Export limit exceeded: 47193 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (47193 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-14000 | 1 Google | 1 Chrome | 2026-07-08 | 6.1 Medium |
| Inappropriate implementation in XML in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2026-14145 | 1 Google | 1 Chrome | 2026-07-08 | 6.1 Medium |
| Inappropriate implementation in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2026-14147 | 1 Google | 1 Chrome | 2026-07-08 | 6.1 Medium |
| Inappropriate implementation in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2026-55437 | 1 Coder | 1 Coder | 2026-07-08 | 5.4 Medium |
| Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, the `AgentLogLine` dashboard component instantiated `ansi-to-html` without `escapeXML: true` and inserted the result via `dangerouslySetInnerHTML` so HTML embedded in workspace agent log lines was rendered as live markup. Server-side sanitization did not neutralize HTML metacharacters. Exploitation requires a victim to view attacker-controlled agent logs in the dashboard. The fix in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 enables `escapeXML: true` so HTML metacharacters are escaped before DOM insertion. No known workarounds are available. | ||||
| CVE-2025-12799 | 1 Redhat | 3 Jboss Enterprise Application Platform, Jbosseapxp, Red Hat Single Sign On | 2026-07-08 | 6.5 Medium |
| A flaw was found in Jastow. Jastow is vulnerable to Cross-Site Scripting (XSS) attack. If using a set of combined configuration to allow unescaped characters in URL with embedded Undertow and Jastow, a server might be vulnerable to improper input handling. | ||||
| CVE-2026-48951 | 2026-07-07 | N/A | ||
| Lack of escaping leads to XSS vulnerabilities in modalreturn layouts of various components. | ||||
| CVE-2026-48953 | 2026-07-07 | N/A | ||
| Lack of escaping leads to an XSS vulnerability in the generic image output layout. | ||||
| CVE-2026-48949 | 2026-07-07 | N/A | ||
| Lack of validation leads to an XSS vulnerability in the MFA management views. | ||||
| CVE-2026-48954 | 2026-07-07 | N/A | ||
| Improper validation leads to a generic XSS vector in the language override feature. | ||||
| CVE-2026-48950 | 2026-07-07 | N/A | ||
| Lack of escaping leads to an XSS vulnerability in the file management view of com_templates. | ||||
| CVE-2026-48952 | 2026-07-07 | N/A | ||
| Lack of escaping leads to an XSS vulnerability in the update list view of com_installer. | ||||
| CVE-2026-13374 | 1 Watchguard | 1 Fireware Os | 2026-07-07 | N/A |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (ConnectWise Technology Integration module) allows Stored XSS. This vulnerability is an additional unmitigated attack path for CVE-2025-13937. This issue affects Fireware OS 12.4 up to and including 12.12, 12.5 up to and including 12.5.18, and 2025.1 up to and including 2026.2. | ||||
| CVE-2026-13375 | 1 Watchguard | 1 Fireware Os | 2026-07-07 | N/A |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (Autotask Technology Integration module) allows Stored XSS. This vulnerability is an additional unmitigated attack path for CVE-2025-13938. This issue affects Fireware OS 12.4 up to and including 12.12, 12.5 up to and including 12.5.18, and 2025.1 up to and including 2026.2. | ||||
| CVE-2026-12731 | 2 Wedevs, Wordpress | 2 Wedocs: Ai Powered Knowledge Base, Docs, Documentation, Wiki & Ai Chatbot, Wordpress | 2026-07-07 | 6.4 Medium |
| The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'sectionTitleTag' and 'articleTitleTag' Block Attributes in all versions up to, and including, 2.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-13040 | 2026-07-07 | 7.2 High | ||
| The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'real_val__' parameter in all versions up to, and including, 9.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The submission endpoint is registered via wp_ajax_nopriv_submit_nex_form with no nonce verification, making it fully accessible to unauthenticated attackers without any CSRF token. | ||||
| CVE-2026-28737 | 1 Gitea | 1 Gitea Open Source Git Server | 2026-07-07 | 8.7 High |
| Gitea versions from 1.25.0 before 1.26.0 allow stored cross-site scripting through the extensionsRequired field in glTF files rendered by the 3D file viewer. | ||||
| CVE-2026-12948 | 2026-07-07 | N/A | ||
| A stored cross-site scripting (XSS) vulnerability in the web management interface of the Digi PortServer TS, Digi One SP, Digi One SP IA, and Digi One IA allows a remote, authenticated administrator to inject script into certain system configuration fields. The script subsequently executes in the browser of a user who views the affected pages (CWE-79). | ||||
| CVE-2026-50133 | 1 Gohugo | 1 Hugo | 2026-07-07 | N/A |
| Hugo is a static site generator. Prior to 0.162.0, Hugo accepts content files in several markup formats. Files mapped to the text/html media type (typically .html files under /content, or pages produced by a content adapter that sets content.mediaType = "text/html") had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source could therefore be served stored cross-site scripting. This vulnerability is fixed in 0.162.0. | ||||
| CVE-2026-12154 | 2 Widgetpack, Wordpress | 2 Reviews Widgets For Google, Tripadvisor, Yelp & Recommendations, Wordpress | 2026-07-07 | 6.4 Medium |
| The Reviews Widgets for Google, Yelp & TripAdvisor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'page_id' shortcode attribute of the [fbrev] shortcode in versions up to and including 2.7.3. This is due to insufficient input sanitization and output escaping in the Feed_Shortcode::fbrev() method, which passes the raw shortcode attribute through Feed_Old::get_feed() into the View::render() method, where it is echoed directly into the data-id HTML attribute without esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-8309 | 2026-07-07 | 5.4 Medium | ||
| Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Armiya Information Technologies Ltd. Co. Access Control System (GKS) allows Reflected XSS. This issue affects Access Control System (GKS): before Version 2. | ||||