Total
42100 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-40943 | 2026-03-11 | N/A | 9.6 CRITICAL | ||
| Affected devices do not properly sanitize contents of trace files. This could allow an attacker to inject code through social engineering a legitimate user to import a specially crafted trace file | |||||
| CVE-2025-70025 | 2026-03-11 | N/A | 6.1 MEDIUM | ||
| An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in benkeen generatedata 4.0.14. | |||||
| CVE-2025-70033 | 2026-03-11 | N/A | 5.4 MEDIUM | ||
| An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4. | |||||
| CVE-2026-1261 | 2026-03-11 | N/A | 7.2 HIGH | ||
| The MetForm Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Quiz feature in all versions up to, and including, 3.9.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-13902 | 2026-03-11 | N/A | N/A | ||
| CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause condition where authenticated attackers can have a victim’s browser run arbitrary JavaScript when the victim hovers over a maliciously crafted element on a web server containing the injected payload. | |||||
| CVE-2025-36173 | 2026-03-11 | N/A | 6.1 MEDIUM | ||
| Affected Product(s)Version(s)InfoSphere Data Architect9.2.1 | |||||
| CVE-2026-0489 | 2026-03-11 | N/A | 6.1 MEDIUM | ||
| Due to insufficient validation of user-controlled input in the URLs query parameter. SAP Business One Job Service could allow an unauthenticated attacker to inject specially crafted input which upon user interaction could result in a DOM-based Cross-Site Scripting (XSS) vulnerability. This issue had a low impact on the confidentiality and integrity of the application with no impact on availability. | |||||
| CVE-2026-30913 | 2026-03-11 | N/A | 4.6 MEDIUM | ||
| Flarum is open-source forum software. When the flarum/nicknames extension is enabled, a registered user can set their nickname to a string that email clients interpret as a hyperlink. The nickname is inserted verbatim into plain-text notification emails, and recipients may be misled into visiting attacker-controlled domains. | |||||
| CVE-2026-30917 | 2026-03-11 | N/A | N/A | ||
| Bucket is a MediaWiki extension to store and retrieve structured data on articles. Prior to 2.1.1, a stored XSS can be inserted into any Bucket table field that has a PAGE type, which will execute whenever a user views that table's corresponding Bucket namespace page. This vulnerability is fixed in 2.1.1. | |||||
| CVE-2026-30977 | 2026-03-11 | N/A | N/A | ||
| RenderBlocking is a MediaWiki extension that allows interface administrators to specify render-blocking CSS and JavaScript. Prior to 0.1.1, there is Stored XSS in renderblocking-css with Inline Assets mode. $wgRenderBlockingInlineAssets = true and editsitecss user rights are required. This vulnerability is fixed in 0.1.1. | |||||
| CVE-2026-3228 | 2026-03-11 | N/A | 6.4 MEDIUM | ||
| The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[nxs_fbembed]` shortcode in all versions up to, and including, 4.4.6. This is due to insufficient input sanitization and output escaping on the `snapFB` post meta value. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2026-3862 | 2026-03-11 | N/A | N/A | ||
| Cross-site Scripting (XSS) allows an attacker to submit specially crafted data to the application which is returned unaltered in the resulting web page. | |||||
| CVE-2026-30934 | 2026-03-11 | N/A | 8.9 HIGH | ||
| FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, Stored XSS is possible via share metadata fields (e.g., title, description) that are rendered into HTML for /public/share/<hash> without context-aware escaping. The server uses text/template instead of html/template, allowing injected scripts to execute when victims visit the share URL. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable. | |||||
| CVE-2026-2724 | 2026-03-11 | N/A | 7.2 HIGH | ||
| The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form entry fields in all versions up to, and including, 2.0.5. This is due to insufficient input sanitization and output escaping on form submission data displayed in the admin Form Entries Trash view. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the trashed form entries. | |||||
| CVE-2026-3492 | 2026-03-11 | N/A | 6.4 MEDIUM | ||
| The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.28.1. This is due to a compound failure involving missing authorization on the `create_from_template` AJAX endpoint (allowing any authenticated user to create forms), insufficient input sanitization (`sanitize_text_field()` preserves single quotes), and missing output escaping when the form title is rendered in the Form Switcher dropdown (`title` attribute constructed without `esc_attr()`, and JavaScript `saferHtml` utility only escapes `&`, `<`, `>` but not quotes). This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary JavaScript that executes when an Administrator searches in the Form Switcher dropdown in the Form Editor. | |||||
| CVE-2026-2569 | 2026-03-11 | N/A | 6.4 MEDIUM | ||
| The Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via PDF page labels in all versions up to, and including, 2.4.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2026-3534 | 2026-03-11 | N/A | 6.4 MEDIUM | ||
| The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `ast-page-background-meta` and `ast-content-background-meta` post meta fields in all versions up to, and including, 4.12.3. This is due to insufficient input sanitization on meta registration and missing output escaping in the `astra_get_responsive_background_obj()` function for four CSS-context sub-properties (`background-color`, `background-image`, `overlay-color`, `overlay-gradient`). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2026-3231 | 2026-03-11 | N/A | 7.2 HIGH | ||
| The Checkout Field Editor (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom radio and checkboxgroup field values submitted through the WooCommerce Block Checkout Store API in all versions up to, and including, 2.1.7. This is due to the `prepare_single_field_data()` method in `class-thwcfd-block-order-data.php` first escaping values with `esc_html()` then immediately reversing the escaping with `html_entity_decode()` for radio and checkboxgroup field types, combined with a permissive `wp_kses()` allowlist in `get_allowed_html()` that explicitly permits the `<select>` element with the `onchange` event handler attribute. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via the Store API checkout endpoint that execute when an administrator views the order details page. | |||||
| CVE-2026-31833 | 2026-03-11 | N/A | 6.7 MEDIUM | ||
| Umbraco is an ASP.NET CMS. From 16.2.0 to before 16.5.1 and 17.2.2, An authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. Due to an overly permissive attributeNameCheck configuration (/.+/) in the UFM DOMPurify instance, event handler attributes such as onclick and onload, when used within Umbraco web components (umb-*, uui-*, ufm-*) were not filtered. This vulnerability is fixed in 16.5.1 and 17.2.2. | |||||
| CVE-2026-3884 | 2026-03-11 | N/A | 6.1 MEDIUM | ||
| Versions of the package spin.js before 3.0.0 are vulnerable to Cross-site Scripting (XSS) via the spin() function that allows a creation of more than 1 alert for each 'target' element. An attacker would need to set an arbitrary key-value pair on Object.prototype through a crafted URL achieving a prototype pollution first, before being able to execute arbitrary JavaScript in the context of the user's browser. | |||||