Total
42536 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-0676 | 1 Phpipam | 1 Phpipam | 2026-02-13 | N/A | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Reflected in GitHub repository phpipam/phpipam prior to 1.5.1. | |||||
| CVE-2021-35438 | 1 Phpipam | 1 Phpipam | 2026-02-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| phpIPAM 1.4.3 allows Reflected XSS via app/dashboard/widgets/ipcalc-result.php and app/tools/ip-calculator/result.php of the IP calculator. | |||||
| CVE-2018-15899 | 1 1234n | 1 Minicms | 2026-02-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in MiniCMS 1.10. There is a post.php?date= XSS vulnerability. | |||||
| CVE-2017-6541 | 1 Webpagetest Project | 1 Webpagetest | 2026-02-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple Cross-Site Scripting (XSS) issues were discovered in webpagetest 3.0. The vulnerabilities exist due to insufficient filtration of user-supplied data (benchmark, time) passed to the webpagetest-master/www/benchmarks/viewtest.php URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. | |||||
| CVE-2017-6537 | 1 Webpagetest Project | 1 Webpagetest | 2026-02-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-Site Scripting (XSS) issue was discovered in webpagetest 3.0. The vulnerability exists due to insufficient filtration of user-supplied data (bgcolor) passed to the webpagetest-master/www/video/view.php URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. | |||||
| CVE-2017-6478 | 1 Mangoswebv4 Project | 1 Mangoswebv4 | 2026-02-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| paintballrefjosh/MaNGOSWebV4 before 4.0.8 is vulnerable to a reflected XSS in install/index.php (step parameter). | |||||
| CVE-2017-6396 | 1 Webpagetest Project | 1 Webpagetest | 2026-02-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in WPO-Foundation WebPageTest 3.0. The vulnerability exists due to insufficient filtration of user-supplied data passed to the "webpagetest-master/www/compare-cf.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. | |||||
| CVE-2025-63645 | 1 Ph7builder | 1 Ph7 Social Dating Builder | 2026-02-13 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists in pH7Software pH7-Social-Dating-CMS 17.9.1 in the application's message system. Unsanitized message content submitted by one user is persisted by the server and later rendered in another user's Inbox view without appropriate context-aware encoding. As a result, attacker-controlled content executes in the recipient's browser context when the Inbox message is viewed. | |||||
| CVE-2026-1578 | 2026-02-13 | N/A | N/A | ||
| HP App for Android is potentially vulnerable to cross-site scripting (XSS) when using an outdated version of the application via mobile devices. HP is releasing updates to mitigate these potential vulnerabilities. | |||||
| CVE-2025-14560 | 1 Gitlab | 1 Gitlab | 2026-02-13 | N/A | 7.3 HIGH |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to perform unauthorized actions on behalf of another user by injecting malicious content into vulnerability code flow. | |||||
| CVE-2025-68723 | 1 Axigen | 1 Axigen Mail Server | 2026-02-13 | N/A | 9.0 CRITICAL |
| Axigen Mail Server before 10.5.57 contains multiple stored Cross-Site Scripting (XSS) vulnerabilities in the WebAdmin interface. Three instances exist: (1) the log file name parameter in the Local Services Log page, (2) certificate file content in the SSL Certificates View Usage feature, and (3) the Certificate File name parameter in the WebMail Listeners SSL settings. Attackers can inject malicious JavaScript payloads that execute in administrators' browsers when they access affected pages or features, enabling privilege escalation attacks where low-privileged admins can force high-privileged admins to perform unauthorized actions. | |||||
| CVE-2025-70368 | 1 Worklenz | 1 Worklenz | 2026-02-13 | N/A | 5.4 MEDIUM |
| Worklenz version 2.1.5 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Project Updates feature. An attacker can submit a malicious payload in the Updates text field which is then rendered in the reporting view without proper sanitization. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | |||||
| CVE-2026-26023 | 1 Dify | 1 Dify | 2026-02-13 | N/A | 6.1 MEDIUM |
| Dify is an open-source LLM app development platform. Prior to 1.13.0, a cross site scripting vulnerability has been found in the web application chat frontend when using echarts. User or llm inputs containing echarts containing a specific javascript payload will be executed. This vulnerability is fixed in 1.13.0. | |||||
| CVE-2019-25323 | 2026-02-13 | N/A | 6.1 MEDIUM | ||
| Heatmiser Netmonitor v3.03 contains an HTML injection vulnerability in the outputSetup.htm page that allows attackers to inject malicious HTML code through the outputtitle parameter. Attackers can craft specially formatted POST requests to the outputtitle parameter to execute arbitrary HTML and potentially manipulate the web interface's displayed content. | |||||
| CVE-2019-25324 | 2026-02-13 | N/A | 6.1 MEDIUM | ||
| RICOH Web Image Monitor 1.09 contains an HTML injection vulnerability in the address configuration CGI script that allows attackers to inject malicious HTML code. Attackers can exploit the entryNameIn and entryDisplayNameIn parameters to insert arbitrary HTML content, potentially enabling cross-site scripting attacks. | |||||
| CVE-2026-0595 | 1 Gitlab | 1 Gitlab | 2026-02-12 | N/A | 7.3 HIGH |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.9 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to add unauthorized email addresses to victim accounts through HTML injection in test case titles. | |||||
| CVE-2026-1466 | 1 Jirafeau | 1 Jirafeau | 2026-02-12 | N/A | 6.1 MEDIUM |
| Jirafeau normally prevents browser preview for text files due to the possibility that for example SVG and HTML documents could be exploited for cross site scripting. This was done by storing the MIME type of a file and allowing only browser preview for MIME types beginning with image (except for image/svg+xml, see CVE-2022-30110, CVE-2024-12326 and CVE-2025-7066), video and audio. However, it was possible to bypass this check by sending a manipulated HTTP request with an invalid MIME type like image. When doing the preview, the browser tries to automatically detect the MIME type resulting in detecting SVG and possibly executing JavaScript code. To prevent this, MIME sniffing is disabled by sending the HTTP header X-Content-Type-Options: nosniff. | |||||
| CVE-2025-13979 | 1 Salsa.digital | 1 Mini Site | 2026-02-12 | N/A | 5.4 MEDIUM |
| Privilege Defined With Unsafe Actions vulnerability in Drupal Mini site allows Stored XSS.This issue affects Mini site: from 0.0.0 before 3.0.2. | |||||
| CVE-2026-22710 | 1 Wikimedia | 1 Wikibase | 2026-02-12 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Wikibase Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Wikibase Extension: 1.45, 1.44, 1.43, 1.39. | |||||
| CVE-2026-22713 | 1 Growth | 1 Growthexperiments | 2026-02-12 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - GrowthExperiments Extension: 1.45, 1.44, 1.43, 1.39. | |||||