Export limit exceeded: 47391 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (47391 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-11019 2 Totalcms, Totaljs 3 Total Cms, Total.js, Total.js Cms 2026-01-16 2.4 Low
A vulnerability has been found in Total.js CMS up to 19.9.0. This impacts an unknown function of the component Files Menu. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-42886 1 Sap 1 Business Connector 2026-01-16 6.1 Medium
Due to a Reflected Cross-Site Scripting (XSS) vulnerability in SAP Business Connector, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated victim accesses this link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victim's browser context. This could allow the attacker to access or modify information within the victim�s browser scope, impacting confidentiality and integrity, while availability remains unaffected
CVE-2023-3666 2 Maevelander, Wordpress 2 Sticky Side Buttons, Wordpress 2026-01-16 3.3 Low
The Sticky Side Buttons WordPress plugin before 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
CVE-2025-64325 1 Emby 1 Emby 2026-01-15 9.0 Critical
Emby Server is a personal media server. Prior to version 4.8.1.0 and prior to Beta version 4.9.0.0-beta, a malicious user can send an authentication request with a manipulated X-Emby-Client value, which gets added to the devices section of the admin dashboard without sanitization. This issue has been patched in version 4.8.1.0 and Beta version 4.9.0.0-beta.
CVE-2022-44349 1 Navblue 1 N-ops \& Crew 2026-01-15 5.4 Medium
NAVBLUE S.A.S N-Ops & Crew 22.5-rc.50 is vulnerable to Cross Site Scripting (XSS).
CVE-2025-63211 1 Bridgetech 2 Vbc Server, Vbc Server Element Manager 2026-01-15 6.1 Medium
Stored cross-site scripting vulnerability in bridgetech VBC Server & Element Manager, firmware versions 6.5.0-9 thru 6.5.0-10, allows attackers to execute arbitrary code via the addName parameter to the /vbc/core/userSetupDoc/userSetupDoc endpoint.
CVE-2023-26692 1 Zcbs 3 Zbbs, Zcbs, Zpbs 2026-01-15 6.1 Medium
ZCBS Zijper Collectie Beheer Systeem (ZCBS), Zijper Publication Management System (ZPBS), and Zijper Image Bank Management System (ZBBS) 4.14k is vulnerable to Cross Site Scripting (XSS).
CVE-2025-65026 2 Esm, Esm-dev 2 Esm.sh, Esmsh 2026-01-15 6.1 Medium
esm.sh is a nobuild content delivery network(CDN) for modern web development. Prior to version 136, The esm.sh CDN service contains a Template Literal Injection vulnerability (CWE-94) in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter, esm.sh converts it to a JavaScript module by embedding the CSS content directly into a template literal without proper sanitization. An attacker can inject malicious JavaScript code using ${...} expressions within CSS files, which will execute when the module is imported by victim applications. This enables Cross-Site Scripting (XSS) in browsers and Remote Code Execution (RCE) in Electron applications. This issue has been patched in version 136.
CVE-2025-33222 1 Nvidia 1 Isaac Launchable 2026-01-15 9.8 Critical
NVIDIA Isaac Launchable contains a vulnerability where an attacker could exploit a hard-coded credential issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, and data tampering.
CVE-2025-3999 1 Seeyon 1 Oa Web Application System 2026-01-15 3.5 Low
A vulnerability, which was classified as problematic, has been found in Seeyon Zhiyuan OA Web Application System 8.1 SP2. This issue affects some unknown processing of the file seeyon\opt\Seeyon\A8\ApacheJetspeed\webapps\seeyon\common\js\addDate\date.jsp of the component URL Parameter Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-4000 1 Seeyon 1 Oa Web Application System 2026-01-15 3.5 Low
A vulnerability, which was classified as problematic, was found in Seeyon Zhiyuan OA Web Application System 8.1 SP2. Affected is an unknown function of the file seeyon\opt\Seeyon\A8\ApacheJetspeed\webapps\seeyon\ssoproxy\jsp\ssoproxy.jsp. The manipulation of the argument Name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-0324 1 Axis 2 Axis Os, Axis Os 2024 2026-01-15 9.4 Critical
The VAPIX Device Configuration framework allowed a privilege escalation, enabling a lower-privileged user to gain administrator privileges.
CVE-2023-45832 1 Northernbeacheswebsites 1 Wp Gotowebinar 2026-01-15 5.9 Medium
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Martin Gibson WP GoToWebinar plugin <= 14.45 versions.
CVE-2025-15372 1 Youlai 1 Vue3-element-admin 2026-01-15 2.4 Low
A weakness has been identified in youlaitech vue3-element-admin up to 3.4.0. This issue affects some unknown processing of the file src/views/system/notice/index.vue of the component Notice Handler. This manipulation causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-55126 2 Aquaplatform, Revive 2 Revive Adserver, Adserver 2026-01-14 N/A
HackerOne community member Dang Hung Vi (vidang04) has reported a stored XSS vulnerability involving the navigation box at the top of advertiser-related pages, with campaign names being the vector for the stored XSS
CVE-2025-63872 1 Deepseek 2 Deepseek, Deepseek-v3 2026-01-14 6.1 Medium
DeepSeek V3.2 has a Cross Site Scripting (XSS) vulnerability, which allows JavaScript execution through model-generated SVG content.
CVE-2022-26138 1 Atlassian 3 Confluence Data Center, Confluence Server, Questions For Confluence 2026-01-14 9.8 Critical
The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.
CVE-2025-6235 1 Extremenetworks 1 Extremecontrol 2026-01-14 6.1 Medium
In ExtremeControl before 25.5.12, a cross-site scripting (XSS) vulnerability was discovered in a login interface of the affected application. The issue stems from improper handling of user-supplied input within HTML attributes, allowing an attacker to inject script code that may execute in a user's browser under specific interaction conditions. Successful exploitation could lead to exposure of user data or unauthorized actions within the browser context.
CVE-2025-36747 1 Growatt 3 Shine Lan-x, Shine Lan-x Firmware, Shinelan-x 2026-01-14 9.8 Critical
ShineLan-X contains a set of credentials for an FTP server was found within the firmware, allowing testers to establish an insecure FTP connection with the server. This may allow an attacker to replace legitimate files being deployed to devices with their own malicious versions, since the firmware signature verification is not enforced.
CVE-2025-36748 1 Growatt 3 Shine Lan-x, Shine Lan-x Firmware, Shinelan-x 2026-01-14 5.4 Medium
ShineLan-X contains a stored cross site scripting (XSS) vulnerability in the local configuration web server. The JavaScript code snippet can be inserted in the communication module’s settings center. This may allow attackers to force a legitimate user’s browser’s JavaScript engine to run malicious code.