Export limit exceeded: 46980 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (46980 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-13295 | 2 Gpriday, Wordpress | 2 Page Builder By Siteorigin, Wordpress | 2026-06-29 | 6.4 Medium |
| The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via panels_data Parameter in all versions up to, and including, 2.34.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is possible because the nonce and edit_post capability checks enforced during save are both satisfied by Contributor-level users for their own posts, and the panels_data value is stored as post meta — outside the scope of WordPress's unfiltered_html carve-out — meaning no wp_kses fallback prevents the unsanitized WP_Widget_Custom_HTML content from being persisted and later rendered verbatim on the frontend. | ||||
| CVE-2026-13556 | 1 Itsourcecode | 1 Online Hotel Management System | 2026-06-29 | 4.3 Medium |
| A vulnerability was determined in itsourcecode Online Hotel Management System 1.0. This affects an unknown part of the file /admin/mod_users/controller.php?action=edit of the component POST Request Handler. This manipulation of the argument Name causes cross site scripting. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2026-13554 | 1 Itsourcecode | 1 Online Hotel Management System | 2026-06-29 | 4.3 Medium |
| A vulnerability has been found in itsourcecode Online Hotel Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/mod_amenities/controller.php?action=add of the component POST Request Handler. The manipulation of the argument Name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2026-13536 | 1 Gotohttp | 1 Gotohttp | 2026-06-29 | 4.3 Medium |
| A vulnerability has been found in GotoHTTP up to 10.2. This issue affects some unknown processing of the file /reg.12x. The manipulation of the argument sn leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor explains: "We immediately removed unnecessary parameter echo from source code. However the URL in the issue description will never be used in browser nor exposed to user, so it will not bring secure problem in fact. So we don't upgrade server right now, it will be included in next version together with other features." | ||||
| CVE-2026-48940 | 1 Getk2 | 1 K2 Extension For Joomla | 2026-06-28 | 3.4 Low |
| A Joomla user with K2 "create item" rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `<script>` tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page. | ||||
| CVE-2026-48942 | 1 Getk2 | 1 K2 Extension For Joomla | 2026-06-28 | 6.1 Medium |
| K2 ≤ 2.26 renders the `#__k2_users.image` column directly into HTML `src` attributes via two distinct templates, in both cases without HTML escaping. | ||||
| CVE-2026-13504 | 1 Code-projects | 1 Project Management System | 2026-06-28 | 3.5 Low |
| A vulnerability has been found in code-projects Project Management System 1.0. This vulnerability affects unknown code of the file /mail.php of the component Mail Compose Page. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2026-44696 | 1 Opf | 1 Openproject | 2026-06-27 | 5.7 Medium |
| OpenProject is open-source, web-based project management software. Prior to 17.4.0, OpenProject's rich text (markdown) rendering pipeline uses Sanitize::Config::RELAXED[:css] for inline style sanitization. This configuration permits essentially all CSS properties in style attributes on permitted HTML elements (figure, img, table, th, tr, td). This allows any authenticated user with write access to formattable text fields (work package descriptions, comments, project descriptions, news) to inject CSS This vulnerability is fixed in 17.4.0. | ||||
| CVE-2026-13083 | 1 Redhat | 1 Pdrive Lightspeed | 2026-06-27 | 6.9 Medium |
| A flaw was found in the Pen Drive report generator. Cluster-sourced data is rendered into HTML reports without proper escaping or sanitization. An attacker with cluster administrator privileges can inject a stored cross-site scripting (XSS) payload into cluster objects (such as ClusterVersion spec.channel) that executes in the browser of any user who opens the generated HTML report. | ||||
| CVE-2020-37256 | 1 Getgrav | 1 Grav-plugin-admin | 2026-06-27 | 5.4 Medium |
| Grav before 1.6.30 contains a cross-site scripting vulnerability in the Admin plugin page editor default security configuration. Privileged users with page editing capabilities can inject malicious scripts to execute arbitrary code and install malicious plugins for system access. | ||||
| CVE-2026-57322 | 2 Wedevs, Wordpress | 2 Wemail, Wordpress | 2026-06-26 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in weMail <= 2.1.2 versions. | ||||
| CVE-2026-57650 | 2 Blockart, Wordpress | 2 Magazine Blocks, Wordpress | 2026-06-26 | 6.5 Medium |
| Contributor Cross Site Scripting (XSS) in Magazine Blocks <= 1.8.3 versions. | ||||
| CVE-2026-56043 | 2 Cusrev, Wordpress | 2 Customer Reviews For Woocommerce, Wordpress | 2026-06-26 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Customer Reviews for WooCommerce <= 5.110.1 versions. | ||||
| CVE-2026-57617 | 2 Seedprod Llc, Wordpress | 2 Seedprod Pro, Wordpress | 2026-06-26 | 6.5 Medium |
| Contributor Cross Site Scripting (XSS) in SeedProd Pro < 6.19.5 versions. | ||||
| CVE-2026-56072 | 2 Wordpress, Xtemos | 2 Wordpress, Woodmart | 2026-06-26 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in WoodMart <= 8.5.3 versions. | ||||
| CVE-2026-57312 | 2 Wordpress, Wpeverest | 2 Wordpress, Everest Forms | 2026-06-26 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Everest Forms <= 3.4.8 versions. | ||||
| CVE-2026-57313 | 2 Surecart, Wordpress | 2 Surecart, Wordpress | 2026-06-26 | 6.5 Medium |
| Subscriber Cross Site Scripting (XSS) in SureCart <= 4.2.2 versions. | ||||
| CVE-2026-57317 | 2 Nsquared, Wordpress | 2 Simply Schedule Appointments, Wordpress | 2026-06-26 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Simply Schedule Appointments <= 1.6.12.2 versions. | ||||
| CVE-2026-57319 | 2 Realmag777, Wordpress | 2 Fox, Wordpress | 2026-06-26 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in FOX <= 1.4.8 versions. | ||||
| CVE-2026-56044 | 2 Adenion, Wordpress | 2 Blog2social, Wordpress | 2026-06-26 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Blog2Social <= 8.9.2 versions. | ||||