Export limit exceeded: 45960 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (45960 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-46508 | 1 Yeti-platform | 1 Yeti | 2026-05-08 | 7.5 High |
| yeti-platform yeti before 2.1.12 allows attackers to generate valid JWT tokens is the secret is not changed (by setting YETI_AUTH_SECRET_KEY to a value other than SECRET). | ||||
| CVE-2023-42343 | 1 Alkacon | 1 Opencms | 2026-05-08 | 6.1 Medium |
| A Cross Site Scripting vulnerability in Alkacon OpenCms before 10.5.1 exists via cmis-online/type. | ||||
| CVE-2023-42345 | 1 Alkacon | 1 Opencms | 2026-05-08 | 6.1 Medium |
| A Cross Site Scripting vulnerability in Alkacon OpenCms before 16 exists via updateModelGroups.jsp. | ||||
| CVE-2026-27694 | 1 Traccar | 1 Traccar | 2026-05-08 | 5.4 Medium |
| Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the email notification templates insert user-controlled device, geofence, and driver names into HTML email output without proper escaping. An attacker with low privileges can store crafted HTML in these fields, which is then rendered in notification emails sent to other users with access to the affected devices. This can lead to phishing or spoofed email content. This issue is fixed in version 6.13.0. | ||||
| CVE-2026-42086 | 1 Openc3 | 1 Cosmos | 2026-05-08 | 4.6 Medium |
| OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0, the Command Sender UI uses an unsafe eval() function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in the victim’s session, if allowed to influence the array parameter input, for example via phishing. If successful, an attacker may read or modify data in the authenticated browser context, including session tokens in local storage. This issue has been patched in version 7.0.0. | ||||
| CVE-2026-42794 | 1 Absinthe-graphql | 1 Absinthe Plug | 2026-05-08 | N/A |
| Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the query GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \'), breaking out of the string context and executing arbitrary JavaScript in the victim's browser. This issue affects absinthe_plug: from 1.2.0. | ||||
| CVE-2026-35453 | 1 Phpoffice | 1 Phpspreadsheet | 2026-05-08 | 5.4 Medium |
| PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.3 and earlier, 2.0.0 through 2.1.15, 2.2.0 through 2.4.4, 3.3.0 through 3.10.4, and 4.0.0 through 5.6.0, the HTML Writer skips htmlspecialchars() output escaping when a cell uses a custom number format containing the @ text placeholder with additional literal text (e.g., @ "items"). The escaping is only applied when the formatted output strictly equals the original cell value. When the format code contains @ with quoted literal text, the formatter substitutes the raw cell value into the format string and returns early without invoking the escaping callback. An attacker who can control cell content in a spreadsheet processed by the HTML Writer can inject arbitrary HTML and JavaScript into the generated output. This issue has been fixed in versions 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0. | ||||
| CVE-2026-38432 | 2 Erpnext, Frappe | 2 Erpnext, Erpnext | 2026-05-08 | 6.1 Medium |
| ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting (XSS) in the Email Template engine. An attacker with permission to create or edit email templates can inject malicious JavaScript code that are executed on the victim's browser when the template is applied. | ||||
| CVE-2026-32851 | 1 Mailenable | 1 Mailenable | 2026-05-08 | 6.1 Medium |
| MailEnable versions prior to 10.55 contain a reflected cross-site scripting vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. Attackers can inject malicious code through the StartDate parameter in the FreeBusy.aspx form, which is not properly sanitized before being embedded into dynamically generated JavaScript. | ||||
| CVE-2026-41929 | 1 Givanz | 1 Vvveb | 2026-05-08 | 6.1 Medium |
| Vvveb before 1.0.8.2 contains an unauthenticated reflected cross-site scripting vulnerability in the visual editor preview renderer that allows attackers to execute arbitrary JavaScript by manipulating the r query parameter and _component_ajax POST parameter. Attackers can craft a malicious link or auto-submitted form that causes victims to execute attacker-controlled JavaScript in the context of the Vvveb origin, as the gating function isEditor() performs no session, role, or token verification and the view handler injects raw HTML POST body content without sanitization. | ||||
