Total
42282 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-27178 | 2 Mjdm, Sergejey | 2 Majordomo, Majordomo | 2026-03-05 | 7.2 High |
| MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XSS) vulnerability through method parameter injection into the shoutbox. The /objects/?method= endpoint allows unauthenticated execution of stored methods with attacker-controlled parameters. Default methods such as ThisComputer.VolumeLevelChanged pass the user-supplied VALUE parameter directly into the say() function, which stores the message raw in the shouts database table without escaping. The shoutbox widget renders stored messages without sanitization in both PHP rendering code and HTML templates. Because the dashboard widget auto-refreshes every 3 seconds, the injected script executes automatically when any administrator loads the dashboard, enabling session hijack through cookie exfiltration. | ||||
| CVE-2026-27177 | 2 Mjdm, Sergejey | 2 Majordomo, Majordomo | 2026-03-05 | 7.2 High |
| MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XSS) vulnerability via the /objects/?op=set endpoint, which is intentionally unauthenticated for IoT device integration. User-supplied property values are stored raw in the database without sanitization. When an administrator views the property editor in the admin panel, the stored values are rendered without escaping in both a paragraph tag (SOURCE field) and a textarea element (VALUE field). The XSS fires on page load without requiring any click from the admin. Additionally, the session cookie lacks the HttpOnly flag, enabling session hijack via document.cookie exfiltration. An attacker can enumerate properties via the unauthenticated /api.php/data/ endpoint and poison any property with malicious JavaScript. | ||||
| CVE-2026-27176 | 2 Mjdm, Sergejey | 2 Majordomo, Majordomo | 2026-03-05 | 6.1 Medium |
| MajorDoMo (aka Major Domestic Module) contains a reflected cross-site scripting (XSS) vulnerability in command.php. The $qry parameter is rendered directly into the HTML page without sanitization via htmlspecialchars(), both in an input field value attribute and in a paragraph element. An attacker can inject arbitrary JavaScript by crafting a URL with malicious content in the qry parameter. | ||||
| CVE-2026-26351 | 2 Get-simple, Getsimple-ce | 2 Getsimplecms, Getsimple Cms | 2026-03-05 | 4.8 Medium |
| GetSimpleCMS Community Edition (CE) version 3.3.16 contains a stored cross-site scripting (XSS) vulnerability in the Theme to Components functionality within components.php. User-supplied input provided to the "slug" field of a component is stored without proper output encoding. While other fields are sanitized using safe_slash_html(), the slug parameter is written to XML and later rendered in the administrative interface without sanitation, resulting in persistent execution of arbitrary JavaScript. An authenticated administrator can inject malicious script content that executes whenever the affected Components page is viewed by any authenticated user, enabling session hijacking, unauthorized administrative actions, and persistent compromise of the CMS administrative interface. | ||||
| CVE-2026-26345 | 1 Spip | 1 Spip | 2026-03-05 | 5.4 Medium |
| SPIP before 4.4.8 contains a stored cross-site scripting (XSS) vulnerability in the public area triggered in certain edge-case usage patterns. The echapper_html_suspect() function does not adequately sanitize user-controlled content, allowing authenticated users with content-editing privileges (e.g., author-level roles and above) to inject malicious scripts. The injected payload may be rendered across multiple pages within the framework and execute in the browser context of other users, including administrators. Successful exploitation can allow attackers to perform actions in the security context of the victim user, including unauthorized modification of application state. This vulnerability is not mitigated by the SPIP security screen. | ||||
| CVE-2026-26223 | 1 Spip | 1 Spip | 2026-03-05 | 6.1 Medium |
| SPIP before 4.4.8 allows cross-site scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe content in the back-office, allowing an attacker to inject and execute malicious scripts. The fix adds a sandbox attribute to iframe tags in the private area. This vulnerability is not mitigated by the SPIP security screen. | ||||
| CVE-2026-25868 | 3 Gnu, Minigal, Rybber | 3 Nano, Minigal, Minigal Nano | 2026-03-05 | 6.1 Medium |
| MiniGal Nano version 0.3.5 and prior contain a reflected cross-site scripting (XSS) vulnerability in index.php via the dir parameter. The application constructs $currentdir from user-controlled input and embeds it into an error message without output encoding, allowing an attacker to supply HTML/JavaScript that is reflected in the response. Successful exploitation can lead to execution of arbitrary script in a victim's browser in the context of the vulnerable application. | ||||
| CVE-2026-24433 | 1 Tenda | 2 W30e, W30e Firmware | 2026-03-05 | 5.4 Medium |
| Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain a stored cross-site scripting vulnerability in the user creation functionality. Insufficient input validation allows attacker-controlled script content to be stored and later executed when administrative users access the affected management pages. | ||||
| CVE-2026-24426 | 1 Tenda | 2 Ac7, Ac7 Firmware | 2026-03-05 | 6.1 Medium |
| Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior contain an improper output encoding vulnerability in the web management interface. User-supplied input is reflected in HTTP responses without adequate escaping, allowing injection of arbitrary HTML or JavaScript in a victim’s browser context. | ||||
| CVE-2026-22198 | 1 Gestsup | 1 Gestsup | 2026-03-05 | 6.1 Medium |
| GestSup versions prior to 3.2.60 contain a pre-authentication stored cross-site scripting (XSS) vulnerability in the API error logging functionality. By sending an API request with a crafted X-API-KEY header value (for example, to /api/v1/ticket.php), an unauthenticated attacker can cause attacker-controlled HTML/JavaScript to be written to log entries. When an administrator later views the affected logs in the web interface, the injected content is rendered without proper output encoding, resulting in arbitrary script execution in the administrator’s browser session. | ||||
| CVE-2026-0540 | 1 Cure53 | 1 Dompurify | 2026-03-05 | 6.1 Medium |
| DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 729097f, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like </noscript><img src=x onerror=alert(1)> in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts. | ||||
| CVE-2025-71241 | 1 Spip | 1 Spip | 2026-03-05 | 6.1 Medium |
| SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting (XSS) in the private area. The content of the error message displayed by the 'transmettre' API is not properly sanitized, allowing an attacker to inject malicious scripts. This vulnerability is mitigated by the SPIP security screen. | ||||
| CVE-2025-71240 | 1 Spip | 1 Spip | 2026-03-05 | 5.4 Medium |
| SPIP before 4.2.15 allows Cross-Site Scripting (XSS) via crafted content in HTML code tags. The application does not properly verify JavaScript within code tags, allowing an attacker to inject malicious scripts that execute in a victim's browser. | ||||
| CVE-2025-71177 | 1 Lavalite | 2 Lavalite, Lavalite Cms | 2026-03-05 | 5.4 Medium |
| LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without proper output encoding in package search results. When other users view search results that include the malicious package, the injected script executes in their browsers, potentially enabling session hijacking, credential theft, and unauthorized actions in the context of the victim. | ||||
| CVE-2025-71166 | 1 Typesettercms | 1 Typesetter | 2026-03-05 | 5.4 Medium |
| Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status move message handling. The path parameter is reflected into the HTML output without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session. | ||||
| CVE-2025-71165 | 1 Typesettercms | 1 Typesetter | 2026-03-05 | 5.4 Medium |
| Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status functionality. The path parameter is reflected into the HTML response without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session. | ||||
| CVE-2025-71164 | 1 Typesettercms | 1 Typesetter | 2026-03-05 | 5.4 Medium |
| Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the Editing component. The images parameter (submitted as images[] in a POST request) is reflected into an HTML href attribute without proper context-aware output encoding in include/tool/Editing.php. An authenticated attacker with editing privileges can supply a JavaScript pseudo-protocol (e.g., javascript:) to trigger arbitrary JavaScript execution in the context of the victim's browser session. | ||||
| CVE-2023-54341 | 2 Jokkedk, Webgrind Project | 2 Webgrind, Webgrind | 2026-03-05 | 6.1 Medium |
| Webgrind 1.1 and before contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts via the file parameter in index.php. The application does not sufficiently encode user-controlled inputs, allowing attackers to execute arbitrary JavaScript in victim's browsers by crafting malicious URLs. | ||||
| CVE-2023-54332 | 1 Automattic | 2 Jetpack, Jetpack Boost | 2026-03-05 | 6.1 Medium |
| Jetpack 11.4 contains a cross-site scripting vulnerability in the contact form module that allows attackers to inject malicious scripts through the post_id parameter. Attackers can craft malicious URLs with script payloads to execute arbitrary JavaScript in victims' browsers when they interact with the contact form page. | ||||
| CVE-2023-53985 | 1 Zippy | 1 Zstore | 2026-03-05 | 6.1 Medium |
| Zstore, now referred to as Zippy CRM, 6.5.4 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through unvalidated input parameters. Attackers can submit crafted payloads in manual insertion points to execute arbitrary JavaScript code in victim's browser context. | ||||