Export limit exceeded: 47215 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (47215 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-57329 2 Woocommerce Designer Pro, Wordpress 2 Woocommerce Designer Pro, Wordpress 2026-07-01 6.5 Medium
Subscriber Cross Site Scripting (XSS) in WooCommerce Designer Pro <= 1.9.34 versions.
CVE-2026-57326 2 Strategy11team, Wordpress 2 Business Directory Plugin, Wordpress 2026-07-01 6.5 Medium
Unauthenticated Cross Site Scripting (XSS) in Business Directory <= 6.4.22 versions.
CVE-2026-57328 2 Strategy11team, Wordpress 2 Business Directory Plugin, Wordpress 2026-07-01 6.5 Medium
Subscriber Cross Site Scripting (XSS) in Business Directory <= 6.4.22 versions.
CVE-2026-57330 2 Stylemixthemes, Wordpress 2 Masterstudy Lms, Wordpress 2026-07-01 6.5 Medium
Subscriber Cross Site Scripting (XSS) in MasterStudy LMS <= 3.7.27 versions.
CVE-2026-57958 1 Inovector 1 Mixpost 2026-07-01 6.1 Medium
Mixpost through 2.6.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in authenticated users' browsers by crafting malicious OAuth callback URLs with unsanitized error query parameters. Attackers can exploit the OAuth callback controller's failure to sanitize error parameters before rendering them through Laravel flash messages via the Vue v-html directive to hijack authenticated user sessions or perform unauthorized actions.
CVE-2026-12114 2 Wordpress, Wpmart 2 Wordpress, Team Members – Multi Language Supported Team Plugin 2026-07-01 4.4 Medium
The Team Members – Multi Language Supported Team Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 8.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVE-2026-6953 1 Intermark It 1 Webcontrol Cms 2026-07-01 N/A
HTML injection vulnerability in Intermark IT's WebControl CMS v3.5. This vulnerability allows an attacker to send an email containing malicious HTML code to a victim via the contact form. To exploit this vulnerability, the attacker must send a request using the 'nombreApellidos', 'dirección ', and 'comentarios ' parameters to '/processContact.do'.
CVE-2026-6954 1 Intermark It 1 Webcontrol Cms 2026-07-01 N/A
Cross-Site Scripting (XSS) vulnerability in Intermark IT's WebControl CMS v3.5. This vulnerability allows an attacker to execute JavaScript code or inject a dynamic iframe into the victim’s browser by sending a malicious URL via the 'urlDestino' parameter in '/portal.do'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, display phishing interfaces, or perform actions on the user’s behalf.
CVE-2026-8141 2 Connekt Media, Wordpress 2 Ajax Load More - Filters, Wordpress 2026-07-01 7.2 High
The Ajax Load More - Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'taxonomy_include_children' parameter in all versions up to, and including, 3.4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-52760 1 Apache 2 Activemq, Activemq Web Console 2026-07-01 6.1 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache ActiveMQ, Apache ActiveMQ Web Console. The browse page in the web console renders a message Id directly without sanitization. This allows an authenticated producer to send a message with a JMS message ID that has been crafted to contain HTML/JavaScript such that when an administrator browses the queue in the Web Console, the payload executes in their browser. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Web Console: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.
CVE-2026-8403 1 Eksagate 1 Sysguard 6001 2026-07-01 6.1 Medium
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Eksagate Electronic Engineering and Computer Industry Trade Inc. SYSGUARD 6001 allows Stored XSS. This issue affects SYSGUARD 6001: from 2.0.2 before 6.1.4.0.  NOTE: The vendor was contacted and it was learned that the product is not supported.
CVE-2026-11581 2 Wordpress, Wpchill 2 Wordpress, Kali Forms — Contact Form & Drag-and-drop Builder 2026-07-01 5.9 Medium
The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.13 does not sanitise a form field's caption before outputting it as a column header on the administrator form-entries screen, allowing users with Contributor-level access or above to store JavaScript that executes in an administrator's session. A missing capability check in the Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.13's post-duplication action additionally lets the Contributor publish the malicious form so an administrator renders it.
CVE-2026-11589 2 Wordpress, Wpsupportplus 2 Wordpress, Wp Support Plus Responsive Ticket System 2026-07-01 8.8 High
The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 does not properly validate uploaded files, allowing unauthenticated users to upload files containing malicious JavaScript (such as HTML or SVG) to a publicly accessible location, leading to Stored Cross-Site Scripting attacks against site users and administrators.
CVE-2026-13554 1 Itsourcecode 1 Online Hotel Management System 2026-06-30 4.3 Medium
A vulnerability has been found in itsourcecode Online Hotel Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/mod_amenities/controller.php?action=add of the component POST Request Handler. The manipulation of the argument Name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2026-13504 1 Code-projects 1 Project Management System 2026-06-30 3.5 Low
A vulnerability has been found in code-projects Project Management System 1.0. This vulnerability affects unknown code of the file /mail.php of the component Mail Compose Page. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.
CVE-2026-13536 1 Gotohttp 1 Gotohttp 2026-06-30 4.3 Medium
A vulnerability has been found in GotoHTTP up to 10.2. This issue affects some unknown processing of the file /reg.12x. The manipulation of the argument sn leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor explains: "We immediately removed unnecessary parameter echo from source code. However the URL in the issue description will never be used in browser nor exposed to user, so it will not bring secure problem in fact. So we don't upgrade server right now, it will be included in next version together with other features."
CVE-2026-43735 1 Apple 3 Ios And Ipados, Macos, Safari 2026-06-30 8.1 High
The issue was addressed with improved checks. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. A malicious website may exfiltrate data cross-origin.
CVE-2026-3644 1 Python 2 Cpython, Python 2026-06-30 7.5 High
The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().
CVE-2026-50229 1 Apache 1 Tomcat 2026-06-30 6.1 Medium
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in the number guess example for Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.
CVE-2026-8896 2 Mirsoftware, Wordpress 2 Mir Blocks And Shortcodes, Wordpress 2026-06-30 6.4 Medium
The MIR blocks and shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute (and other attributes such as 'ready_animation_text') of the 'msc_stats' shortcode in versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied shortcode attributes inside the msc_stats() rendering function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.