Export limit exceeded: 45839 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (45839 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-26345 | 1 Spip | 1 Spip | 2026-04-16 | 5.4 Medium |
| SPIP before 4.4.8 contains a stored cross-site scripting (XSS) vulnerability in the public area triggered in certain edge-case usage patterns. The echapper_html_suspect() function does not adequately sanitize user-controlled content, allowing authenticated users with content-editing privileges (e.g., author-level roles and above) to inject malicious scripts. The injected payload may be rendered across multiple pages within the framework and execute in the browser context of other users, including administrators. Successful exploitation can allow attackers to perform actions in the security context of the victim user, including unauthorized modification of application state. This vulnerability is not mitigated by the SPIP security screen. | ||||
| CVE-2026-26223 | 1 Spip | 1 Spip | 2026-04-16 | 6.1 Medium |
| SPIP before 4.4.8 allows cross-site scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe content in the back-office, allowing an attacker to inject and execute malicious scripts. The fix adds a sandbox attribute to iframe tags in the private area. This vulnerability is not mitigated by the SPIP security screen. | ||||
| CVE-2026-23604 | 1 Gfi | 2 Mailessentials, Mailessentials Ai | 2026-04-16 | 5.4 Medium |
| GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Keyword Filtering rule creation workflow. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$TXB_RuleName parameter to /MailEssentials/pages/MailSecurity/contentchecking.aspx, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user. | ||||
| CVE-2026-23606 | 1 Gfi | 2 Mailessentials, Mailessentials Ai | 2026-04-16 | 5.4 Medium |
| GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Advanced Content Filtering rule creation workflow. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$txtRuleName parameter to /MailEssentials/pages/MailSecurity/advancedfiltering.aspx, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user. | ||||
| CVE-2026-23607 | 1 Gfi | 2 Mailessentials, Mailessentials Ai | 2026-04-16 | 5.4 Medium |
| GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Anti-Spam Whitelist management interface. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$txtDescription parameter to /MailEssentials/pages/MailSecurity/Whitelist.aspx, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user. | ||||
| CVE-2026-23610 | 1 Gfi | 2 Mailessentials, Mailessentials Ai | 2026-04-16 | 5.4 Medium |
| GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the POP2Exchange configuration endpoint. An authenticated user can supply HTML/JavaScript in the POP3 server login field within the JSON \"popServers\" payload to /MailEssentials/pages/MailSecurity/POP2Exchange.aspx/Save, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user. | ||||
| CVE-2026-23612 | 1 Gfi | 2 Mailessentials, Mailessentials Ai | 2026-04-16 | 5.4 Medium |
| GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the IP DNS Blocklist configuration page. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$TXB_IPs parameter to /MailEssentials/pages/MailSecurity/ipdnsblocklist.aspx, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user. | ||||
| CVE-2026-23613 | 1 Gfi | 2 Mailessentials, Mailessentials Ai | 2026-04-16 | 5.4 Medium |
| GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the URI DNS Blocklist configuration page. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$TXB_URIs parameter to /MailEssentials/pages/MailSecurity/uridnsblocklist.aspx, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user. | ||||
| CVE-2026-23614 | 1 Gfi | 2 Mailessentials, Mailessentials Ai | 2026-04-16 | 5.4 Medium |
| GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Sender Policy Framework IP Exceptions interface. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv2$txtIPDescription parameter to /MailEssentials/pages/MailSecurity/SenderPolicyFramework.aspx, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user. | ||||
| CVE-2026-23615 | 1 Gfi | 2 Mailessentials, Mailessentials Ai | 2026-04-16 | 5.4 Medium |
| GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Sender Policy Framework Email Exceptions interface. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv4$txtEmailDescription parameter to /MailEssentials/pages/MailSecurity/SenderPolicyFramework.aspx, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user. | ||||
