Total
44772 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-8886 | 2 Huankong, Wordpress | 2 Hk Shortcode, Wordpress | 2026-05-27 | 6.4 Medium |
| The hk_shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title-plane' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes in the huankong_post_short_title_plane() function, where the 'title' attribute is concatenated directly into HTML output without any escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-8040 | 2 Wordpress, Yehudah | 2 Wordpress, Faq Shortocde | 2026-05-27 | 6.4 Medium |
| The faq shortocde plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' shortcode attribute in the 'faq' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-8899 | 2 Gapgag55, Wordpress | 2 Auto Thumbnails, Wordpress | 2026-05-27 | 6.4 Medium |
| The Auto Thumbnail plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'thumbnails' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on the shortcode's 'width' and 'height' attributes in the athn_thumbnails() function, which are concatenated directly into an HTML <img> tag. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-8867 | 2 Fides-it, Wordpress | 2 Post Categories Gallery, Wordpress | 2026-05-27 | 6.4 Medium |
| The Post Category Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'postcategorygallery' shortcode in versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes (such as total_width, color_scheme, and caption_font_size) inside the sc_horcatbar() function, which are concatenated directly into HTML attribute values. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-8884 | 2 Neilmccutcheon, Wordpress | 2 Instant-quote.co Quotation Page, Wordpress | 2026-05-27 | 6.4 Medium |
| The Instant-Quote.co Quotation Page plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. A Contributor-level user can trigger execution against higher-privileged users by embedding the malicious shortcode in a post submitted for review, causing the injected scripts to execute when an administrator previews or views the post. | ||||
| CVE-2026-8143 | 2 Omnivo, Wordpress | 2 Booking Calendar – Event Calendar, Wordpress | 2026-05-27 | 7.2 High |
| The HBook plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hb_country_iso', 'hb_usa_state_iso', and 'hb_canada_province_iso' parameters in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page (the HBook Customers admin page). | ||||
| CVE-2026-3001 | 2 Jegstudio, Wordpress | 2 Gutenverse – Wordpress Blocks, Page Builder & Site Editor, Wordpress | 2026-05-27 | 6.1 Medium |
| The Gutenverse plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 3.4.6 due to insufficient input sanitization and output escaping. Specifically, the `render_content()` method in `class-search-result-title.php` outputs the value of `get_query_var('s')` directly into the page HTML without applying `esc_html()` or any other escaping function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages via a crafted URL that execute if a user clicks the link, provided the `gutenverse/search-result-title` block is present on the site's search results template. | ||||
| CVE-2026-3375 | 2 Litespeedtech, Wordpress | 2 Litespeed Cache, Wordpress | 2026-05-27 | 7.2 High |
| The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the /wp-json/litespeed/v1/notify_ccss and /wp-json/litespeed/v1/notify_ucss REST API endpoints in all versions up to, and including, 7.7. These endpoints accept CSS content from QUIC.cloud callback notifications and store it to disk without sanitization. The stored content is later rendered inline frontend page loads without output escaping. The access control protecting these endpoints is IP-based validation that can potentially be bypassed when the WordPress site is deployed behind a reverse proxy, load balancer, or CDN with certain configurations. This makes it possible for unauthenticated attackers, under certain conditions, to inject arbitrary JavaScript into CCSS/UCSS content. | ||||
| CVE-2026-48905 | 1 Joomla | 2 Joomla! Framework Filter Package, Joomla\! | 2026-05-27 | 6.1 Medium |
| Lack of input filtering leads to an XSS vector in the HTML filter code. | ||||
| CVE-2026-48903 | 1 Joomla | 1 Joomla\! | 2026-05-27 | 6.1 Medium |
| Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components. | ||||
| CVE-2026-44669 | 1 Factionsecurity | 1 Faction | 2026-05-26 | 8.7 High |
| FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, Faction is vulnerable to stored cross-site scripting (XSS) via attachment filenames in assessment file preview flows. User-supplied filename values are persisted and later rendered into HTML/attribute contexts without output encoding, allowing attacker-controlled JavaScript to execute in the browser of any user who views the affected page. Because the payload is stored server-side and rendered to other users, exploitation is persistent and can impact privileged accounts. This vulnerability is fixed in 1.8.3. | ||||
| CVE-2026-9564 | 2 Oretnom23, Sourcecodester | 2 Hospitals Patient Records Management System, Hospitals Patient Records Management System | 2026-05-26 | 2.4 Low |
| A vulnerability was found in SourceCodester/oretnom23 Hospitals Patient Records Management System 1.0. The impacted element is an unknown function of the file /admin/?page=patients/view_patient. Performing a manipulation of the argument Remarks results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used. | ||||
