Search Results (47191 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-10570 2026-07-08 6.4 Medium
The Sympl Repeater for ACF and Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ACF repeater field values in all versions up to, and including, 2.3. This is due to insufficient input sanitization and output escaping in the symp_arfe_replace_content() function, which uses str_replace() to substitute raw ACF field values (retrieved via get_field()) directly into Elementor-rendered HTML without any escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-31366 1 Fortinet 3 Fortios, Fortiproxy, Fortisase 2026-07-08 4.5 Medium
An Improper Neutralization of Input During Web Page Generation vulnerability [CWE-79] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4 all versions, FortiProxy 7.2 all versions, FortiProxy 7.0 all versions, FortiSASE 25.2.a may allow an unauthenticated attacker to perform a reflected cross site scripting (XSS) via crafted HTTP requests.
CVE-2026-59711 1 Showdownjs 1 Showdown 2026-07-08 6.1 Medium
showdown contains a cross-site scripting vulnerability in metadata title handling that allows attackers to inject arbitrary HTML and JavaScript. When completeHTMLDocument option is enabled, unescaped less-than and greater-than characters in markdown frontmatter metadata are inserted directly into HTML title tags, enabling attackers to break out of the title context and execute malicious scripts in the rendered page.
CVE-2026-14001 1 Google 1 Chrome 2026-07-08 6.1 Medium
Inappropriate implementation in Network in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium)
CVE-2025-8591 1 Wso2 16 Api Control Plane, Api Manager, Identity Server and 13 more 2026-07-08 6.1 Medium
The software accepts user-supplied input via a URL parameter without adequate output encoding before reflecting it back to the user's browser. This condition allows an attacker to inject malicious script content into pages served by the application. By leveraging this weakness, an attacker can cause the user's browser to redirect to a malicious website, modify the UI of the webpage, or retrieve information from the browser. However, the impact is mitigated by the use of httpOnly flags on session-related cookies, preventing session hijacking.
CVE-2026-59710 1 Showdownjs 1 Showdown 2026-07-08 6.1 Medium
showdown contains a stored cross-site scripting vulnerability in the parseHeaders function of src/subParsers/makehtml/tables.js that fails to properly escape table header ID attributes. Attackers can inject arbitrary HTML and script-executing SVG elements through double-quote characters in markdown table headers, achieving stored XSS when untrusted markdown is rendered with the default github flavor configuration.
CVE-2026-37270 2026-07-08 N/A
Trueview Security camera T18161- AF v4.9.60.0 contains an authentication bypass vulnerability caused by improper password validation and the presence of hard-coded credentials in the firmware.
CVE-2026-13957 1 Google 1 Chrome 2026-07-08 4.2 Medium
Incorrect security UI in Extensions in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium)
CVE-2026-14000 1 Google 1 Chrome 2026-07-08 6.1 Medium
Inappropriate implementation in XML in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium)
CVE-2026-14145 1 Google 1 Chrome 2026-07-08 6.1 Medium
Inappropriate implementation in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)
CVE-2026-14147 1 Google 1 Chrome 2026-07-08 6.1 Medium
Inappropriate implementation in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)
CVE-2026-55437 1 Coder 1 Coder 2026-07-08 5.4 Medium
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, the `AgentLogLine` dashboard component instantiated `ansi-to-html` without `escapeXML: true` and inserted the result via `dangerouslySetInnerHTML` so HTML embedded in workspace agent log lines was rendered as live markup. Server-side sanitization did not neutralize HTML metacharacters. Exploitation requires a victim to view attacker-controlled agent logs in the dashboard. The fix in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 enables `escapeXML: true` so HTML metacharacters are escaped before DOM insertion. No known workarounds are available.
CVE-2025-12799 1 Redhat 3 Jboss Enterprise Application Platform, Jbosseapxp, Red Hat Single Sign On 2026-07-08 6.5 Medium
A flaw was found in Jastow. Jastow is vulnerable to Cross-Site Scripting (XSS) attack. If using a set of combined configuration to allow unescaped characters in URL with embedded Undertow and Jastow, a server might be vulnerable to improper input handling.
CVE-2026-48951 2026-07-07 N/A
Lack of escaping leads to XSS vulnerabilities in modalreturn layouts of various components.
CVE-2026-48953 2026-07-07 N/A
Lack of escaping leads to an XSS vulnerability in the generic image output layout.
CVE-2026-48949 2026-07-07 N/A
Lack of validation leads to an XSS vulnerability in the MFA management views.
CVE-2026-48954 2026-07-07 N/A
Improper validation leads to a generic XSS vector in the language override feature.
CVE-2026-48950 2026-07-07 N/A
Lack of escaping leads to an XSS vulnerability in the file management view of com_templates.
CVE-2026-48952 2026-07-07 N/A
Lack of escaping leads to an XSS vulnerability in the update list view of com_installer.
CVE-2026-13374 1 Watchguard 1 Fireware Os 2026-07-07 N/A
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (ConnectWise Technology Integration module) allows Stored XSS. This vulnerability is an additional unmitigated attack path for CVE-2025-13937. This issue affects Fireware OS 12.4 up to and including 12.12, 12.5 up to and including 12.5.18, and 2025.1 up to and including 2026.2.