Search Results (43876 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-25375 | 1 Opnsense | 1 Opnsense | 2026-02-18 | 6.1 Medium |
| OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the mailserver parameter. Attackers can send POST requests to the monit interface with JavaScript payloads in the mailserver parameter to execute arbitrary code in users' browsers. | ||||
| CVE-2019-25376 | 1 Opnsense | 1 Opnsense | 2026-02-18 | 6.1 Medium |
| OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted payloads through the ignoreLogACL parameter. Attackers can send POST requests to the proxy endpoint with JavaScript code in the ignoreLogACL parameter to execute arbitrary scripts in users' browsers. | ||||
| CVE-2019-25377 | 1 Opnsense | 1 Opnsense | 2026-02-18 | 5.4 Medium |
| OPNsense 19.1 contains a reflected cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attackers to inject malicious scripts via the value parameter. Attackers can craft POST requests with script payloads in the value parameter to execute JavaScript in the context of authenticated user sessions. | ||||
| CVE-2026-25578 | 1 Navidrome | 1 Navidrome | 2026-02-18 | 6.1 Medium |
| Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched in version 0.60.0. | ||||
| CVE-2026-1796 | 2 Indextwo, Wordpress | 2 Stylebidet, Wordpress | 2026-02-18 | 6.1 Medium |
| The StyleBidet plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL path in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2026-1912 | 2 Ulaulaman, Wordpress | 2 Citations Tools, Wordpress | 2026-02-18 | 6.4 Medium |
| The Citations tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'code' parameter in the 'ctdoi' shortcode in all versions up to, and including, 0.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-25616 | 2 Blesta, Phillipsdata | 2 Blesta, Blesta | 2026-02-18 | 4.7 Medium |
| Blesta 3.x through 5.x before 5.13.3 mishandles input validation, aka CORE-5665. | ||||
| CVE-2026-23738 | 2 Asterisk, Sangoma | 3 Asterisk, Asterisk, Certified Asterisk | 2026-02-18 | 3.5 Low |
| Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, user supplied/control values for Cookies and any GET variable query Parameter are directly interpolated into the HTML of the page using ast_str_append. The endpoint at GET /httpstatus is the potential vulnerable endpoint relating to asterisk/main/http.c. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2. | ||||
| CVE-2026-1164 | 2 Phoenixstudiodz, Wordpress | 2 Easy Voice Mail, Wordpress | 2026-02-18 | 6.1 Medium |
| The Easy Voice Mail plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘message’ parameter in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2023-1041 | 1 Oretnom23 | 1 Simple Responsive Tourism Website | 2026-02-18 | 3.5 Low |
| A vulnerability, which was classified as problematic, was found in SourceCodester Simple Responsive Tourism Website 1.0. This affects an unknown part of the file /tourism/rate_review.php. The manipulation of the argument id with the input 1"><script>alert(1111)</script> leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-221799. | ||||
| CVE-2026-1843 | 2 Optimole, Wordpress | 2 Super Page Cache, Wordpress | 2026-02-18 | 7.2 High |
| The Super Page Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Activity Log in all versions up to, and including, 5.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-1901 | 2 Questionpro, Wordpress | 2 Questionpro Surveys, Wordpress | 2026-02-18 | 6.4 Medium |
| The QuestionPro Surveys plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'questionpro' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-1844 | 2 Pixelyoursite, Wordpress | 2 Pixelyoursite Pro – Your Smart Pixel (tag) Manager, Wordpress | 2026-02-18 | 7.2 High |
| The PixelYourSite PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pysTrafficSource' parameter and the 'pys_landing_page' parameter in all versions up to, and including, 12.4.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-1904 | 2 Nayon46, Wordpress | 2 Simple Wp Colorfull Accordion, Wordpress | 2026-02-18 | 6.4 Medium |
| The Simple Wp colorfull Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in the 'accordion' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-1903 | 2 Shellbot, Wordpress | 2 Ravelry Designs Widget, Wordpress | 2026-02-18 | 6.4 Medium |
| The Ravelry Designs Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'layout' attribute of the 'sb_ravelry_designs' shortcode in all versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-0736 | 2 Collectchat, Wordpress | 2 Chatbot For Wordpress By Collect.chat ⚡️, Wordpress | 2026-02-18 | 6.4 Medium |
| The Chatbot for WordPress by Collect.chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_inpost_head_script[synth_header_script]' post meta field in all versions up to, and including, 2.4.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-1792 | 2 Owencutajar, Wordpress | 2 Geo Widget, Wordpress | 2026-02-18 | 6.1 Medium |
| The Geo Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL path in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-0735 | 2 Webilop, Wordpress | 2 User Language Switch, Wordpress | 2026-02-18 | 4.4 Medium |
| The User Language Switch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tab_color_picker_language_switch' parameter in all versions up to, and including, 1.6.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2026-1754 | 2 Alexeyknyazev, Wordpress | 2 Personal-authors-category, Wordpress | 2026-02-18 | 6.1 Medium |
| The personal-authors-category plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL path in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2026-1096 | 2 Raju Ahmed, Wordpress | 2 Best-wp-google-map, Wordpress | 2026-02-18 | 6.4 Medium |
| The Best-wp-google-map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'latitude' and 'longitudinal' parameters of the 'google_map_view' shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||