Total
44964 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-48410 | 1 Camtrace | 1 Camtrace | 2026-04-15 | 6.1 Medium |
| Cross Site Scripting vulnerability in Camtrace v.9.16.2.1 allows a remote attacker to execute arbitrary code via the login.php. | ||||
| CVE-2024-43408 | 2026-04-15 | 6.3 Medium | ||
| Discourse Placeholder Forms will let you build dynamic documentation. Unsanitized and stored user input was injected in the html of the post. The vulnerability is fixed in commit a62f711d5600e4e5d86f342d52932cb6221672e7. | ||||
| CVE-2025-66421 | 1 Tryton | 1 Tryton | 2026-04-15 | 5.4 Medium |
| Tryton sao (aka tryton-sao) before 7.6.11 allows XSS because it does not escape completion values. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.69. | ||||
| CVE-2024-31107 | 2026-04-15 | 7.1 High | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DiSo Development Team OpenID allows Reflected XSS.This issue affects OpenID: from n/a through 3.6.1. | ||||
| CVE-2024-4984 | 2 Wordpress, Yoast | 2 Wordpress, Yoast Seo | 2026-04-15 | 6.4 Medium |
| The Yoast SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘display_name’ author meta in all versions up to, and including, 22.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-31110 | 2026-04-15 | 7.1 High | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Katz Web Services, Inc. Contact Form 7 Newsletter allows Reflected XSS.This issue affects Contact Form 7 Newsletter: from n/a through 2.2. | ||||
| CVE-2024-42818 | 1 Fastapi-admin | 1 Fastapi-admin Pro | 2026-04-15 | 6.1 Medium |
| A cross-site scripting (XSS) vulnerability in the Config-Create function of fastapi-admin pro v0.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Product Name parameter. | ||||
| CVE-2024-42671 | 2026-04-15 | 6.1 Medium | ||
| A Host Header Poisoning Open Redirect issue in slabiak Appointment Scheduler v.1.0.5 allows a remote attacker to redirect users to a malicious website, leading to potential credential theft, malware distribution, or other malicious activities. | ||||
| CVE-2024-42550 | 2026-04-15 | 5.4 Medium | ||
| A cross-site scripting (XSS) vulnerability in the component /email/welcome.php of Mini Inventory and Sales Management System commit 18aa3d allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter. | ||||
| CVE-2024-42515 | 1 Pebbleroad | 1 Glossarizer | 2026-04-15 | 9.9 Critical |
| Glossarizer through 1.5.2 improperly tries to convert text into HTML. Even though the application itself escapes special characters (e.g., <>), the underlying library converts these encoded characters into legitimate HTML, thereby possibly causing stored XSS. Attackers can append a XSS payload to a word that has a corresponding glossary entry. | ||||
| CVE-2024-4224 | 2026-04-15 | 5.4 Medium | ||
| An authenticated stored cross-site scripting (XSS) exists in the TP-Link TL-SG1016DE affecting version TL-SG1016DE(UN) V7.6_1.0.0 Build 20230616, which could allow an adversary to run JavaScript in an administrator's browser. This issue was fixed in TL-SG1016DE(UN) V7_1.0.1 Build 20240628. | ||||
| CVE-2024-9608 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| The MyParcel plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 4.24.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Please note this is only exploitable when the WooCommerce store is set to Belgium. | ||||
| CVE-2024-10176 | 1 Tipsandtricks-hq | 1 Compact Wp Audio Player | 2026-04-15 | 6.4 Medium |
| The Compact WP Audio Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sc_embed_player shortcode in all versions up to, and including, 1.9.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2019-25315 | 2 Anttiviljami, Wordpress | 2 Wp Server Log Viewer, Wordpress | 2026-04-15 | 6.4 Medium |
| WordPress Server Log Viewer 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through unfiltered log file paths. Attackers can add log files with embedded XSS payloads that will execute when viewed in the WordPress admin interface. | ||||
| CVE-2024-41943 | 2026-04-15 | 4.6 Medium | ||
| I, Librarian is an open-source version of a PDF managing SaaS. PDF notes are displayed on the Item Summary page without any form of validation or sanitation. An attacker can exploit this vulnerability by inserting a payload in the PDF notes that contains malicious code or script. This code will then be executed when the page is loaded in the browser. The vulnerability was fixed in version 5.11.1. | ||||
| CVE-2024-4193 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'testimonialcategory' shortcode in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-41805 | 2026-04-15 | 6.1 Medium | ||
| Tracks, a Getting Things Done (GTD) web application, is vulnerable to reflected cross-site scripting in versions prior to 2.7.1. Reflected cross-site scripting enables execution of malicious JavaScript in the context of a user’s browser if that user clicks on a malicious link, allowing phishing attacks that could lead to credential theft. Tracks version 2.7.1 is patched. No known complete workarounds are available. | ||||
| CVE-2024-41673 | 1 Decidim | 1 Decidim | 2026-04-15 | 7.1 High |
| Decidim is a participatory democracy framework. The version control feature used in resources is subject to potential XSS attack through a malformed URL. This vulnerability is fixed in 0.27.8. | ||||
| CVE-2024-41663 | 1 Thinkst | 1 Canarytokens | 2026-04-15 | 3.5 Low |
| Canarytokens help track activity and actions on a network. A Cross-Site Scripting vulnerability was identified in the "Cloned Website" Canarytoken, whereby the Canarytoken's creator can attack themselves. The creator of a slow-redirect Canarytoken can insert Javascript into the destination URL of their slow redirect token. When the creator later browses the management page for their own Canarytoken, the Javascript executes. This is a self-XSS. An attacker could create a Canarytoken with this self-XSS, and send the management link to a victim. When they click on it, the Javascript would execute. However, no sensitive information (ex. session information) will be disclosed to the malicious actor. This issue is now patched on Canarytokens.org. Users of self-hosted Canarytokens installations can update by pulling the latest Docker image, or any Docker image after `sha-097d91a`. | ||||
| CVE-2024-41640 | 1 Amlpartners | 1 Surety Eco | 2026-04-15 | 6.1 Medium |
| Cross Site Scripting (XSS) vulnerability in AML Surety Eco up to 3.5 allows an attacker to run arbitrary code via crafted GET request using the id parameter. | ||||