Total
366 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-44259 | 2026-05-13 | N/A | 4.6 MEDIUM | ||
| efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the previewServlet serves files with their detected MIME type based on file extension, without any content sanitization or security headers. Files with .html, .htm, or .svg extensions are served as text/html or image/svg+xml respectively, causing any embedded JavaScript to execute in the victim's browser within the application's origin. This vulnerability is fixed in 4.08.010. | |||||
| CVE-2026-41575 | 1 Th30d4y | 1 W4nn4d13\/ip | 2026-05-12 | N/A | 6.1 MEDIUM |
| In th30d4y/IP from version 1.0.1 to before version 2.0.1, a DOM-Based Cross-Site Scripting (XSS) vulnerability was identified in an IP Reputation Checker application. Unsanitized user input was directly rendered in the browser, allowing attackers to execute arbitrary JavaScript. This issue has been patched in version 2.0.1. | |||||
| CVE-2021-47948 | 2026-05-12 | N/A | 5.4 MEDIUM | ||
| WordPress GetPaid Plugin 2.4.6 contains an HTML injection vulnerability that allows authenticated attackers to inject arbitrary HTML code by exploiting the Help Text field in payment forms. Attackers can inject malicious HTML including image tags and scripts into the Help Text field during payment form creation, which gets stored in the database and executed in the browser when the form is viewed. | |||||
| CVE-2026-44264 | 1 Weblate | 1 Weblate | 2026-05-11 | N/A | 4.3 MEDIUM |
| Weblate is a web based localization tool. Prior to version 5.17.1, the Markdown renderer used in user comments and other user-provided content didn't properly sanitize some attributes. This issue has been patched in version 5.17.1. | |||||
| CVE-2025-59854 | 1 Hcltech | 1 Dfxanalytics | 2026-05-07 | N/A | 3.1 LOW |
| HCL DFXAnalytics is affected by an Insecure Security Header Configuration vulnerability where the application utilizes the outdated X-XSS-Protection header, which could allow an attacker to exploit browser-specific rendering flaws or bypass security controls that should instead be managed by a robust Content Security Policy (CSP). | |||||
| CVE-2026-6002 | 2026-05-07 | N/A | 8.8 HIGH | ||
| Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Cross-Site Scripting (XSS). This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2. | |||||
| CVE-2014-2353 | 1 Cogentdatahub | 1 Cogent Datahub | 2026-05-06 | 7.1 HIGH | N/A |
| Cross-site scripting (XSS) vulnerability in Cogent DataHub before 7.3.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2026-20070 | 1 Cisco | 2 Adaptive Security Appliance Software, Firepower Threat Defense | 2026-05-04 | N/A | 6.1 MEDIUM |
| A vulnerability in the VPN web services component of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a browser that is accessing an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by persuading a user to follow a link to a malicious website that is designed to submit malicious input to the affected application. A successful exploit could allow the attacker to execute arbitrary HTML or script code in the browser in the context of the VPN web server. | |||||
| CVE-2026-39712 | 2026-04-29 | N/A | 5.3 MEDIUM | ||
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in tagDiv tagDiv Composer td-composer allows Code Injection.This issue affects tagDiv Composer: from n/a through <= 5.4.3. | |||||
| CVE-2026-39628 | 2026-04-29 | N/A | 5.3 MEDIUM | ||
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes DukaMarket dukamarket allows Code Injection.This issue affects DukaMarket: from n/a through <= 1.3.0. | |||||
| CVE-2026-39626 | 2026-04-29 | N/A | 5.3 MEDIUM | ||
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes Armania armania allows Code Injection.This issue affects Armania: from n/a through <= 1.4.8. | |||||
| CVE-2025-13178 | 1 Bdtask | 1 Saleserp | 2026-04-29 | 4.0 MEDIUM | 3.5 LOW |
| A flaw has been found in Bdtask/CodeCanyon SalesERP up to 20250728. This vulnerability affects unknown code of the file /edit_profile of the component User Profile Handler. This manipulation of the argument first_name/last_name causes basic cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-13180 | 1 Bdtask | 1 Wholesale | 2026-04-29 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was found in Bdtask/CodeCanyon Wholesale Inventory Control and Inventory Management System up to 20250320. Impacted is an unknown function of the file /edit_profile. Performing manipulation of the argument first_name/last_name results in basic cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-14186 | 2026-04-29 | 4.0 MEDIUM | 3.5 LOW | ||
| A security flaw has been discovered in Grandstream GXP1625 1.0.7.4. The impacted element is an unknown function of the file /cgi-bin/api.values.post of the component Network Status Page. Performing manipulation of the argument vpn_ip results in basic cross site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-1154 | 1 Janobe | 1 E-learning System | 2026-04-29 | 5.0 MEDIUM | 4.3 MEDIUM |
| A flaw has been found in SourceCodester E-Learning System 1.0. This impacts an unknown function of the file /admin/modules/lesson/index.php of the component Lesson Module Handler. Executing a manipulation of the argument Title/Description can lead to basic cross site scripting. The attack can be executed remotely. The exploit has been published and may be used. | |||||
| CVE-2026-22469 | 2026-04-28 | N/A | 5.3 MEDIUM | ||
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in mwtemplates DeepDigital deepdigital allows Code Injection.This issue affects DeepDigital: from n/a through <= 1.0.2. | |||||
| CVE-2025-31384 | 2026-04-28 | N/A | 7.1 HIGH | ||
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Aviplugins Videos allows Reflected XSS.This issue affects Videos: from n/a through 1.0.5. | |||||
| CVE-2023-48763 | 2026-04-28 | N/A | 5.3 MEDIUM | ||
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS vulnerability in Crocoblock JetFormBuilder allows Code Injection.This issue affects JetFormBuilder: from n/a through 3.1.4. | |||||
| CVE-2023-47869 | 1 Gvectors | 1 Wpforo Forum | 2026-04-28 | N/A | 4.3 MEDIUM |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in gVectors Team wpForo Forum allows Code Injection.This issue affects wpForo Forum: from n/a through 2.2.5. | |||||
| CVE-2022-38055 | 1 Gvectors | 1 Wpforo Forum | 2026-04-28 | N/A | 4.3 MEDIUM |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in gVectors Team wpForo Forum allows Content Spoofing.This issue affects wpForo Forum: from n/a through 2.0.9. | |||||