Export limit exceeded: 363284 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (47129 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-47873 | 1 Vestacp | 2 Control Panel, Vesta Control Panel | 2026-04-15 | 7.2 High |
| VestaCP versions prior to 0.9.8-25 contain a cross-site scripting vulnerability in the IP interface configuration that allows attackers to inject malicious scripts. Attackers can exploit the 'v_interface' parameter by sending a crafted POST request to the add/ip/ endpoint with a stored XSS payload. | ||||
| CVE-2020-36931 | 1 Click2magic | 1 Click2magic | 2026-04-15 | 6.4 Medium |
| Click2Magic 1.1.5 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts in the chat name input. Attackers can craft a malicious payload in the chat name to capture administrator cookies when the admin processes user requests. | ||||
| CVE-2020-3431 | 1 Cisco | 1 Small Business Rv Series Router Firmware | 2026-04-15 | 6.1 Medium |
| A vulnerability in the web-based management interface of Cisco Small Business RV042 Dual WAN VPN Routers and Cisco Small Business RV042G Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. | ||||
| CVE-2020-36966 | 1 Dolibarr | 2 Dolibarr, Dolibarr Erp\/crm | 2026-04-15 | 6.4 Medium |
| Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows attackers to inject malicious scripts through multiple parameters. Attackers can exploit the host, slave, and port parameters in /dolibarr/admin/ldap.php to execute arbitrary JavaScript and potentially steal user cookie information. | ||||
| CVE-2020-36960 | 1 Formalms | 1 Formalms | 2026-04-15 | 6.4 Medium |
| Forma LMS 2.3 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into user profile first and last name fields. Attackers can craft scripts like '<script>alert(document.cookie)</script>' to execute arbitrary JavaScript when the profile is viewed by other users. | ||||
| CVE-2020-27478 | 1 Simplcommerce | 1 Simplcommerce | 2026-04-15 | 7.1 High |
| Cross Site Scripting vulnerability found in Simplcommerce v.40734964b0811f3cbaf64b6dac261683d256f961 thru 3103357200c70b4767986544e01b19dbf11505a7 allows a remote attacker to execute arbitrary code via a crafted script to the search bar feature. | ||||
| CVE-2020-36956 | 1 Igniterealtime | 1 Openfire | 2026-04-15 | 6.4 Medium |
| Openfire 4.6.0 contains a stored cross-site scripting vulnerability in the nodejs plugin that allows attackers to inject malicious scripts through the 'path' parameter. Attackers can craft a payload with script tags to execute arbitrary JavaScript in the context of administrative users viewing the nodejs configuration page. | ||||
| CVE-2020-36955 | 1 Getgrav | 4 Grav, Grav-plugin-admin, Grav Admin and 1 more | 2026-04-15 | 6.4 Medium |
| Grav CMS 1.6.30 with Admin Plugin 1.9.18 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the page title field. Attackers can create a new page with a malicious script in the title, which will be executed when the page is viewed in the admin panel or on the site. | ||||
| CVE-2021-27961 | 2026-04-15 | 6.5 Medium | ||
| evesys 7.1 (2152) through 8.0 (2202) allows Reflected XSS via the indexeva.php action parameter. | ||||
| CVE-2020-36915 | 2026-04-15 | 7.5 High | ||
| Adtec Digital SignEdje Digital Signage Player v2.08.28 contains multiple hardcoded default credentials that allow unauthenticated remote access to web, telnet, and SSH interfaces. Attackers can exploit these credentials to gain root-level access and execute system commands across multiple Adtec Digital product versions. | ||||
| CVE-2020-36954 | 1 Xeroneit | 1 Library Management System | 2026-04-15 | 6.4 Medium |
| Xeroneit Library Management System 3.1 contains a stored cross-site scripting vulnerability in the Book Category feature that allows administrators to inject malicious scripts. Attackers can insert a payload in the Category Name field to execute arbitrary JavaScript code when the page is loaded. | ||||
| CVE-2020-36853 | 2 10web, Wordpress | 2 Map Builder For Google Maps, Wordpress | 2026-04-15 | 7.2 High |
| The 10WebMapBuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Plugin Settings Change in versions up to, and including, 1.0.63 due to insufficient input sanitization and output escaping and a lack of capability checks. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2020-36854 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Async JavaScript plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.19.07.14. This is due to missing authorization checks on the aj_steps AJAX aciton along with a lack on sanitization on the settings saved via the function. This makes it possible for authenticated attackers with subscriber level permissions and above to inject malicious web scripts into a page that execute whenever a user accesses that page. | ||||
| CVE-2020-9322 | 1 Statamic | 1 Statamic | 2026-04-15 | 8.8 High |
| The /users endpoint in Statamic Core before 2.11.8 allows XSS to add an administrator user. This can be exploited via CSRF. Stored XSS can occur via a JavaScript payload in a username during account registration. Reflected XSS can occur via the /users PATH_INFO. | ||||
| CVE-2020-26799 | 1 Luxsoft | 1 Luxcal | 2026-04-15 | 9.8 Critical |
| A reflected cross-site scripting (XSS) vulnerability was discovered in index.php on Luxcal 4.5.2 which allows an unauthenticated attacker to steal other users' data. | ||||
| CVE-2020-37003 | 2 Sellacious, Totalshopuk | 2 Ecommerce, Ecommerce | 2026-04-15 | 6.4 Medium |
| Sellacious eCommerce 4.6 contains a persistent cross-site scripting vulnerability in the Manage Your Addresses module that allows attackers to inject malicious scripts. Attackers can exploit multiple address input fields like full name, company, and address to execute persistent script code that can hijack user sessions and manipulate application modules. | ||||
| CVE-2020-36998 | 1 Forma | 1 E-learning Suite | 2026-04-15 | 6.4 Medium |
| Forma.lms The E-Learning Suite 2.3.0.2 contains a persistent cross-site scripting vulnerability in multiple course and profile parameters. Attackers can inject malicious scripts in course code, name, description fields, and email parameter to execute arbitrary JavaScript without proper input sanitization. | ||||
| CVE-2020-36996 | 1 Php-fusion | 1 Phpfusion | 2026-04-15 | 6.4 Medium |
| PHPFusion 9.03.50 contains a persistent cross-site scripting vulnerability in the print.php page that fails to properly sanitize user-submitted message content. Attackers can inject malicious JavaScript through forum messages that will execute when the print page is generated, allowing script execution in victim browsers. | ||||
| CVE-2020-36988 | 1 Guidoneele | 1 Pdw File Browser | 2026-04-15 | 5.4 Medium |
| PDW File Browser version 1.3 contains stored and reflected cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts through file rename and path parameters. Attackers can craft malicious URLs or rename files with XSS payloads to execute arbitrary JavaScript in victims' browsers when they access the file browser. | ||||
| CVE-2020-36978 | 1 Froxlor | 1 Froxlor | 2026-04-15 | 6.4 Medium |
| Froxlor Server Management Panel 0.10.16 contains a persistent cross-site scripting vulnerability in customer registration input fields. Attackers can inject malicious scripts through username, name, and firstname parameters to execute code when administrators view customer traffic modules. | ||||