Export limit exceeded: 47138 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (47138 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-3798 2026-04-15 N/A
Insecure handling of GET header parameter file included in requests being sent to an instance of the open-source project Phoniebox allows an attacker to create a website, which – when visited by a user – will send malicious requests to multiple hosts on the local network. If such a request reaches the server, it will cause one of the following (depending on the chosen payload): shell command execution, reflected XSS or cross-site request forgery. This issue affects Phoniebox in all releases through 2.7. Newer 2.x releases were not tested, but they might also be vulnerable.  Phoniebox in version 3.0 and higher are not affected.
CVE-2024-5485 1 Suretriggers 1 Suretriggers 2026-04-15 6.4 Medium
The SureTriggers – Connect All Your Plugins, Apps, Tools & Automate Everything! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Trigger Link shortcode in all versions up to, and including, 1.0.47 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-5501 1 Wordpress 1 Wordpress 2026-04-15 6.4 Medium
The Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘button_one_id’ parameter in all versions up to, and including, 2.5.51 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-5584 2026-04-15 6.4 Medium
The WordPress Online Booking and Scheduling Plugin – Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Color Profile parameter in all versions up to, and including, 23.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with the staff member role and Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-55864 1 Wordpress 1 Wordpress 2026-04-15 N/A
Cross-site scripting vulnerability exists in My WP Customize Admin/Frontend versions prior to ver 1.24.1. If a malicious administrative user customizes the administrative page with some malicious contents, an arbitrary script may be executed on the web browser of the other users who are accessing the page.
CVE-2024-55878 2026-04-15 6.8 Medium
SimpleXLSX is software for parsing and retrieving data from Excel XLSx files. Starting in version 1.0.12 and prior to version 1.1.12, when calling the extended toHTMLEx method, it is possible to execute arbitrary JavaScript code. Version 1.1.12 fixes the issue. As a workaround, don't use direct publication via toHTMLEx.
CVE-2024-4859 2026-04-15 5.7 Medium
Solidus <= 4.3.4 is affected by a Stored Cross-Site Scripting vulnerability in the order tracking URL.
CVE-2024-48569 1 Aci Worldwide 1 Proactive Risk Manager 2026-04-15 5.4 Medium
Proactive Risk Manager version 9.1.1.0 is affected by multiple Cross-Site Scripting (XSS) vulnerabilities in the add/edit form fields, at the urls starting with the subpaths: /ar/config/configuation/ and /ar/config/risk-strategy-control/
CVE-2024-48539 1 Netdvr 1 Neye3c 2026-04-15 9.8 Critical
Neye3C v4.5.2.0 was discovered to contain a hardcoded encryption key in the firmware update mechanism.
CVE-2024-4849 2 Valvepress, Wordpress 2 Wordpress Automatic Plugin, Wordpress 2026-04-15 6.4 Medium
The WordPress Automatic Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘autoplay’ parameter in all versions up to, and including, 3.94.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-38356 1 Tinymce 1 Tinymce 2026-04-15 6.1 Medium
TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content extraction code. When using the `noneditable_regexp` option, specially crafted HTML attributes containing malicious code were able to be executed when content was extracted from the editor. This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that, when using the `noneditable_regexp` option, any content within an attribute is properly verified to match the configured regular expression before being added. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-38357 1 Tinymce 1 Tinymce 2026-04-15 6.1 Medium
TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content parsing code. This allowed specially crafted noscript elements containing malicious code to be executed when that content was loaded into the editor. This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that content within noscript elements are properly parsed. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-38364 2026-04-15 2.6 Low
DSpace is an open source software is a turnkey repository application used by more than 2,000 organizations and institutions worldwide to provide durable access to digital resources. In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user's browser may execute any embedded JavaScript. If that embedded JavaScript is malicious, there is a risk of an XSS attack. This vulnerability has been patched in version 7.6.2.
CVE-2024-48461 1 Telsalogger 1 Admin Panel 2026-04-15 4.8 Medium
Cross Site Scripting vulnerability in TeslaLogger Admin Panel before v.1.59.6 allows a remote attacker to execute arbitrary code via the New Journey field.
CVE-2024-48448 1 Huly 1 Huly 2026-04-15 6.1 Medium
An arbitrary file upload vulnerability in Huly Platform v0.6.295 allows attackers to execute arbitrary code via uploading a crafted HTML file into the tracker comments page.
CVE-2024-4844 2026-04-15 7.5 High
Hardcoded credentials vulnerability in Trellix ePolicy Orchestrator (ePO) on Premise prior to 5.10 Service Pack 1 Update 2 allows an attacker with admin privileges on the ePO server to read the contents of the orion.keystore file, allowing them to access the ePO database encryption key. This was possible through using a hard coded password for the keystore. Access Control restrictions on the file mean this would not be exploitable unless the user is the system admin for the server that ePO is running on.
CVE-2024-48410 1 Camtrace 1 Camtrace 2026-04-15 6.1 Medium
Cross Site Scripting vulnerability in Camtrace v.9.16.2.1 allows a remote attacker to execute arbitrary code via the login.php.
CVE-2024-3929 1 Wordpress 1 Wordpress 2026-04-15 6.4 Medium
The Content Views – Post Grid & Filter, Recent Posts, Category Posts, & More (Gutenberg Blocks and Shortcode) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Widget Post Overlay block in all versions up to, and including, 3.7.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-39307 2026-04-15 3.5 Low
Kavita is a cross platform reading server. Opening an ebook with malicious scripts inside leads to code execution inside the browsing context. Kavita doesn't sanitize or sandbox the contents of epubs, allowing scripts inside ebooks to execute. This vulnerability was patched in version 0.8.1.
CVE-2024-48396 1 Sohelamin 1 Chatbot 2026-04-15 6.1 Medium
AIML Chatbot 1.0 (fixed in 2.0) is vulnerable to Cross Site Scripting (XSS). The vulnerability is exploited through the message input field, where attackers can inject malicious HTML or JavaScript code. The chatbot fails to sanitize these inputs, leading to the execution of malicious scripts.