Total
43700 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-23794 | 1 Apache | 1 Syncope | 2026-04-18 | 6.8 Medium |
| Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue. | ||||
| CVE-2026-24674 | 2 Gunet, Openeclass | 2 Open Eclass Platform, Openeclass | 2026-04-18 | 4.7 Medium |
| The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Reflected Cross-Site Scripting (XSS) vulnerability allows remote attackers to execute arbitrary JavaScript in the context of authenticated users by crafting malicious URLs and tricking victims into visiting them. This issue has been patched in version 4.2. | ||||
| CVE-2026-24665 | 2 Gunet, Openeclass | 2 Open Eclass Platform, Openeclass | 2026-04-18 | 8.7 High |
| The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a stored Cross-Site Scripting (XSS) vulnerability allows authenticated students to inject malicious JavaScript into uploaded assignment files, which is executed when instructors view the submission. This issue has been patched in version 4.2. | ||||
| CVE-2026-25486 | 1 Craftcms | 2 Commerce, Craft Commerce | 2026-04-18 | 4.8 Medium |
| Craft Commerce is an ecommerce platform for Craft CMS. From version 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Methods Name field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in version 5.5.2. | ||||
| CVE-2026-25489 | 1 Craftcms | 2 Commerce, Craft Commerce | 2026-04-18 | 4.8 Medium |
| Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2. | ||||
| CVE-2026-25490 | 1 Craftcms | 2 Commerce, Craft Commerce | 2026-04-18 | 4.8 Medium |
| Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the 'Address Line 1' field in Inventory Locations is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2. | ||||
| CVE-2026-20985 | 1 Samsung | 2 Members, Samsung Members | 2026-04-18 | 4.3 Medium |
| Improper input validation in Samsung Members prior to version 5.6.00.11 allows remote attackers to connect arbitrary URL and launch arbitrary activity with Samsung Members privilege. User interaction is required for triggering this vulnerability. | ||||
| CVE-2026-22875 | 2 Six Apart, Six Apart Ltd | 2 Movable Type, Movable Type | 2026-04-18 | N/A |
| Movable Type contains a stored cross-site scripting vulnerability in Export Sites. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well. | ||||
| CVE-2026-20111 | 1 Cisco | 1 Prime Infrastructure | 2026-04-18 | 4.8 Medium |
| A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against users of the interface of an affected system. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by inserting malicious code into specific data fields in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, an attacker must have valid administrative credentials. | ||||
| CVE-2026-0947 | 2 Bordeaux-metropole, Drupal | 2 At Internet Piano Analytics, At Internet Piano Analytics | 2026-04-18 | 4.8 Medium |
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AT Internet Piano Analytics allows Cross-Site Scripting (XSS).This issue affects AT Internet Piano Analytics: from 0.0.0 before 1.0.1, from 2.0.0 before 2.3.1. | ||||
| CVE-2026-25578 | 1 Navidrome | 1 Navidrome | 2026-04-18 | 6.1 Medium |
| Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched in version 0.60.0. | ||||
| CVE-2026-0521 | 2 Tydac, Tydac Ag | 2 Map\+, Map+ | 2026-04-18 | 6.1 Medium |
| A reflected cross-site scripting (XSS) vulnerability in the PDF export functionality of the TYDAC AG MAP+ solution allows unauthenticated attackers to craft a malicious URL, that if visited by a victim, will execute arbitrary JavaScript in the victim's context. Such a URL could be delivered through various means, for instance, by sending a link or by tricking victims to visit a page crafted by the attacker. This issue was verified in MAP+: 3.4.0. | ||||
| CVE-2026-1769 | 2 Microsoft, Xerox | 2 Windows, Centreware Web | 2026-04-18 | 5.3 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Xerox CentreWare on Windows allows Stored XSS.This issue affects CentreWare: through 7.0.6. Consider upgrading Xerox® CentreWare Web® to v7.2.2.25 via the software available on Xerox.com | ||||
| CVE-2026-24050 | 1 Zulip | 2 Zulip, Zulip Server | 2026-04-18 | 5.4 Medium |
| Zulip is an open-source team collaboration tool. From 5.0 to before 11.5, some administrative actions on the user profile were susceptible to stored XSS in group names or channel names. Exploiting these vulnerabilities required the user explicitly interacting with the problematic object. This vulnerability is fixed in 11.5. | ||||
| CVE-2026-25647 | 2 B3log, Siyuan | 2 Siyuan, Siyuan | 2026-04-18 | 4.6 Medium |
| Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier (as used in SiYuan before) has a Stored Cross-Site Scripting (XSS) vulnerability in the Markdown rendering engine. An attacker can inject malicious JavaScript into a Markdown text/note. When another user clicks the rendered content, the script executes in the context of their session. | ||||
| CVE-2026-2145 | 1 Cym1102 | 1 Nginxwebui | 2026-04-18 | 3.5 Low |
| A vulnerability was identified in cym1102 nginxWebUI up to 4.3.7. The impacted element is an unknown function of the file /adminPage/conf/check of the component Web Management Interface. Such manipulation of the argument nginxDir leads to cross site scripting. The attack can be executed remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-2149 | 3 Pamzey, Patrick Mvuma, Sourcecodester | 3 Patients Waiting Area Queue Management System, Patients Waiting Area Queue Management System, Patients Waiting Area Queue Management System | 2026-04-18 | 4.3 Medium |
| A vulnerability was detected in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /appointments.php. The manipulation of the argument patient_id results in cross site scripting. It is possible to launch the attack remotely. The exploit is now public and may be used. | ||||
| CVE-2026-2150 | 3 Pamzey, Patrick Mvuma, Sourcecodester | 3 Patients Waiting Area Queue Management System, Patients Waiting Area Queue Management System, Patients Waiting Area Queue Management System | 2026-04-18 | 4.3 Medium |
| A flaw has been found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this issue is some unknown functionality of the file /checkin.php. This manipulation of the argument patient_id causes cross site scripting. The attack can be initiated remotely. The exploit has been published and may be used. | ||||
| CVE-2026-2159 | 2 Oretnom23, Sourcecodester | 2 Simple Responsive Tourism Website, Simple Responsive Tourism Website | 2026-04-18 | 4.3 Medium |
| A flaw has been found in SourceCodester Simple Responsive Tourism Website 1.0. Affected is an unknown function of the file /tourism/classes/Master.php?f=register of the component Registration. Executing a manipulation of the argument firstname/lastname/username can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been published and may be used. | ||||
| CVE-2026-2160 | 2 Oretnom23, Sourcecodester | 2 Simple Responsive Tourism Website, Simple Responsive Tourism Website | 2026-04-18 | 4.3 Medium |
| A vulnerability has been found in SourceCodester Simple Responsive Tourism Website 1.0. Affected by this vulnerability is an unknown functionality of the file /tourism/classes/Master.php?f=save_package. The manipulation of the argument Title leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||