Export limit exceeded: 47242 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (47242 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-53662 | 1 Immich-app | 1 Immich | 2026-06-23 | 9.6 Critical |
| immich is a high performance self-hosted photo and video management solution. From commit 4ffa26c9 until 4eb1003, a reflected cross-site scripting (XSS) vulnerability on the /auth/login page allows an attacker to fully compromise any authenticated user's account with a single link click. The continue query parameter is read from the URL and passed to SvelteKit's redirect() without any scheme or origin validation, allowing attacker-controlled JavaScript to execute inside Immich's origin. The payload then uses the victim's existing session to mint an all-permission API key on their account, leading to persistent account takeover. This vulnerability is fixed in commit 4eb1003. | ||||
| CVE-2016-20084 | 2 Dwbooster, Wordpress | 2 Booking Calendar Contact, Wordpress | 2026-06-23 | 7.2 High |
| WordPress appointment-booking-calendar 1.1.24 contains multiple privilege escalation vulnerabilities that allow unauthenticated attackers to modify calendar settings and inject persistent cross-site scripting payloads through the admin.php page parameters. Attackers can inject malicious JavaScript into the 'ict' and 'ics' options or the calendar 'name' parameter via GET requests to execute arbitrary scripts when the calendar is displayed or accessed in the administration interface. | ||||
| CVE-2026-5233 | 1 Mia Technology | 1 Pizzy Library | 2026-06-23 | 7.1 High |
| Improper Control of Interaction Frequency vulnerability in MIA Technology Inc. Pizzy Library allows Flooding. This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250. | ||||
| CVE-2025-15658 | 2 Rewish, Wordpress | 2 Wp Emmet, Wordpress | 2026-06-23 | 5.9 Medium |
| Administrator Cross Site Scripting (XSS) in WP Emmet <= 0.3.4 versions. | ||||
| CVE-2025-15659 | 2 Liseperu, Wordpress | 2 Elizaibots, Wordpress | 2026-06-23 | 6.5 Medium |
| Contributor Cross Site Scripting (XSS) in Elizaibots <= 1.0.2 versions. | ||||
| CVE-2026-49294 | 1 Valhalla | 1 Valhalla | 2026-06-23 | 6.1 Medium |
| Valhalla is an open source routing engine and accompanying libraries for use with OpenStreetMap data. Versions 3.6.3 and prior are vulnerable to reflected cross-site scripting (XSS) due to improper neutralization of input in the JSONP callback parameter. When a request specifies a JSONP callback, the value is reflected directly into the HTTP response body with Content-Type: application/javascript, without any validation, output encoding, or allowlist filtering. An attacker can craft a URL containing arbitrary JavaScript in the callback parameter; if a victim is induced to load that URL via a <script src="..."> tag, the injected script executes in the context of the serving origin, potentially leading to session token theft, credential disclosure, or actions performed on behalf of the victim. This issue was not fixed at time of publication. | ||||
| CVE-2025-68840 | 2 Markbeljaars, Wordpress | 2 Irobots.txt Seo, Wordpress | 2026-06-23 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in iRobots.txt SEO <= 1.1.2 versions. | ||||
| CVE-2025-68851 | 2 Arrayhq, Wordpress | 2 Okay Toolkit, Wordpress | 2026-06-23 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Okay Toolkit <= 2.3 versions. | ||||
| CVE-2025-68872 | 2 Eli, Wordpress | 2 Eli's Wordcents Adsense Widget With Analytics, Wordpress | 2026-06-23 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Eli's WordCents adSense Widget with Analytics <= 1.3.03.27 versions. | ||||
| CVE-2026-39507 | 2 Themeisle, Wordpress | 2 Social Slider Feed, Wordpress | 2026-06-23 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Social Slider Feed <= 2.3.2 versions. | ||||
| CVE-2026-39540 | 2 Amit Mittal, Wordpress | 2 Shipment Tracker For Woocommerce, Wordpress | 2026-06-23 | 6.5 Medium |
| Subscriber Cross Site Scripting (XSS) in Shipment Tracker for Woocommerce <= 1.5.3.2 versions. | ||||
| CVE-2026-42649 | 2 Archetyped, Wordpress | 2 Favicon Rotator, Wordpress | 2026-06-23 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Favicon Rotator <= 1.2.11 versions. | ||||
| CVE-2026-42650 | 2 Ruben Garcia, Wordpress | 2 Automatorwp, Wordpress | 2026-06-23 | 7.2 High |
| Unauthenticated Cross Site Scripting (XSS) in AutomatorWP <= 5.6.7 versions. | ||||
| CVE-2026-42656 | 2 Wasiliy Strecker, Wordpress | 2 Contest Gallery, Wordpress | 2026-06-23 | 6.5 Medium |
| Subscriber Cross Site Scripting (XSS) in Contest Gallery <= 28.1.6 versions. | ||||
| CVE-2026-48871 | 2 Takashi Kitajima, Wordpress | 2 Mw Wp Form, Wordpress | 2026-06-23 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in MW WP Form <= 5.1.3 versions. | ||||
| CVE-2026-48876 | 2 Web Guy, Wordpress | 2 Stop Spammers, Wordpress | 2026-06-23 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Stop Spammers <= 2026.3 versions. | ||||
| CVE-2026-48966 | 2 Funnelkit, Wordpress | 2 Funnel Builder By Funnelkit, Wordpress | 2026-06-23 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Funnel Builder by FunnelKit <= 3.15.0.2 versions. | ||||
| CVE-2026-52702 | 2 Wordpress, Wp-buy | 2 Wordpress, Seo Redirection | 2026-06-23 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in SEO Redirection <= 9.17 versions. | ||||
| CVE-2026-48157 | 1 Slimphp | 1 Slim | 2026-06-23 | 6.1 Medium |
| Slim is a PHP micro framework that enables users to write simple web applications and APIs. In versions 4.4.0 through 4.15, if an application uses HttpException::setTitle() and/or setDescription() to include untrusted/request-derived data in the error title or description (e.g. "No products found matching '{$query}'."), an attacker could inject arbitrary HTML/JavaScript that executes in the victim's browser when they encounter an HTML error page generated by Slim. The vulnerability is present even with displayErrorDetails = false as the unescaped title and description are rendered on this error path. Built-in exceptions (HttpNotFoundException, HttpBadRequestException, etc.) ship plain-text defaults, so a vanilla Slim app with no user code is not exploitable. Only applications that feed untrusted data into setTitle() and/or setDescription() are affected. The issue has been fixed in 4.15.2. If developers are unable to immediately update their applications, they can work around this issue by avoiding passing untrusted/request-derived data into HttpException::setTitle() and setDescription() and using static, plain-text error copy instead. They should also register a custom error renderer (an ErrorRendererInterface implementation, or a subclass of HtmlErrorRenderer that escapes the title and description) for the HTML media type. | ||||
| CVE-2026-10093 | 2 Deepakkite, Wordpress | 2 Secure Client Portal And Private File Sharing Plugin – User Private Files, Wordpress | 2026-06-23 | 6.4 Medium |
| The File Sharing & Download Manager – User Private Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fldr_ttl' parameter in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||