CVE Daily
← All tags

Tag: Cross-site Scripting (XSS)

All CVEs associated with "Cross-site Scripting (XSS)". Page 22/397 • 47635 CVEs.

Subscribe CVEs: RSS for “Cross-site Scripting (XSS)”  ·  RSS (High+Critical only)

About “Cross-site Scripting (XSS)”

A curated feed of “Cross-site Scripting (XSS)”-related CVEs appears below. We currently track 47635 CVEs for this tag (all time). In the last 365 days, 7582 were published. Average CVSS is 5.6 (all time; 5.9 over 365d), and 11% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-352 - Cross-Site Request Forgery (CSRF), CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS).

In our taxonomy this topic maps to a MODERATE impact class. Common exploitation patterns for this weakness can lead to moderate. Use the filters to triage high risk first and validate exposure in your environment. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2026-02-02
High

CVE-2025-15396

The Library Viewer WordPress plugin before 3.2.0 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used…

CVSS: 7.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Critical

CVE-2026-25200

A vulnerability in MagicInfo9 Server allows authorized users to upload HTML files without authentication, leading to Stored XSS, which can result in account takeover This issue affects MagicINFO 9…

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Low

CVE-2026-1744

A vulnerability was found in D-Link DSL-6641K N8.TR069.20131126. Affected by this issue is the function doSubmitPPP of the file sp_pppoe_user.js. The manipulation of the argument Username results in…

CVSS: 2.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2026-02-01
Medium

CVE-2023-54343

QWE DL 2.0.1 mobile web application contains a persistent input validation vulnerability allowing remote attackers to inject malicious script code through path parameter manipulation. Attackers can e…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2022-50952

Banco Guayaquil 8.0.0 mobile iOS application contains a persistent cross-site scripting vulnerability in the TextBox Name Profile input. Attackers can inject malicious script code through a POST requ…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2022-50951

WiFi File Transfer 1.0.8 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through file and folder names. Attackers can exploit th…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2022-50942

Incinga Web 2.8.2 contains a client-side cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through the icinga.min.js file. Attackers can exploit the Eve…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2022-50940

Knap Advanced PHP Login 3.1.3 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious script code in the name parameter. Attackers can exploit the vu…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2022-50797

Stripe Green Downloads Wordpress Plugin 2.03 contains a persistent cross-site scripting vulnerability allowing remote attackers to inject malicious scripts in button label fields. Attackers can explo…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2021-47920

WebMO Job Manager 20.0 contains a cross-site scripting vulnerability in search parameters that allows remote attackers to inject malicious script code. Attackers can exploit the filterSearch and filt…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2021-47919

Simple CMS 2.1 contains a non-persistent cross-site scripting vulnerability in the preview.php file's id parameter. Attackers can inject malicious script code through a GET request to execute arbitra…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2021-47917

Simple CMS 2.1 contains a persistent cross-site scripting vulnerability in user input parameters that allows remote attackers to inject malicious script code. Attackers can exploit the newUser and ed…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2021-47914

PHP Melody version 3.0 contains a persistent cross-site scripting vulnerability in the edit-video.php submitted parameter that allows remote attackers to inject malicious script code. Attackers can e…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2021-47913

PHP Melody 3.0 contains a persistent cross-site scripting vulnerability in the video editor that allows privileged users to inject malicious scripts. Attackers can exploit the WYSIWYG editor to execu…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2021-47912

PHP Melody version 3.0 contains multiple non-persistent cross-site scripting vulnerabilities in categories, import, and user import files. Attackers can inject malicious scripts through unvalidated p…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2021-47911

Affiliate Pro 1.7 contains multiple reflected cross-site scripting vulnerabilities in the index module's input fields. Attackers can inject malicious scripts through fullname, username, and email par…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2021-47908

Ultimate POS 4.4 contains a persistent cross-site scripting vulnerability in the product name parameter that allows remote attackers to inject malicious scripts. Attackers can exploit the vulnerabili…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2021-47885

