Search Results (47215 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-41539 2 Qnap, Qnap Systems Inc. 4 Qts, Quts Hero, Qts and 1 more 2026-06-30 6.1 Medium
A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3500 build 20260520 and later
CVE-2024-11831 1 Redhat 34 Acm, Advanced Cluster Security, Ansible Automation Platform and 31 more 2026-06-29 5.4 Medium
A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.
CVE-2026-57320 2 Realmag777, Wordpress 2 Bear, Wordpress 2026-06-29 7.1 High
Unauthenticated Cross Site Scripting (XSS) in BEAR <= 1.1.8 versions.
CVE-2026-57337 2 Pluginops, Wordpress 2 Landing Page Builder, Wordpress 2026-06-29 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Landing Page Builder <= 1.5.3.5 versions.
CVE-2026-54889 1 Leandrocp 1 Mdex 2026-06-29 N/A
Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in leandrocp mdex allows cross-site scripting via unsanitized URL schemes in Quill Delta output. 'Elixir.MDEx':to_delta/2 converts Markdown into a Quill Delta. 'Elixir.MDEx.DeltaConverter':default_convert_node/3 in lib/mdex/delta_converter.ex copies the URL of a link, wikilink, or image node directly from the parsed Markdown into the Delta "link" or "image" attribute without applying a scheme allowlist or any normalization. An attacker who controls the Markdown text can supply a javascript: URL (for example [click](javascript:alert(document.cookie))) that survives verbatim into the Delta attribute. When the Delta is rendered to HTML by a downstream renderer (such as quill-delta-to-html or the Quill client), the attribute becomes an <a href> or <img src>, and the javascript: scheme executes in the browser of anyone who views the rendered content. The link and wikilink cases are the strongest vectors because javascript: in an href executes on click; the image case is lower impact because javascript: in <img src> generally does not execute in modern browsers. This issue affects mdex: from 0.8.3 before 0.13.2.
CVE-2026-57333 2 Spencer Haws, Wordpress 2 Link Whisper Free, Wordpress 2026-06-29 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Link Whisper Free <= 0.9.4 versions.
CVE-2026-57336 2 Astoundify, Wordpress 2 Jobify, Wordpress 2026-06-29 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Jobify <= 4.3.2 versions.
CVE-2026-57338 2 Reputeinfosystems, Wordpress 2 Arforms, Wordpress 2026-06-29 7.1 High
Unauthenticated Cross Site Scripting (XSS) in ARForms <= 7.1.2 versions.
CVE-2025-68074 2 Ghozylab, Wordpress 2 Image Carousel, Wordpress 2026-06-29 6.5 Medium
Contributor Cross Site Scripting (XSS) in Image Carousel <= 1.0.0.41 versions.
CVE-2025-68075 2 Kerry, Wordpress 2 Bne Testimonials, Wordpress 2026-06-29 6.5 Medium
Contributor Cross Site Scripting (XSS) in BNE Testimonials <= 2.0.8 versions.
CVE-2026-56039 2 Wordpress, Wordpress.com 2 Wordpress, Quick Interest Slider 2026-06-29 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Quick Interest Slider <= 3.1.6 versions.
CVE-2026-56040 2 Wordpress, Wordpress.com 2 Wordpress, Gutenverse Form 2026-06-29 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Gutenverse Form <= 2.4.7 versions.
CVE-2026-56047 2 Perfmatters, Powered Kinsta + Generatepress Docs Changelog Feature Requests Legal Affiliate Contact, Wordpress 2 Perfmatters, Wordpress 2026-06-29 7.1 High
Unauthenticated Cross Site Scripting (XSS) in perfmatters <= 2.6.3 versions.
CVE-2026-57325 2 Jellywp, Wordpress 2 Nanomag, Wordpress 2026-06-29 7.1 High
Unauthenticated Cross Site Scripting (XSS) in NanoMag <= 1.8 versions.
CVE-2026-57618 2 Themeisle, Wordpress 2 Neve Pro, Wordpress 2026-06-29 6.5 Medium
Contributor Cross Site Scripting (XSS) in Neve PRO <= 3.1.2 versions.
CVE-2026-57638 2 Wordpress, Wpmanageninja 2 Wordpress, Fluent Booking 2026-06-29 6.5 Medium
Contributor Cross Site Scripting (XSS) in Fluent Booking <= 2.1.0 versions.
CVE-2026-57651 2 Nk, Wordpress 2 Ghost Kit, Wordpress 2026-06-29 6.5 Medium
Contributor Cross Site Scripting (XSS) in Ghost Kit <= 3.6.0 versions.
CVE-2026-57656 2 Peregrinethemes, Wordpress 2 Hester Core, Wordpress 2026-06-29 5.9 Medium
Author Cross Site Scripting (XSS) in Hester Core <= 1.1.8 versions.
CVE-2026-31928 1 Daktronics 3 Dmp-5000, Dmp-8000, Vfc-dmp-5000 2026-06-29 8.1 High
The DMP-5000 devices are shipped with a default administrative web account with weak authentication controls, which are not required to be changed during initial configuration or operation. Using these accounts provides full system access.
CVE-2026-13335 2 Codepeople, Wordpress 2 Codepeople Post Map For Google Maps, Wordpress 2026-06-29 6.4 Medium
The CodePeople Post Map for Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'cpm_point' Post Meta in all versions up to, and including, 1.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.