| CVE-2026-40597 | 1 Mantisbt | 1 Mantisbt | 2026-05-26 | N/A |
| Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.28.1 and below, given any pre-existing XSS / HTML injection vulnerability, an attacker can bypass the Content Security Policy's script-src directive by uploading a crafted attachment to any issue that, when accessed via the file_download.php link, will be downloaded with a valid JavaScript MIME type resulting in script execution. The uploaded payload must be sniffed as a valid JavaScript MIME type by PHP finfo (see file_create_finfo() API function). Non-JavaScript MIME types will not get imported in a <script> tag by the browser, due to response header X-Content-Type-Options being set to nosniff, which requires all imported JavaScript files to be a valid JavaScript MIME type. This issue has been fixed in version 2.28.2. | ||||
| CVE-2026-40607 | 1 Mantisbt | 1 Mantisbt | 2026-05-26 | N/A |
| Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.11.0 through 2.28.1, a Stored XSS vulnerability is caused by incorrect escaping of a saved filter's owner, allowing an attacker to inject arbitrary HTML on systems where $g_show_user_realname = ON. Note that By default, only users with Manager access level or above can save their filters publicly. This issue has been fixed in version 2.28.2. If developers are unable to update immediately, they can work around this issue by preventing display of users' real names (set $g_ show_user_realname = OFF; in configuration), and restricting the ability to store filters (set $g_stored_query_create_threshold / $g_stored_query_create_shared_threshold to NOBODY). | ||||
| CVE-2026-8197 | 1 Concretecms | 1 Concrete Cms | 2026-05-26 | 4.8 Medium |
| Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via OAuth integration name. The OAuth authorize template renders the integration name (admin-controlled) through Concrete's t() translation helper as a sprintf-style format. The <strong>...</strong> wrap is built by PHP string interpolation before t() runs, so the integration name lands in the translated output as raw HTML. A rogue admin could potentially snoop on login submissions.The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Thanks Yonatan Drori (Tenzai) for reporting. | ||||
| CVE-2026-8203 | 1 Concretecms | 1 Concrete Cms | 2026-05-26 | 5.4 Medium |
| Concrete CMS 9.5.0 and below has Stored XSS on the height parameter. The controller does not validate or sanitize $height. Any user with editor privileges can inject malicious JavaScript that executes in the context of any visitor's browser, potentially leading to session hijacking, credential theft, or other malicious actions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.3 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks Alfin Joseph for reporting. | ||||
| CVE-2026-8139 | 1 Concretecms | 1 Concrete Cms | 2026-05-26 | 5.4 Medium |
| Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName because updateCollectionAliasExternal bypasses being sanitized. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.0 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. | ||||
| CVE-2026-41147 | 1 Nukeviet | 1 Nukeviet | 2026-05-26 | 8.7 High |
| NukeViet CMS is a multi Content Management System. Versions 4.5.07 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability caused by insufficient server-side input sanitization in the Request class. The application relies primarily on client-side filtering to sanitize HTML tags and attributes in user-submitted content, which can be bypassed by intercepting and modifying HTTP requests directly (e.g., using Burp Suite). An attacker can inject malicious payloads which are stored server-side and executed in the browser of any user who views the content. Anyone viewing user-submitted content (such as administrators and moderators reviewing contact messages or comments) is impacted, and the vulnerability can be exploited by any anonymous visitor without authentication, with the Contact module used only as a proof of concept. Potential consequences include session hijacking through cookie theft, unauthorized actions performed under the victim's identity, defacement or redirection to phishing pages, and phishing attacks via manipulated email notifications. This issue has been fixed in version 4.5.08. If developers are unable to upgrade immediately, they should work around this issue by implementing server-side HTML sanitization in the Request class to strip or encode dangerous tags and attributes (e.g., <iframe>, srcdoc, event handlers like onerror/onload), enforcing a Content Security Policy (CSP) to restrict inline script execution, and set cookies with the HttpOnly flag to mitigate cookie theft via XSS. | ||||
| CVE-2026-9417 | 1 Code-projects | 1 Employee Management System | 2026-05-26 | 4.3 Medium |
| A vulnerability was detected in code-projects Employee Management System 1.0. Affected is an unknown function of the file /myprofileup.php. Performing a manipulation of the argument ID results in cross site scripting. The attack is possible to be carried out remotely. The exploit is now public and may be used. | ||||
| CVE-2026-45435 | 2 Melapress, Wordpress | 2 Wp Activity Log, Wordpress | 2026-05-26 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Melapress WP Activity Log allows DOM-Based XSS. This issue affects WP Activity Log: from n/a through 5.6.3. | ||||