Export limit exceeded: 20087 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Export limit exceeded: 363304 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Export limit exceeded: 47131 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (47131 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2020-36826 2026-04-15 3.5 Low
A vulnerability was found in AwesomestCode LiveBot. It has been classified as problematic. Affected is the function parseSend of the file js/parseMessage.js. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. Upgrading to version 0.1 is able to address this issue. The name of the patch is 57505527f838d1e46e8f93d567ba552a30185bfa. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-257784.
CVE-2020-36827 2026-04-15 5.4 Medium
The XAO::Web module before 1.84 for Perl mishandles < and > characters in JSON output during use of json-embed in Web::Action.
CVE-2020-36828 2026-04-15 3.5 Low
A vulnerability was found in DiscuzX up to 3.4-20200818. It has been classified as problematic. Affected is the function show_next_step of the file upload/install/include/install_function.php. The manipulation of the argument uchidden leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 3.4-20210119 is able to address this issue. The name of the patch is 4a9673624f46f7609486778ded9653733020c567. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-258612.
CVE-2020-36998 1 Forma 1 E-learning Suite 2026-04-15 6.4 Medium
Forma.lms The E-Learning Suite 2.3.0.2 contains a persistent cross-site scripting vulnerability in multiple course and profile parameters. Attackers can inject malicious scripts in course code, name, description fields, and email parameter to execute arbitrary JavaScript without proper input sanitization.
CVE-2020-37003 2 Sellacious, Totalshopuk 2 Ecommerce, Ecommerce 2026-04-15 6.4 Medium
Sellacious eCommerce 4.6 contains a persistent cross-site scripting vulnerability in the Manage Your Addresses module that allows attackers to inject malicious scripts. Attackers can exploit multiple address input fields like full name, company, and address to execute persistent script code that can hijack user sessions and manipulate application modules.
CVE-2021-27961 2026-04-15 6.5 Medium
evesys 7.1 (2152) through 8.0 (2202) allows Reflected XSS via the indexeva.php action parameter.
CVE-2020-37087 1 Rubikon Teknoloji 1 Easy Transfer 2026-04-15 N/A
Easy Transfer Wifi Transfer v1.7 for iOS contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious scripts by manipulating the oldPath, newPath, and path parameters in Create Folder and Move/Edit functions. Attackers can exploit improper input validation via POST requests to execute arbitrary JavaScript in the context of the mobile web application.
CVE-2020-37092 1 Netis-systems 1 Netis E1+ 2026-04-15 7.5 High
Netis E1+ version 1.2.32533 contains a hardcoded root account vulnerability that allows unauthenticated attackers to access the device with predefined credentials. Attackers can leverage the embedded root account with a crackable password to gain full administrative access to the network device.
CVE-2020-37135 3 Amss++ Project, Amss\+\+ Project, Amssplus 3 Amss++, Amss\+\+, Amss Plus 2026-04-15 7.5 High
AMSS++ 4.7 contains an authentication bypass vulnerability that allows attackers to access administrative accounts using hardcoded credentials. Attackers can log in with the default admin username and password '1234' to gain unauthorized administrative access to the system.
CVE-2020-37148 1 P5 2 Fnip-4xsh, Fnip-8x16a 2026-04-15 3.5 Low
P5 FNIP-8x16A/FNIP-4xSH versions 1.0.20 and 1.0.11 suffer from a stored cross-site scripting vulnerability. Input passed to several GET/POST parameters is not properly sanitized before being returned to the user, allowing attackers to execute arbitrary HTML and script code in a user's browser session in the context of the affected site. This can be exploited by submitting crafted input to the label modification functionality, such as the 'lab4' parameter in config.html.
CVE-2020-37014 1 Tryton 2 Tryton, Trytond 2026-04-15 6.4 Medium
Tryton 5.4 contains a persistent cross-site scripting vulnerability in the user profile name input that allows remote attackers to inject malicious scripts. Attackers can exploit the vulnerability by inserting script payloads in the name field, which execute in the frontend and backend user interfaces.
CVE-2020-37018 1 Goautodial 2 Goautodial, Goautodial Api 2026-04-15 6.4 Medium
GOautodial 4.0 contains a persistent cross-site scripting vulnerability that allows authenticated agents to inject malicious scripts through message subjects. Attackers can craft messages with embedded JavaScript that will execute when an administrator reads the message, potentially stealing session cookies or executing client-side attacks.
CVE-2020-37019 1 Orchardcore 2 Orchard Core, Orchardcore 2026-04-15 6.4 Medium
Orchard Core RC1 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious scripts through blog post creation. Attackers can create blog posts with embedded JavaScript in the MarkdownBodyPart.Source parameter to execute arbitrary scripts in victim browsers.
CVE-2020-37022 2 Openz, Sap 2 Erp, Erp 2026-04-15 6.4 Medium
OpenZ ERP 3.6.60 contains a persistent cross-site scripting vulnerability in the Employee module's name and description parameters. Attackers can inject malicious scripts through POST requests to , enabling session hijacking and manipulation of application modules.
CVE-2025-49945 1 Wordpress 1 Wordpress 2026-04-15 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kylegetson Shortcode Generator shortcode-generator allows Reflected XSS.This issue affects Shortcode Generator: from n/a through <= 1.1.
CVE-2025-22373 2026-04-15 N/A
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in SicommNet BASEC on SaaS allows Reflected XSS, XSS Through HTTP Query Strings, Rendering of Arbitrary HTML and alternation of CSS Styles This issue affects BASEC: from 14 Dec 2021.
CVE-2025-22491 2026-04-15 6.7 Medium
The user input was not sanitized on Reporting Hierarchy Management page of Foreseer Reporting Software (FRS) application which could lead into execution of arbitrary JavaScript in a browser context for all the interacting users. This security issue has been patched in the latest version 1.5.100 of the FRS.
CVE-2025-22769 2026-04-15 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Creative Brahma Multifox allows Stored XSS.This issue affects Multifox: from n/a through 1.3.7.
CVE-2025-22872 2026-04-15 6.5 Medium
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. <math>, <svg>, etc contexts).
CVE-2025-22888 2026-04-15 N/A
Movable Type contains a stored cross-site scripting vulnerability in the custom block edit page of MT Block Editor. If exploited, an arbitrary script may be executed on a logged-in user's web browser.