Multiple payment terminal versions contain non-persistent cross-site scripting vulnerabilities in billing and payment information input fields. Attackers can inject malicious script code through vuln…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2021-47856

Easy Cart Shopping Cart 2021 contains a non-persistent cross-site scripting vulnerability in the search module's keyword parameter. Remote attackers can inject malicious script code through the searc…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2026-01-31
High

CVE-2025-14554

The Sell BTC - Cryptocurrency Selling Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'orderform_data' AJAX action in all versions up to, and including, 1.5 due t…

CVSS: 7.2 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2026-01-30
High

CVE-2026-25156

HotCRP is conference review software. HotCRP versions from October 2025 through January 2026 delivered documents of all types with inline Content-Disposition, causing them to be rendered in the user’…

CVSS: 7.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2020-37044

OpenCTI 3.3.1 is vulnerable to a reflected cross-site scripting (XSS) attack via the /graphql endpoint. An attacker can inject arbitrary JavaScript code by sending a crafted GET request with a malici…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Low

CVE-2026-1705

A vulnerability was detected in D-Link DSL-6641K N8.TR069.20131126. Affected by this issue is the function ad_virtual_server_vdsl of the component Web Interface. Performing a manipulation of the argu…

CVSS: 2.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Low

CVE-2026-1700

A weakness has been identified in projectworlds House Rental and Property Listing 1.0. This vulnerability affects unknown code of the file /app/sms.php. This manipulation of the argument Message caus…

CVSS: 3.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2020-37022

OpenZ ERP 3.6.60 contains a persistent cross-site scripting vulnerability in the Employee module's name and description parameters. Attackers can inject malicious scripts through POST requests to , e…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2020-37019

Orchard Core RC1 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious scripts through blog post creation. Attackers can create blog posts with emb…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2020-37014

Tryton 5.4 contains a persistent cross-site scripting vulnerability in the user profile name input that allows remote attackers to inject malicious scripts. Attackers can exploit the vulnerability by…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2020-37003

Sellacious eCommerce 4.6 contains a persistent cross-site scripting vulnerability in the Manage Your Addresses module that allows attackers to inject malicious scripts. Attackers can exploit multiple…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2020-36998

Forma.lms The E-Learning Suite 2.3.0.2 contains a persistent cross-site scripting vulnerability in multiple course and profile parameters. Attackers can inject malicious scripts in course code, name,…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2020-36996

PHPFusion 9.03.50 contains a persistent cross-site scripting vulnerability in the print.php page that fails to properly sanitize user-submitted message content. Attackers can inject malicious JavaScr…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2020-36966

Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows attackers to inject malicious scripts through multiple parameters. Attackers can…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2026-24855

ChurchCRM is an open-source church management system. Versions prior to 6.7.2 have a Stored Cross-Site Scripting (XSS) vulnerability occurs in Create Events in Church Calendar. Users with low privile…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-9226

Zohocorp ManageEngine OpManager, NetFlow Analyzer, and OpUtils versions prior to 128582 are affected by a stored cross-site scripting vulnerability in the Subnet Details.

CVSS: 4.6 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2026-01-29
Medium

CVE-2025-15549

FluentCMS 2026 contains a stored cross-site scripting vulnerability that allows authenticated administrators to upload SVG files with embedded JavaScript via the File Management module. Attackers can…

CVSS: 4.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-69749

Cross Site Scripting vulnerability in tale v.2.0.5 allows an attacker to execute arbitrary code.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Low

CVE-2026-1598

A vulnerability was found in Bdtask Bhojon All-In-One Restaurant Management System up to 20260116. Impacted is an unknown function of the file /dashboard/home/profile of the component User Informatio…

CVSS: 3.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2025-7713

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Global Interactive Design Media Software Inc. Content Management System (CMS) allows XSS T…

CVSS: 7.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2020-37018

GOautodial 4.0 contains a persistent cross-site scripting vulnerability that allows authenticated agents to inject malicious scripts through message subjects. Attackers can craft messages with embedd…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2026-1469

Stored Cross-Site Scripting (XSS) in RLE NOVA's PlanManager. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by injecting malicious payload through the ‘comme…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2026-01-28
Critical