| CVE-2025-68900 | 2 Kriesi, Wordpress | 2 Enfold, Wordpress | 2026-05-08 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kriesi Enfold allows DOM-Based XSS. This issue affects Enfold: from n/a through 7.1.3. | ||||
| CVE-2026-8117 | 1 Sourcecodester | 1 Pizzafy Ecommerce System | 2026-05-08 | 4.3 Medium |
| A security vulnerability has been detected in SourceCodester Pizzafy Ecommerce System 1.0. This issue affects some unknown processing of the file /admin/index.php. Such manipulation of the argument page leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2026-5341 | 2 Mirceatm, Wordpress | 2 Nmr Strava Activities, Wordpress | 2026-05-08 | 6.4 Medium |
| The NMR Strava activities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `strava_nmr_connect` shortcode in all versions up to, and including, 1.0.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-41653 | 1 Alam00000 | 1 Bentopdf | 2026-05-07 | N/A |
| BentoPDF is a client-side PDF toolkit that is self hostable. Prior to version 2.8.3, a cross-site scripting vulnerability was identified in BentoPD. An attacker may be able to execute arbitrary JavaScript in certain circumstances in Markdown to PDF Tool. This issue has been patched in version 2.8.3. | ||||
| CVE-2025-31970 | 2 Hcl, Hcltech | 2 Dfxanalytics, Dfxanalytics | 2026-05-07 | 5.3 Medium |
| HCL DFXAnalytics is affected by an Insecure Security Header configuration vulnerability where the Content-Security-Policy does not define strict directives for object-src and base-uri, which could allow an attacker to exploit injection vectors such as Cross-Site Scripting (XSS) | ||||
| CVE-2025-59854 | 2 Hcl, Hcltech | 2 Dfxanalytics, Dfxanalytics | 2026-05-07 | 3.1 Low |
| HCL DFXAnalytics is affected by an Insecure Security Header Configuration vulnerability where the application utilizes the outdated X-XSS-Protection header, which could allow an attacker to exploit browser-specific rendering flaws or bypass security controls that should instead be managed by a robust Content Security Policy (CSP). | ||||
| CVE-2026-8032 | 1 Picotronica | 1 E-clinic Healthcare System Echs | 2026-05-07 | 7.3 High |
| A flaw has been found in PicoTronica e-Clinic Healthcare System ECHS 5.7. The impacted element is an unknown function of the file /cdemos/echs/priv/echs.js. This manipulation of the argument ADMIN_KEY causes hard-coded credentials. The attack is possible to be carried out remotely. The exploit has been published and may be used. Upgrading to version 5.7.1 is sufficient to resolve this issue. The affected component should be upgraded. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. | ||||
| CVE-2026-40171 | 3 Jupyter, Jupyter-notebook, Jupyterlab | 4 Jupyterlab, Notebook, Help-extension and 1 more | 2026-05-07 | N/A |
| In Jupyter Notebook versions 7.0.0 through 7.5.5, JupyterLab versions 4.5.6 and earlier, and the corresponding @jupyter-notebook/help-extension and @jupyterlab/help-extension packages before 7.5.6 and 4.5.7, a stored cross-site scripting issue in the help command linker can be chained with attacker-controlled notebook content to steal authentication tokens with a single click. An attacker can craft a malicious notebook file containing elements that appear indistinguishable from legitimate controls and trigger execution when a user interacts with them. Successful exploitation allows theft of the user's authentication token and complete takeover of the Jupyter session through the REST API, including reading files, creating or modifying files, accessing kernels to execute arbitrary code, and creating terminals for shell access. This issue has been fixed in Notebook 7.5.6, JupyterLab 4.5.7, @jupyter-notebook/help-extension 7.5.6, and @jupyterlab/help-extension 4.5.7. As a workaround, disable the affected help extensions or set allowCommandLinker to false in the sanitizer configuration. | ||||
| CVE-2025-62127 | 2 Wen Themes, Wordpress | 2 Wen Logo Slider, Wordpress | 2026-05-07 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WEN Themes WEN Logo Slider allows DOM-Based XSS. This issue affects WEN Logo Slider: from n/a through 3.4.0. | ||||
| CVE-2026-3953 | 1 Gosoft Software | 1 Proticaret E-commerce | 2026-05-07 | 8.8 High |
| Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Gosoft Software Industry and Trade Ltd. Co. Proticaret E-Commerce allows Cross-Site Scripting (XSS), Reflected XSS. This issue affects Proticaret E-Commerce: from v5.0.0 before V 6.0.1767.1383. | ||||