Export limit exceeded: 47196 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (47196 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-34097 1 Guardian 1 Language-system 2026-07-06 4.6 Medium
Guardian language-system fails to sanitize the id GET parameter before inserting it into multiple HTML form action attributes in text_file.php (lines 94, 101, 323, 403, 826, 852). An authenticated attacker can craft a URL that injects script tags executing in the victim's browser session.
CVE-2026-34098 1 Guardian 1 Language-system 2026-07-06 4.6 Medium
Guardian language-system fails to sanitize the id GET parameter before inserting it into HTML source and form action attributes in media.php (lines 119, 129). An authenticated attacker can craft a URL that injects script tags executing in the victim's browser session.
CVE-2026-58263 1 Xdan 1 Jodit 2026-07-06 7.2 High
Jodit Editor is a WYSIWYG editor with written in pure TypeScript file and image editing capabilities. In versions prior to 4.12.28, the built-in clean-html sanitizer can be bypassed by a MathML/<style> carrier that hides a dangerous element from the sanitizer's element walk, so a no-interaction event handler survives into the editor value, potentially causing Mutation XSS. When an application supplies attacker-influenced HTML to the editor's value-set or insertion paths, the sanitized output still contains a live <img ... onload=...> (or another non-onerror handler such as onfocus). A consumer that renders that output (element.innerHTML = editor.value) executes the handler with no user interaction. This issue has been fixed in version 4.12.28.
CVE-2026-10089 2 Figureone, Wordpress 2 Insert Pages, Wordpress 2026-07-06 6.4 Medium
The Insert Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post custom field keys (meta key names) in all versions up to, and including, 3.11.4. This is due to insufficient output escaping in the the_meta() function: while the custom field VALUE is sanitized with wp_kses_post(), the custom field KEY ($key) is interpolated into the rendered HTML (lines 1786-1791) and echoed (line 1806) without any escaping when an inserted page is rendered with the [insert page='ID' display='all'] shortcode. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-10104 2 Nikhilgadhiya, Wordpress 2 Product Video Gallery For Woocommerce, Wordpress 2026-07-06 4.4 Medium
The Product Video Gallery for Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom_thumbnail Parameter in all versions up to, and including, 1.5.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop manager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-69152 2 Themegoods, Wordpress 2 Artale | Wedding Photography Wordpress, Wordpress 2026-07-06 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Artale | Wedding Photography WordPress <= 2.2.2 versions.
CVE-2025-69153 2 Designthemes, Wordpress 2 Trendy Travel, Wordpress 2026-07-06 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Trendy Travel <= 6.7 versions.
CVE-2025-69154 2 Designthemes, Wordpress 2 Spalab | Beauty Salon Wordpress Theme, Wordpress 2026-07-06 7.1 High
Unauthenticated Cross Site Scripting (XSS) in SpaLab | Beauty Salon WordPress Theme <= 6.7 versions.
CVE-2025-69155 2 Designthemes, Wordpress 2 Fitness Zone Wordpress Theme, Wordpress 2026-07-06 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Fitness Zone WordPress Theme <= 5.7 versions.
CVE-2025-69156 2 Design Themes, Wordpress 2 Kids Zone - Children Wordpress Theme, Wordpress 2026-07-06 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Kids Zone - Children WordPress Theme <= 5.4 versions.
CVE-2026-27402 2 Designthemes, Wordpress 2 Kids Life | Children School Wordpress, Wordpress 2026-07-06 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Kids Life | Children School WordPress <= 5.2 versions.
CVE-2026-27404 2 Designthemes, Wordpress 2 Lms, Wordpress 2026-07-06 7.1 High
Unauthenticated Cross Site Scripting (XSS) in LMS <= 9.7 versions.
CVE-2026-27408 2 Imithemes, Wordpress 2 Nativechurch, Wordpress 2026-07-06 7.1 High
Unauthenticated Cross Site Scripting (XSS) in NativeChurch <= 4.8.8.2 versions.
CVE-2026-27425 2 Themesuite, Wordpress 2 Automotive Listings, Wordpress 2026-07-06 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Automotive Listings <= 18.6 versions.
CVE-2026-27430 2 Tranmautritam, Wordpress 2 Thefox, Wordpress 2026-07-06 7.1 High
Unauthenticated Cross Site Scripting (XSS) in TheFox <= 3.9.76 versions.
CVE-2026-57350 2 Andy Fragen, Wordpress 2 Wp Debugging, Wordpress 2026-07-06 7.1 High
Unauthenticated Cross Site Scripting (XSS) in WP Debugging <= 2.12.2 versions.
CVE-2026-57354 2 Crocoblock. Jetimpex Inc., Wordpress 2 Jetreviews, Wordpress 2026-07-06 6.5 Medium
Subscriber Cross Site Scripting (XSS) in JetReviews <= 3.0.0.1 versions.
CVE-2026-57357 2 Search Atlas Group, Wordpress 2 Search Atlas Seo, Wordpress 2026-07-06 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Search Atlas SEO <= 2.6.6 versions.
CVE-2026-57358 2 Sysbasics, Wordpress 2 Customize My Account For Woocommerce, Wordpress 2026-07-06 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Customize My Account for WooCommerce <= 4.3.9 versions.
CVE-2026-57426 2 Chill Media Labs S.r.l., Wordpress 2 Modula - Pro, Wordpress 2026-07-06 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Modula - PRO <= 2.10.8 versions.