Total
45083 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-10048 | 2026-04-15 | 6.1 Medium | ||
| The Post Status Notifier Lite and Premium plugins for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘page’ parameter in all versions up to, and including, 1.11.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2023-49965 | 1 Spacex | 1 Starlink Wifi Router Gen2 | 2026-04-15 | 6.8 Medium |
| SpaceX Starlink Wi-Fi router Gen 2 before 2023.48.0 allows XSS via the ssid and password parameters on the Setup Page. | ||||
| CVE-2025-22270 | 1 Cyberark | 1 Endpoint Privilege Manager | 2026-04-15 | N/A |
| An attacker with access to the Administration panel, specifically the "Role Management" tab, can inject code by adding a new role in the "name" field. It should be noted, however, that the risk of exploiting vulnerability is reduced due to the required additional error that allows bypassing the Content-Security-Policy policy, which mitigates JS code execution while still allowing HTML injection. This issue affects CyberArk Endpoint Privilege Manager in SaaS version 24.7.1. The status of other versions is unknown. After multiple attempts to contact the vendor we did not receive any answer. | ||||
| CVE-2024-45254 | 1 Vaemendis | 1 Vaemendis Ubooquity | 2026-04-15 | 7.5 High |
| VaeMendis - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | ||||
| CVE-2025-8153 | 1 Nec Corporation | 2 Univerge 1x, Univerge 1x-r\/ix-v | 2026-04-15 | N/A |
| Cross-site Scripting vulnerability in NEC Corporation UNIVERGE IX from Ver.9.5 to Ver.10.7, from Ver.10.8.21 to Ver.10.8.36, from Ver.10.9.11 to Ver.10.9.24, from Ver.10.10.21 to Ver.10.10.31, Ver.10.11.6 and UNIVERGE IX-R/IX-V Ver1.3.16, Ver1.3.21 allows a attacker to inject an arbitrary scripts may be executed on the user's browser. | ||||
| CVE-2025-9096 | 1 Express-gateway | 1 Express-gateway | 2026-04-15 | 3.5 Low |
| A vulnerability has been found in ExpressGateway express-gateway up to 1.16.10. Affected is an unknown function in the library lib/rest/routes/apps.js of the component REST Endpoint. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-37122 | 2 Arubanetworks, Hpe | 2 Clearpass Policy Manager, Aruba Networking Clearpass Policy Manager | 2026-04-15 | 6.1 Medium |
| A vulnerability in the web-based management interface of network access control services could allow an unauthenticated remote attacker to conduct a Reflected Cross-Site Scripting (XSS) attack. Successful exploitation could allow an attacker to execute arbitrary JavaScript code in a victim's browser in the context of the affected interface. | ||||
| CVE-2025-51624 | 2026-04-15 | 7.6 High | ||
| Cross-site scripting (XSS) vulnerability in Zone Bitaqati thru 3.4.0. | ||||
| CVE-2025-62508 | 1 Starcitizentools | 1 Mediawiki-skins-citizen | 2026-04-15 | 6.5 Medium |
| Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Citizen from 3.3.0 to 3.9.0 are vulnerable to stored cross-site scripting in the sticky header button message handling. In stickyHeader.js the copyButtonAttributes function assigns innerHTML from a source element’s textContent when copying button labels. This causes escaped HTML in system message content (such as citizen-share, citizen-view-history, citizen-view-edit, and nstab-talk) to be interpreted as HTML in the sticky header, allowing injection of arbitrary script by a user with the ability to edit interface messages. The vulnerability allows a user with the editinterface right but without the editsitejs right (by default the sysop group has editinterface but may not have editsitejs) to execute arbitrary JavaScript in other users’ sessions, enabling unauthorized access to sensitive data or actions. The issue is fixed in 3.9.0. | ||||
| CVE-2025-62985 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in llamaman Simple Pull Quote simple-pull-quote allows Stored XSS.This issue affects Simple Pull Quote: from n/a through <= 1.6.3. | ||||
| CVE-2024-37248 | 2026-04-15 | 6.5 Medium | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CryoutCreations Anima allows Stored XSS.This issue affects Anima: from n/a through 1.4.1. | ||||
| CVE-2025-40679 | 1 Bdtask | 1 Isshue | 2026-04-15 | N/A |
| HTML Injection vulnerability in Isshue by Bdtask, consisting os an HTML injection due to a lack os proper validation of user input by sending a POST request to '/category_product_search', affecting the 'product_name' parameter. | ||||
| CVE-2024-4174 | 2026-04-15 | 5.4 Medium | ||
| Cross-Site Scripting (XSS) vulnerability in Hyperion Web Server affecting version 2.0.15. This vulnerability could allow an attacker to execute malicious Javascript code on the client by injecting that code into the URL. | ||||
| CVE-2024-26367 | 2026-04-15 | 6.1 Medium | ||
| Cross Site Scripting vulnerability in Evertz microsystems MViP-II Firmware 8.6.5, XPS-EDGE-* Build 1467, evEDGE-EO-* Build 0029, MMA10G-* Build 0498, 570IPG-X19-10G Build 0691 allows a remote attacker to execute arbitrary code via a crafted payload to the login parameters. | ||||
| CVE-2024-50800 | 2026-04-15 | 6.1 Medium | ||
| Cross Site Scripting vulnerability in M2000 Smart4Web before v.5.020241004 allows a remote attacker to execute arbitrary code via the error parameter in URL | ||||
| CVE-2025-55134 | 1 Agora Foundation | 1 Agora | 2026-04-15 | 6.4 Medium |
| In Agora Foundation Agora fall23-Alpha1 before b087490, there is XSS via tag in client/agora/public/js/editorManager.js. | ||||
| CVE-2022-50801 | 2026-04-15 | 4.3 Medium | ||
| JM-DATA ONU JF511-TV version 1.0.67 is vulnerable to authenticated stored cross-site scripting (XSS) attacks, allowing attackers with authenticated access to inject malicious scripts that will be executed in other users' browsers when they view the affected content. | ||||
| CVE-2025-40663 | 2026-04-15 | N/A | ||
| Stored Cross-Site Scripting (XSS) vulnerability in i2A-Cronos version 23.02.01.17, from i2A. It allows an authenticated attacker to upload a malicious SVG image into the user's personal space in /CronosWeb/Modules/Persons/PersonalDocuments/PersonalDocuments. There is no reported fix at this time. | ||||
| CVE-2019-25367 | 1 Arangodb | 1 Arangodb Community Edition | 2026-04-15 | 5.4 Medium |
| ArangoDB Community Edition 3.4.2-1 contains multiple cross-site scripting vulnerabilities in the Aardvark web admin interface (index.html) through search, user management, and API parameters. Attackers can inject scripts via parameters in /_db/_system/_admin/aardvark/index.html to execute JavaScript in authenticated users' browsers. | ||||
| CVE-2025-5301 | 2026-04-15 | 6.1 Medium | ||
| ONLYOFFICE Docs (DocumentServer) in versions equal and below 8.3.1 are affected by a reflected cross-site scripting (XSS) issue when opening files via the WOPI protocol. Attackers could inject malicious scripts via crafted HTTP POST requests, which are then reflected in the server's HTML response. | ||||