Total
42502 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-25835 | 1 Esri | 1 Portal For Arcgis | 2026-02-13 | N/A | 8.4 HIGH |
| There is a stored Cross‑Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS Sites versions 11.1 and below that may allow a remote, authenticated attacker with high‑privileged access to create a crafted link that is persisted within the site configuration. When accessed by a victim, the stored payload may execute arbitrary JavaScript code in the victim’s browser. Successful exploitation could allow the attacker to access sensitive user data and session information, alter trusted site content and user actions, and disrupt normal site functionality, resulting in a high impact to confidentiality, integrity, and availability. | |||||
| CVE-2026-1700 | 1 Projectworlds | 1 House Rental And Property Listing Project | 2026-02-13 | 4.0 MEDIUM | 3.5 LOW |
| A weakness has been identified in projectworlds House Rental and Property Listing 1.0. This vulnerability affects unknown code of the file /app/sms.php. This manipulation of the argument Message causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. | |||||
| CVE-2020-37044 | 1 Citeum | 1 Opencti | 2026-02-13 | N/A | 5.4 MEDIUM |
| OpenCTI 3.3.1 is vulnerable to a reflected cross-site scripting (XSS) attack via the /graphql endpoint. An attacker can inject arbitrary JavaScript code by sending a crafted GET request with a malicious payload in the query string, leading to execution of JavaScript in the victim's browser. For example, a request to /graphql?'"--></style></scRipt><scRipt>alert('Raif_Berkay')</scRipt> will trigger an alert. This vulnerability was discovered by Raif Berkay Dincel and confirmed on Linux Mint and Windows 10. | |||||
| CVE-2025-70845 | 2026-02-13 | N/A | 6.1 MEDIUM | ||
| lty628 aidigu v1.9.1 is vulnerable to Cross Site Scripting (XSS) exists in the /setting/ page where the "intro" field is not properly sanitized or escaped. | |||||
| CVE-2024-41355 | 1 Phpipam | 1 Phpipam | 2026-02-13 | N/A | 6.5 MEDIUM |
| phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via /app/tools/request-ip/index.php. | |||||
| CVE-2023-4451 | 1 Agentejo | 1 Cockpit | 2026-02-13 | N/A | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4. | |||||
| CVE-2023-0676 | 1 Phpipam | 1 Phpipam | 2026-02-13 | N/A | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Reflected in GitHub repository phpipam/phpipam prior to 1.5.1. | |||||
| CVE-2021-35438 | 1 Phpipam | 1 Phpipam | 2026-02-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| phpIPAM 1.4.3 allows Reflected XSS via app/dashboard/widgets/ipcalc-result.php and app/tools/ip-calculator/result.php of the IP calculator. | |||||
| CVE-2018-15899 | 1 1234n | 1 Minicms | 2026-02-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in MiniCMS 1.10. There is a post.php?date= XSS vulnerability. | |||||
| CVE-2017-6541 | 1 Webpagetest Project | 1 Webpagetest | 2026-02-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple Cross-Site Scripting (XSS) issues were discovered in webpagetest 3.0. The vulnerabilities exist due to insufficient filtration of user-supplied data (benchmark, time) passed to the webpagetest-master/www/benchmarks/viewtest.php URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. | |||||
| CVE-2017-6537 | 1 Webpagetest Project | 1 Webpagetest | 2026-02-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-Site Scripting (XSS) issue was discovered in webpagetest 3.0. The vulnerability exists due to insufficient filtration of user-supplied data (bgcolor) passed to the webpagetest-master/www/video/view.php URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. | |||||
| CVE-2017-6478 | 1 Mangoswebv4 Project | 1 Mangoswebv4 | 2026-02-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| paintballrefjosh/MaNGOSWebV4 before 4.0.8 is vulnerable to a reflected XSS in install/index.php (step parameter). | |||||
| CVE-2017-6396 | 1 Webpagetest Project | 1 Webpagetest | 2026-02-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in WPO-Foundation WebPageTest 3.0. The vulnerability exists due to insufficient filtration of user-supplied data passed to the "webpagetest-master/www/compare-cf.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. | |||||
| CVE-2025-63645 | 1 Ph7builder | 1 Ph7 Social Dating Builder | 2026-02-13 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists in pH7Software pH7-Social-Dating-CMS 17.9.1 in the application's message system. Unsanitized message content submitted by one user is persisted by the server and later rendered in another user's Inbox view without appropriate context-aware encoding. As a result, attacker-controlled content executes in the recipient's browser context when the Inbox message is viewed. | |||||
| CVE-2026-1578 | 2026-02-13 | N/A | N/A | ||
| HP App for Android is potentially vulnerable to cross-site scripting (XSS) when using an outdated version of the application via mobile devices. HP is releasing updates to mitigate these potential vulnerabilities. | |||||
| CVE-2025-14560 | 1 Gitlab | 1 Gitlab | 2026-02-13 | N/A | 7.3 HIGH |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to perform unauthorized actions on behalf of another user by injecting malicious content into vulnerability code flow. | |||||
| CVE-2025-68723 | 1 Axigen | 1 Axigen Mail Server | 2026-02-13 | N/A | 9.0 CRITICAL |
| Axigen Mail Server before 10.5.57 contains multiple stored Cross-Site Scripting (XSS) vulnerabilities in the WebAdmin interface. Three instances exist: (1) the log file name parameter in the Local Services Log page, (2) certificate file content in the SSL Certificates View Usage feature, and (3) the Certificate File name parameter in the WebMail Listeners SSL settings. Attackers can inject malicious JavaScript payloads that execute in administrators' browsers when they access affected pages or features, enabling privilege escalation attacks where low-privileged admins can force high-privileged admins to perform unauthorized actions. | |||||
| CVE-2025-70368 | 1 Worklenz | 1 Worklenz | 2026-02-13 | N/A | 5.4 MEDIUM |
| Worklenz version 2.1.5 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Project Updates feature. An attacker can submit a malicious payload in the Updates text field which is then rendered in the reporting view without proper sanitization. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | |||||
| CVE-2026-26023 | 1 Dify | 1 Dify | 2026-02-13 | N/A | 6.1 MEDIUM |
| Dify is an open-source LLM app development platform. Prior to 1.13.0, a cross site scripting vulnerability has been found in the web application chat frontend when using echarts. User or llm inputs containing echarts containing a specific javascript payload will be executed. This vulnerability is fixed in 1.13.0. | |||||
| CVE-2019-25323 | 2026-02-13 | N/A | 6.1 MEDIUM | ||
| Heatmiser Netmonitor v3.03 contains an HTML injection vulnerability in the outputSetup.htm page that allows attackers to inject malicious HTML code through the outputtitle parameter. Attackers can craft specially formatted POST requests to the outputtitle parameter to execute arbitrary HTML and potentially manipulate the web interface's displayed content. | |||||