CVE-2026-24769

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a stored cross-site scripting (XSS) vulnerability exists in NocoDB’s attachment handling mechanism. Authenticated…

CVSS: 9.0 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-13984

Permissive Cross-domain Security Policy with Untrusted Domains vulnerability in Drupal Next.Js allows Cross-Site Scripting (XSS).This issue affects Next.Js: from 0.0.0 before 1.6.4, from 2.0.0 before…

CVSS: 6.1 CWE: CWE-942 - Permissive Cross-domain Security Policy with Untrusted Domains View on NVD
Medium

CVE-2025-13983

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).This issue affects Tagify: from 0.0.0 before 1.2.…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-13981

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI (Artificial Intelligence) allows Cross-Site Scripting (XSS).This issue affects AI (Arti…

CVSS: 4.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-13979

Privilege Defined With Unsafe Actions vulnerability in Drupal Mini site allows Stored XSS.This issue affects Mini site: from 0.0.0 before 3.0.2.

CVSS: 5.4 CWE: CWE-267 - Privilege Defined With Unsafe Actions View on NVD
Medium

CVE-2026-0749

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Form Builder allows Cross-Site Scripting (XSS).This issue affects Drupal: from 7.X-1.0 thr…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-70336

A Stored cross-site scripting (XSS) vulnerability in 'Create New Live Item' in PodcastGenerator 3.2.9 allows remote attackers to inject arbitrary script or HTML via the 'TITLE', 'SHORT DESCRIPTION' a…

CVSS: 4.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Low

CVE-2026-1520

A vulnerability was identified in rethinkdb up to 2.4.3. Affected by this issue is some unknown functionality of the component Secondary Index Handler. Such manipulation leads to cross site scripting…

CVSS: 2.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-14865

The Passster – Password Protect Pages and Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'content_protector' shortcode in all versions up to, and including…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2020-36993

LimeSurvey 4.3.10 contains a stored cross-site scripting vulnerability in the Survey Menu functionality of the administration panel. Attackers can inject malicious SVG scripts through the Surveymenu[…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2020-36988

PDW File Browser version 1.3 contains stored and reflected cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts through file rename and path parameters.…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2026-1399

The WP Google Ad Manager Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.0 due to insufficient input sanitization…

CVSS: 4.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2026-1391

The Vzaar Media Management plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on…

CVSS: 5.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2026-0483

Stored Cross-Site Scripting (XSS) vulnerability in the PDF file upload functionality of Live Helper Chat, versions prior to 4.72. An attacker can upload a malicious PDF file containing an XSS payload…

CVSS: 6.9 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2025-59901

Disk Pulse Enterprise v10.4.18 has an authenticated reflected XSS vulnerability in the '/monitor_directory?sid=' endpoint, caused by insufficient validation of the 'monitor_directory' parameter sent…

CVSS: 8.5 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
Medium

CVE-2025-59900

Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an a…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-59899

Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an a…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-59898

Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an a…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-59897

Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an a…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-59896

Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an a…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-14283

The BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the BlockArt Cou…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-14063

The SEO Links Interlinking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'google_error' parameter in all versions up to, and including, 1.7.9.9.1 due to insufficient in…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2026-1381

The Order Minimum/Maximum Amount Limits for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 4.6.8 due to insufficient…

CVSS: 4.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2026-1053

The Ivory Search – WordPress Search Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.5.13 due to insufficient input…

CVSS: 4.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2026-1466

Jirafeau normally prevents browser preview for text files due to the possibility that for example SVG and HTML documents could be exploited for cross site scripting. This was done by storing the MIME…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2026-1295

The Buy Now Plus – Buy Now buttons for Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buynowplus' shortcode in all versions up to, and including, 1.0.2 due to insuf…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2026-1244

The Forms Bridge – Infinite integrations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute in the 'financoop_campaign' shortcode in all versions up to…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-9082

The WPBITS Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widget parameters in versions up to, and including, 1.8 due to insufficient input saniti…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-14039