| CVE-2026-23616 | 1 Gfi | 2 Mailessentials, Mailessentials Ai | 2026-04-16 | 5.4 Medium |
| GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Anti-Spoofing configuration page. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$AntiSpoofingGeneral1$TxtSmtpDesc parameter to /MailEssentials/pages/MailSecurity/AntiSpoofing.aspx, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user. | ||||
| CVE-2026-23619 | 1 Gfi | 2 Mailessentials, Mailessentials Ai | 2026-04-16 | 5.4 Medium |
| GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Local Domains settings page. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$Pv3$txtDescription parameter to /MailEssentials/pages/MailSecurity/general.aspx, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user. | ||||
| CVE-2026-27474 | 1 Spip | 1 Spip | 2026-04-16 | 6.1 Medium |
| SPIP before 4.4.9 allows Cross-Site Scripting (XSS) in the private area, complementing an incomplete fix from SPIP 4.4.8. The echappe_anti_xss() function was not systematically applied to input, form, button, and anchor (a) HTML tags, allowing an attacker to inject malicious scripts through these elements. This vulnerability is not mitigated by the SPIP security screen. | ||||
| CVE-2026-22357 | 2 Spencer Haws, Wordpress | 2 Link Whisper Free, Wordpress | 2026-04-16 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spencer Haws Link Whisper Free link-whisper allows Reflected XSS.This issue affects Link Whisper Free: from n/a through <= 0.9.2. | ||||
| CVE-2026-24955 | 2 Fox-themes, Wordpress | 2 Whizz Plugins, Wordpress | 2026-04-16 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fox-themes Whizz Plugins whizz-plugins allows Reflected XSS.This issue affects Whizz Plugins: from n/a through <= 1.9. | ||||
| CVE-2026-2932 | 2 Yifang, Yifangcms | 2 Cms, Yifang | 2026-04-16 | 2.4 Low |
| A security flaw has been discovered in YiFang CMS up to 2.0.5. The impacted element is the function update of the file app/db/admin/D_adPosition.php of the component Extended Management Module. Performing a manipulation of the argument name/index results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. | ||||
| CVE-2026-27742 | 1 Bludit | 1 Bludit | 2026-04-16 | 5.4 Medium |
| Bludit version 3.16.2 contains a stored cross-site scripting (XSS) vulnerability in the post content functionality. The application performs client-side sanitation of content input but does not enforce equivalent sanitation on the server side. An authenticated user can inject arbitrary JavaScript into the content field of a post, which is stored and later rendered to other users without proper output encoding. When viewed, the injected script executes in the context of the victim’s browser, allowing session hijacking, credential theft, content manipulation, or other actions within the user’s privileges. | ||||
| CVE-2026-27568 | 1 Wwbn | 1 Avideo | 2026-04-16 | 6.1 Medium |
| WWBN AVideo is an open source video platform. Prior to version 21.0, AVideo allows Markdown in video comments and uses Parsedown (v1.7.4) without Safe Mode enabled. Markdown links are not sufficiently sanitized, allowing `javascript:` URIs to be rendered as clickable links. An authenticated low-privilege attacker can post a malicious comment that injects persistent JavaScript. When another user clicks the link, the attacker can perform actions such as session hijacking, privilege escalation (including admin takeover), and data exfiltration. Version 21.0 contains a fix. As a workaround, validate and block unsafe URI schemes (e.g., `javascript:`) before rendering Markdown, and enable Parsedown Safe Mode. | ||||
| CVE-2026-27746 | 1 Spip | 2 Jeux, Spip | 2026-04-16 | 6.1 Medium |
| The SPIP jeux plugin versions prior to 4.1.1 contain a reflected cross-site scripting (XSS) vulnerability in the pre_propre pipeline. The plugin incorporates untrusted request parameters into HTML output without proper output encoding, allowing attackers to inject arbitrary script content into pages that render a jeux block. When a victim is induced to visit a crafted URL, the injected content is reflected into the response and executed in the victim's browser context. | ||||
| CVE-2026-31153 | 1 Bynder | 1 Bynder | 2026-04-16 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability in Bynder v0.1.394 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | ||||