Total
42494 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-26226 | | | 2026-02-13 | N/A | N/A |
| beautiful-mermaid versions prior to 0.1.3 contain an SVG attribute injection issue that can lead to cross-site scripting (XSS) when rendering attacker-controlled Mermaid diagrams. User-controlled values from Mermaid style and classDef directives are interpolated into SVG attribute values without proper escaping, allowing crafted input to break out of an attribute context and inject arbitrary SVG elements/attributes into the rendered output. When the generated SVG is embedded in a web page, this can result in script execution in the context of the embedding origin. | |||||
| CVE-2022-26533 | 1 Alistgo | 1 Alist | 2026-02-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Alist v2.1.0 and below was discovered to contain a cross-site scripting (XSS) vulnerability via /i/:data/ipa.plist. | |||||
| CVE-2022-45970 | 1 Alistgo | 1 Alist | 2026-02-13 | N/A | 5.4 MEDIUM |
| Alist v3.5.1 is vulnerable to Cross Site Scripting (XSS) via the bulletin board. | |||||
| CVE-2024-47067 | 1 Alistgo | 1 Alist | 2026-02-13 | N/A | 6.1 MEDIUM |
| AList is a file list program that supports multiple storages. AList contains a reflected cross-site scripting vulnerability in helper.go. The endpoint /i/:link_name takes in a user-provided value and reflects it back in the response. The endpoint returns an application/xml response, opening it up to HTML tags via XHTML and thus leading to an XSS vulnerability. This vulnerability is fixed in 3.29.0. | |||||
| CVE-2026-0788 | 1 Algosolutions | 2 8180 Ip Audio Alerter, 8180 Ip Audio Alerter Firmware | 2026-02-13 | N/A | 6.1 MEDIUM |
| ALGO 8180 IP Audio Alerter Web UI Persistent Cross-Site Scripting Vulnerability. This vulnerability allows remote attackers to execute web requests with a target user's privileges on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the functionality for viewing the syslog. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this vulnerability to interact with the application in the context of the target user. Was ZDI-CAN-28298. | |||||
| CVE-2026-2098 | 1 Flowring | 1 Agentflow | 2026-02-13 | N/A | 6.1 MEDIUM |
| AgentFlow developed by Flowring has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript code in the user's browser through phishing attacks. | |||||
| CVE-2026-2099 | 1 Flowring | 1 Agentflow | 2026-02-13 | N/A | 5.4 MEDIUM |
| AgentFlow developed by Flowring has a Stored Cross-Site Scripting vulnerability, allowing authenticated remote attackers to inject persistent JavaScript code that is executed in users' browsers upon page load. | |||||
| CVE-2026-1446 | 1 Esri | 1 Arcgis Pro | 2026-02-13 | N/A | 5.0 MEDIUM |
| There is a Cross‑Site Scripting (XSS) issue in Esri ArcGIS Pro versions 3.6.0 and earlier. ArcGIS Pro is a desktop application, and exploitation is limited to local users interacting with the application; no privileged role or elevated permissions are required beyond standard local user access. A local attacker can supply malicious strings that may be rendered and executed when a specific dialog within ArcGIS Pro is opened. This issue is fixed in ArcGIS Pro version 3.6.1. | |||||
| CVE-2024-25709 | 3 Esri, Linux, Microsoft | 3 Portal For Arcgis, Linux Kernel, Windows | 2026-02-13 | N/A | 6.1 MEDIUM |
| There is a stored Cross‑Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS versions 11.2 and below that may allow a remote, authenticated attacker to create a crafted link that can be saved as a new location when moving an existing item, which could potentially execute arbitrary JavaScript code in a victim’s browser. Exploitation does not require any privileges and can be performed by an anonymous user. | |||||
| CVE-2024-25705 | 3 Esri, Linux, Microsoft | 3 Portal For Arcgis, Linux Kernel, Windows | 2026-02-13 | N/A | 5.4 MEDIUM |