The Simple Folio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_simple_folio_item_client_name' and '_simple_folio_item_link' meta fields in all versions up to, and includ…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-12709

The Interactions – Create Interactive Experiences in the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via event selectors in all versions up to, and including, 1.3.1…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2026-1083

The Appointment Hour Booking – Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form field configuration parameters in all versions up to, and including, 1.5.60…

CVSS: 4.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-8072

The Target Video Easy Publish plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘placeholder_img’ parameter in all versions up to, and including, 3.8.8 due to insufficient inp…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2026-01-27
Medium

CVE-2026-24771

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, a Cross-Site Scripting (XSS) vulnerability exists in the `ErrorBoundary` component of th…

CVSS: 4.7 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2020-36978

Froxlor Server Management Panel 0.10.16 contains a persistent cross-site scripting vulnerability in customer registration input fields. Attackers can inject malicious scripts through username, name,…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2026-24348

Multiple cross-site scripting vulnerabilities in Admin UI of EZCast Pro II version 1.17478.146 allow attackers to execute arbitrary JavaScript code in the browser of other Admin UI users.

CVSS: 6.1 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2026-24824

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in yacy yacy_search_server (source/net/yacy/http/servlets modules). This vulnerability is ass…

CVSS: 6.9 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2026-24490

MobSF is a mobile application security testing tool used. Prior to version 4.4.5, a Stored Cross-site Scripting (XSS) vulnerability in MobSF's Android manifest analysis allows an attacker to execute…

CVSS: 8.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2026-01-26
Medium

CVE-2026-24476

Shaarli is a personal bookmarking service. Prior to version 0.16.0, crafting a malicious tag which starting with `"` prematurely ends the `<input>` tag on the start page and allows an attacker to add…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Low

CVE-2026-1444

A vulnerability has been found in iJason-Liu Books_Manager up to 298ba736387ca37810466349af13a0fdf828e99c. This affects an unknown part of the file controllers/books_center/add_book_check.php. Such m…

CVSS: 2.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-11687

A flaw was found in the gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page — enabling DOM access, session cookie theft and other client-side attacks — via…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-70368

Worklenz version 2.1.5 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Project Updates feature. An attacker can submit a malicious payload in the Updates text field which is then re…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2026-24433

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain a stored cross-site scripting vulnerability in the user creation functionality. Insufficient input validation al…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2026-1446

There is a Cross‑Site Scripting (XSS) issue in Esri ArcGIS Pro versions 3.6.0 and earlier. ArcGIS Pro is a desktop application, and exploitation is limited to local users interacting with the applica…

CVSS: 5.0 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2020-36960

Forma LMS 2.3 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into user profile first and last name fields. Attackers can craft scripts like '<s…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2020-36956

Openfire 4.6.0 contains a stored cross-site scripting vulnerability in the nodejs plugin that allows attackers to inject malicious scripts through the 'path' parameter. Attackers can craft a payload…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2020-36955

Grav CMS 1.6.30 with Admin Plugin 1.9.18 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the page title field. Attacke…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2020-36954

Xeroneit Library Management System 3.1 contains a stored cross-site scripting vulnerability in the Book Category feature that allows administrators to inject malicious scripts. Attackers can insert a…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2026-1429

Single Sign-On Portal System developed by WellChoose has a Reflected Cross-site Scripting vulnerability, allowing authenticated remote attackers to execute arbitrary JavaScript codes in user's browse…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2025-14316

The AhaChat Messenger Marketing WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be…

CVSS: 7.1 CWE: N/A View on NVD
Low

CVE-2026-1421

A vulnerability has been found in code-projects Online Examination System 1.0. Affected is an unknown function of the component Add Pages. Such manipulation leads to cross site scripting. The attack…

CVSS: 3.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2026-01-25
Medium

CVE-2020-36932

SeaCMS 11.1 contains a stored cross-site scripting vulnerability in the checkuser parameter of the admin settings page. Attackers can inject malicious JavaScript payloads that will execute in users'…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2020-36931

Click2Magic 1.1.5 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts in the chat name input. Attackers can craft a malicious payload in the chat na…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2026-01-24
Medium

