Search Results (43889 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-25051 | 1 N8n | 1 N8n | 2026-02-05 | 5.4 Medium |
| n8n is an open source workflow automation platform. Prior to version 1.123.2, a Cross-Site Scripting (XSS) vulnerability has been identified in the handling of webhook responses and related HTTP endpoints. Under certain conditions, the Content Security Policy (CSP) sandbox protection intended to isolate HTML responses may not be applied correctly. An authenticated user with permission to create or modify workflows could abuse this to execute malicious scripts with same-origin privileges when other users interact with the crafted workflow. This could lead to session hijacking and account takeover. This issue has been patched in version 1.123.2. | ||||
| CVE-2026-22232 | 2 Opexus, Opexustech | 2 Ecase Audit, Ecase Audit | 2026-02-05 | 5.5 Medium |
| OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript in the "A or SIC Number" field within the Project Setup functionality. The JavaScript is executed whenever another user views the project. Fixed in OPEXUS eCASE Audit 11.14.2.0. | ||||
| CVE-2026-22231 | 2 Opexus, Opexustech | 2 Ecase Audit, Ecase Audit | 2026-02-05 | 5.5 Medium |
| OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment within the Document Check Out functionality. The JavaScript is executed whenever another user views the Action History Log. Fixed in OPEXUS eCASE Platform 11.14.1.0. | ||||
| CVE-2026-22233 | 2 Opexus, Opexustech | 2 Ecase Audit, Ecase Audit | 2026-02-05 | 5.5 Medium |
| OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment in the "Estimated Staff Hours" field. The JavaScript is executed whenever another user visits the Project Cost tab. Fixed in OPEXUS eCASE Audit 11.14.2.0. | ||||
| CVE-2025-41024 | 2 Nikhil-bhalerao, Poultry Farm Management System Project | 2 Poultry Farm Management System, Poultry Farm Management System | 2026-02-05 | 5.4 Medium |
| Stored Cross-Site Scripting (XSS) in Poultry Farm Management System v1.0 due to the lack of proper validation of user input by sending a POST request. The relationship between parameters and assigned identifiers is as follows: 'companyaddress', 'companyemail', 'companyname', 'country', 'mobilenumber' and 'regno' parameters in '/farm/farmprofile.php'. | ||||
| CVE-2025-41025 | 2 Nikhil-bhalerao, Poultry Farm Management System Project | 2 Poultry Farm Management System, Poultry Farm Management System | 2026-02-05 | 5.4 Medium |
| Stored Cross-Site Scripting (XSS) in Poultry Farm Management System v1.0 due to the lack of proper validation of user input by sending a POST request. The relationship between parameters and assigned identifiers is as follows: 'category' and 'product' parameters in '/farm/sell_product.php'. | ||||
| CVE-2026-24346 | 2 Actions-micro, Nimbletech | 4 Ezcast Pro Ii, Ezcast Pro Ii Firmware, Ezcast Pro Dongle Ii and 1 more | 2026-02-05 | 9.1 Critical |
| Use of well-known default credentials in Admin UI of EZCast Pro II version 1.17478.146 allows attackers to access protected areas in the web application. | ||||
| CVE-2026-24348 | 2 Actions-micro, Nimbletech | 4 Ezcast Pro Ii, Ezcast Pro Ii Firmware, Ezcast Pro Dongle Ii and 1 more | 2026-02-05 | 6.1 Medium |
| Multiple cross-site scripting vulnerabilities in Admin UI of EZCast Pro II version 1.17478.146 allow attackers to execute arbitrary JavaScript code in the browser of other Admin UI users. | ||||
| CVE-2025-52344 | 1 Explorance | 1 Blue | 2026-02-05 | 6.1 Medium |
| Multiple Cross Site Scripting (XSS) vulnerabilities in input fields in Explorance Blue 8.1.2 allow attackers to inject arbitrary JavaScript code on the user's browser via the Group name and Project Description input fields. | ||||
| CVE-2025-63073 | 2 Dream-theme, Wordpress | 2 The7, Wordpress | 2026-02-05 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dream-Theme The7 dt-the7 allows DOM-Based XSS. This issue affects The7: from n/a through <= 12.8.0.2. | ||||
| CVE-2025-63420 | 1 Crushftp | 1 Crushftp | 2026-02-05 | 4.1 Medium |
| CrushFTP11 before 11.3.7_57 is vulnerable to stored HTML injection in the CrushFTP Admin Panel (Reports / "Who Created Folder"), enabling persistent HTML execution in admin sessions. | ||||
| CVE-2026-20111 | 1 Cisco | 1 Prime Infrastructure | 2026-02-05 | 4.8 Medium |
| A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against users of the interface of an affected system. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by inserting malicious code into specific data fields in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, an attacker must have valid administrative credentials. | ||||
| CVE-2026-0742 | 1 Wordpress | 1 Wordpress | 2026-02-04 | 6.4 Medium |
| The Smart Appointment & Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the saab_save_form_data AJAX action in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-0681 | 1 Wordpress | 1 Wordpress | 2026-02-04 | 4.4 Medium |
| The Extended Random Number Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2026-0743 | 1 Wordpress | 1 Wordpress | 2026-02-04 | 4.4 Medium |
| The WP Content Permission plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ohmem-message' parameter in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-21393 | 2 Six Apart, Six Apart Ltd | 2 Movable Type, Movable Type | 2026-02-04 | N/A |
| Movable Type contains a stored cross-site scripting vulnerability in Edit Comment. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well. | ||||
| CVE-2026-22875 | 2 Six Apart, Six Apart Ltd | 2 Movable Type, Movable Type | 2026-02-04 | N/A |
| Movable Type contains a stored cross-site scripting vulnerability in Export Sites. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well. | ||||
| CVE-2026-0873 | 1 Ercom | 1 Cryptobox | 2026-02-04 | N/A |
| On a Cryptobox platform where administrator segregation based on entities is used, some vulnerabilities in Ercom Cryptobox administration console allow an authenticated entity administrator with knowledge to elevate his account to global administrator. | ||||
| CVE-2026-1819 | 1 Karel | 1 Viport | 2026-02-04 | 8.8 High |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Karel Electronics Industry and Trade Inc. ViPort allows Stored XSS. This issue affects ViPort: through 23012026. | ||||
| CVE-2025-64174 | 1 Openmage | 1 Magento | 2026-02-04 | 4.8 Medium |
| Magento-lts is a long-term support alternative to Magento Community Edition (CE). Versions 20.15.0 and below are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin with direct database access or the admin notification feed source to inject malicious scripts into vulnerable fields. Unescaped translation strings and URLs are printed into contexts inside app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Actions.php. A malicious translation or polluted data can inject script. This issue is fixed in version 20.16.0. | ||||