 1 Opnsense | 1 Opnsense | 2026-02-18 | N/A | 5.4 MEDIUM |
| OPNsense 19.1 contains multiple cross-site scripting vulnerabilities in the diag_backup.php endpoint that allow attackers to inject malicious scripts through multiple parameters including GDrive_GDriveEmail, GDrive_GDriveFolderID, GDrive_GDriveBackupCount, Nextcloud_url, Nextcloud_user, Nextcloud_password, Nextcloud_password_encryption, and Nextcloud_backupdir. Attackers can submit POST requests with script payloads in these parameters to execute arbitrary JavaScript in the context of authenticated administrator sessions. | |||||
| CVE-2019-25369 | 1 Opnsense | 1 Opnsense | 2026-02-18 | N/A | 6.4 MEDIUM |
| OPNsense 19.1 contains a stored cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attackers to inject persistent malicious scripts via the tunable parameter. Attackers can submit POST requests with script payloads that are stored and executed in the context of authenticated user sessions when the page is viewed. | |||||
| CVE-2019-25370 | 1 Opnsense | 1 Opnsense | 2026-02-18 | N/A | 6.1 MEDIUM |
| OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input through multiple parameters. Attackers can send POST requests to interfaces_vlan_edit.php with script payloads in the tag, descr, or vlanif parameters to execute arbitrary JavaScript in users' browsers. | |||||
| CVE-2019-25371 | 1 Opnsense | 1 Opnsense | 2026-02-18 | N/A | 6.1 MEDIUM |
| OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation in the host parameter. Attackers can submit crafted POST requests to the diag_ping.php endpoint with script payloads in the host parameter to execute arbitrary JavaScript in users' browsers. | |||||
| CVE-2019-25372 | 1 Opnsense | 1 Opnsense | 2026-02-18 | N/A | 6.1 MEDIUM |
| OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation in the host parameter. Attackers can submit crafted payloads through POST requests to diag_traceroute.php to execute arbitrary JavaScript in the context of a user's browser session. | |||||
| CVE-2019-25373 | 1 Opnsense | 1 Opnsense | 2026-02-18 | N/A | 6.4 MEDIUM |
| OPNsense 19.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the category parameter. Attackers can send POST requests to firewall_rules_edit.php with script payloads in the category field to execute arbitrary JavaScript in the browsers of other users accessing firewall rule pages. | |||||
| CVE-2019-25374 | 1 Opnsense | 1 Opnsense | 2026-02-18 | N/A | 6.1 MEDIUM |
| OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting the passthrough_networks parameter in vpn_ipsec_settings.php. Attackers can craft POST requests with JavaScript payloads in the passthrough_networks parameter to execute arbitrary code in users' browsers. | |||||
| CVE-2019-25375 | 1 Opnsense | 1 Opnsense | 2026-02-18 | N/A | 6.1 MEDIUM |
| OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the mailserver parameter. Attackers can send POST requests to the monit interface with JavaScript payloads in the mailserver parameter to execute arbitrary code in users' browsers. | |||||
| CVE-2019-25376 | 1 Opnsense | 1 Opnsense | 2026-02-18 | N/A | 6.1 MEDIUM |
| OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted payloads through the ignoreLogACL parameter. Attackers can send POST requests to the proxy endpoint with JavaScript code in the ignoreLogACL parameter to execute arbitrary scripts in users' browsers. | |||||