CVE-2026-0862

The Save as PDF Plugin by PDFCrowd plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘options’ parameter in all versions up to, and including, 4.5.5 due to insufficient inp…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2026-1302

The Meta-box GalleryMeta plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.1 due to insufficient input sanitization and ou…

CVSS: 4.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2026-1300

The Responsive Header plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple plugin settings parameters in all versions up to, and including, 1.0 due to insufficient input san…

CVSS: 4.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2026-1266

The Postalicious plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output esc…

CVSS: 4.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2026-1191

The JavaScript Notifier plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 1.2.8. This is due to insufficient input sanitizati…

CVSS: 4.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2026-1189

The LeadBI Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_id' parameter of the 'leadbi_form' shortcode in all versions up to, and including, 1.7…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2026-1127

The Timeline Event History plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `id` parameter in all versions up to, and including, 3.2 due to insufficient input sanitization…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2026-1098

The CM CSS Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' shortcode attribute in all versions up to, and including, 1.2.1 due to insufficient input sanitizati…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2026-0800

The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom fields in all versions up to, and including…

CVSS: 7.2 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2026-1099

The Administrative Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'login' and 'logout' shortcode attributes in all versions up to, and including, 0.3.4 due to in…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2026-1097

The ThemeRuby Multi Authors – Assign Multiple Writers to Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before' and 'after' shortcode attributes in all versions up t…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2026-1095

The Canto Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fx' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitizat…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2026-1084

The Cookie consent for developers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple settings fields in all versions up to, and including, 1.7.1 due to insufficient input…

CVSS: 4.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-14985

The Alpha Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘alpha_block_css’ parameter in all versions up to, and including, 1.5.0 due to insufficient input sanitizati…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-14941

The GZSEO plugin for WordPress is vulnerable to authorization bypass leading to Stored Cross-Site Scripting in all versions up to, and including, 2.0.11. This is due to missing capability checks on m…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-14797

The Same Category Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget title placeholder functionality in all versions up to, and including, 1.1.19. This is due to t…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-13676

The JustClick registration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output es…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-12836

The VK Google Job Posting Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Job Description field in versions up to, and including, 1.2.23 due to insufficient input sa…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2026-24128

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, and 17.5.0-rc-1 through…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2026-01-23
Medium

CVE-2026-24127

Typemill is a flat-file, Markdown-based CMS designed for informational documentation websites. A reflected Cross-Site Scripting (XSS) exists in the login error view template `login.twig` of versions…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-70458

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the DomainCheckerApp class within domain/script.js of Sourcecodester Domain Availability Checker v1.0. The vulnerability occurs because…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-71177

LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or J…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-67231

A reflected cross-site scripting (XSS) vulnerability in ToDesktop Builder v0.33.1 allows attackers to execute arbitrary code in the context of a user's browser via a crafted payload.

CVSS: 5.9 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2021-47906

BloofoxCMS 0.5.2.1 contains a stored cross-site scripting vulnerability in the articles text parameter that allows authenticated attackers to inject malicious scripts. Attackers can insert malicious…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2021-47905

MyBB Delete Account Plugin 1.4 contains a cross-site scripting vulnerability in the account deletion reason input field. Attackers can inject malicious scripts that will execute in the admin interfac…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2021-47897

PEEL Shopping 9.3.0 contains a stored cross-site scripting vulnerability in the address parameter of the change_params.php script. Attackers can inject malicious JavaScript payloads that execute when…

CVSS: 7.2 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2021-47892

PEEL Shopping 9.3.0 contains a stored cross-site scripting vulnerability in the 'Comments / Special Instructions' parameter of the purchase page. Attackers can inject malicious JavaScript payloads th…

CVSS: 7.2 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2018-25132

MyBB Trending Widget Plugin 1.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through thread titles. Attackers can modify thread titles with script p…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2018-25116

MyBB Thread Redirect Plugin 0.2.1 contains a cross-site scripting vulnerability in the custom text input field for thread redirects. Attackers can inject malicious SVG scripts that will execute when…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD