Export limit exceeded: 47293 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (47293 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-66484 1 Ibm 1 Aspera Shares 2026-04-07 5.5 Medium
IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVE-2026-34812 1 Endian 2 Firewall, Firewall Community 2026-04-07 6.4 Medium
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the mimetypes parameter to /cgi-bin/proxypolicy.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
CVE-2026-34813 1 Endian 2 Firewall, Firewall Community 2026-04-07 6.4 Medium
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the user parameter to /cgi-bin/proxyuser.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
CVE-2026-34814 1 Endian 2 Firewall, Firewall Community 2026-04-07 6.4 Medium
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the group parameter to /cgi-bin/proxygroup.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
CVE-2026-34815 1 Endian 2 Firewall, Firewall Community 2026-04-07 6.4 Medium
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the DOMAIN parameter to /cgi-bin/smtpdomains.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
CVE-2026-34816 1 Endian 2 Firewall, Firewall Community 2026-04-07 6.4 Medium
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the domain parameter to /manage/smtpscan/domainrouting/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
CVE-2026-34817 1 Endian 2 Firewall, Firewall Community 2026-04-07 6.4 Medium
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the ADDRESS BCC parameter to /cgi-bin/smtprouting.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
CVE-2026-34974 2 Phpmyfaq, Thorsten 2 Phpmyfaq, Phpmyfaq 2026-04-07 5.4 Medium
phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the regex-based SVG sanitizer in phpMyFAQ (SvgSanitizer.php) can be bypassed using HTML entity encoding in javascript: URLs within SVG <a href> attributes. Any user with edit_faq permission can upload a malicious SVG that executes arbitrary JavaScript when viewed, enabling privilege escalation from editor to full admin takeover. This issue has been patched in version 4.1.1.
CVE-2026-28754 1 Zohocorp 1 Manageengine Exchange Reporter Plus 2026-04-07 7.3 High
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Distribution Lists report.
CVE-2026-28756 1 Zohocorp 1 Manageengine Exchange Reporter Plus 2026-04-07 7.3 High
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Permissions based on Distribution Groups report.
CVE-2026-28703 1 Zohocorp 1 Manageengine Exchange Reporter Plus 2026-04-07 7.3 High
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Mails Exchanged Between Users report.
CVE-2026-3879 1 Zohocorp 1 Manageengine Exchange Reporter Plus 2026-04-07 7.3 High
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Equipment Mailbox Details report.
CVE-2026-3880 1 Zohocorp 1 Manageengine Exchange Reporter Plus 2026-04-07 7.3 High
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Public Folder Client Permissions report.
CVE-2026-4107 1 Zohocorp 1 Manageengine Exchange Reporter Plus 2026-04-07 7.3 High
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Folder Message Count and Size report.
CVE-2026-4108 1 Zohocorp 1 Manageengine Exchange Reporter Plus 2026-04-07 7.3 High
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Non-Owner Mailbox Permission report.
CVE-2026-27655 1 Zohocorp 1 Manageengine Exchange Reporter Plus 2026-04-07 7.3 High
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Permissions Based on Mailboxes report.
CVE-2025-70128 1 Pluxml 1 Pluxml 2026-04-07 6.1 Medium
A Stored Cross-Site Scripting (XSS) vulnerability exists in the PluXml article comments feature for PluXml versions 5.8.22 and earlier. The application fails to properly sanitize or validate user-supplied input in the "link" field of a comment. An attacker can inject arbitrary JavaScript code using a <script> element. The injected payload is stored in the database and subsequently rendered in the Administration panel's "Comments" section when administrators review submitted comments. Importantly, the malicious script is not reflected in the public-facing comments interface, but only within the backend administration view. Alternatively, users of Administrator, Moderator, Manager roles can also directly input crafted payloads into existing comments. This makes the vulnerability a persistent XSS issue targeting administrative users. This affects /core/admin/comments.php, while CVE-2022-24585 affects /core/admin/comment.php, a uniquely distinct vulnerability.
CVE-2008-3511 1 Softbizscripts 1 Image Gallery Script 2026-04-06 N/A
Multiple cross-site scripting (XSS) vulnerabilities in Softbiz Image Gallery (Photo Gallery) allow remote attackers to inject arbitrary web script or HTML via the (1) latest parameter to (a) index.php, (b) images.php, (c) suggest_image.php, and (d) image_desc.php; and the (2) msg parameter to index.php, images.php, and suggest_image.php, and (e) index.php, (f) adminhome.php, (g) config.php, (h) changepassword.php, (i) cleanup.php, (j) browsecats.php, and (k) images.php in admin/. NOTE: the image_desc.php/msg vector is covered by CVE-2006-1660. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2007-6124 1 Softbizscripts 1 Freelancers Script 2026-04-06 N/A
Cross-site scripting (XSS) vulnerability in signin.php in Softbiz Freelancers Script 1 allows remote attackers to inject arbitrary web script or HTML via the errmsg parameter.
CVE-2017-6054 1 Hyundai 1 Blue Link 2026-04-06 7.5 High
A Use of Hard-Coded Cryptographic Key issue was discovered in Hyundai Motor America Blue Link 3.9.5 and 3.9.4. The application uses a hard-coded decryption password to protect sensitive user information.