| There is a cross‑site scripting (XSS) vulnerability in Esri Portal for ArcGIS Experience Builder versions 11.1 and below on Windows and Linux that allows a remote, authenticated attacker with low‑privileged access to create a crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim’s browser. Exploitation requires basic authenticated access but does not require elevated or administrative privileges, indicating low privileges are required. | |||||
| CVE-2024-8149 | 1 Esri | 1 Portal For Arcgis | 2026-02-13 | N/A | 4.6 MEDIUM |
| There is a reflected Cross‑Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS versions 11.1 and 11.2 that may allow a remote, authenticated attacker with low‑privileged access to create a crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim’s browser. Exploitation is limited to the same browser execution context and does not result in a change of security scope beyond the affected user session. | |||||
| CVE-2023-25837 | 1 Esri | 1 Portal For Arcgis | 2026-02-13 | N/A | 8.4 HIGH |
| There is a Cross‑Site Scripting (XSS) vulnerability in Esri ArcGIS Enterprise Sites versions 10.9 and below that may allow a remote, authenticated attacker to create a crafted link which, when clicked by a victim, could result in the execution of arbitrary JavaScript code in the target’s browser. Exploitation requires high‑privileged authenticated access. Successful exploitation may allow the attacker to access sensitive session data, manipulate trusted content, and disrupt normal application functionality, resulting in a high impact to confidentiality, integrity, and availability. | |||||
| CVE-2023-25835 | 1 Esri | 1 Portal For Arcgis | 2026-02-13 | N/A | 8.4 HIGH |
| There is a stored Cross‑Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS Sites versions 11.1 and below that may allow a remote, authenticated attacker with high‑privileged access to create a crafted link that is persisted within the site configuration. When accessed by a victim, the stored payload may execute arbitrary JavaScript code in the victim’s browser. Successful exploitation could allow the attacker to access sensitive user data and session information, alter trusted site content and user actions, and disrupt normal site functionality, resulting in a high impact to confidentiality, integrity, and availability. | |||||
| CVE-2026-1700 | 1 Projectworlds | 1 House Rental And Property Listing Project | 2026-02-13 | 4.0 MEDIUM | 3.5 LOW |
| A weakness has been identified in projectworlds House Rental and Property Listing 1.0. This vulnerability affects unknown code of the file /app/sms.php. This manipulation of the argument Message causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. | |||||
| CVE-2020-37044 | 1 Citeum | 1 Opencti | 2026-02-13 | N/A | 5.4 MEDIUM |
| OpenCTI 3.3.1 is vulnerable to a reflected cross-site scripting (XSS) attack via the /graphql endpoint. An attacker can inject arbitrary JavaScript code by sending a crafted GET request with a malicious payload in the query string, leading to execution of JavaScript in the victim's browser. For example, a request to /graphql?'"--></style></scRipt><scRipt>alert('Raif_Berkay')</scRipt> will trigger an alert. This vulnerability was discovered by Raif Berkay Dincel and confirmed on Linux Mint and Windows 10. | |||||
| CVE-2025-70845 | | | 2026-02-13 | N/A | 6.1 MEDIUM |
| lty628 aidigu v1.9.1 is vulnerable to Cross Site Scripting (XSS) in the /setting/ page, where the "intro" field is not properly sanitized or escaped. | |||||
| CVE-2024-41355 | 1 Phpipam | 1 Phpipam | 2026-02-13 | N/A | 6.5 MEDIUM |
| phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via /app/tools/request-ip/index.php. | |||||
| CVE-2023-4451 | 1 Agentejo | 1 Cockpit | 2026-02-13 | N/A | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4. | |||||
| CVE-2023-0676 | 1 Phpipam | 1 Phpipam | 2026-02-13 | N/A | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Reflected in GitHub repository phpipam/phpipam prior to 1.5.1. | |||||
| CVE-2021-35438 | 1 Phpipam | 1 Phpipam | 2026-02-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| phpIPAM 1.4.3 allows Reflected XSS via app/dashboard/widgets/ipcalc-result.php and app/tools/ip-calculator/result.php of the IP calculator. | |||||
