ReportizFlow
Filtered by vendor
Subscriptions
Total
43931 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-11276 | 1 Getrebuild | 1 Rebuild | 2026-04-15 | 3.5 Low |
| A security flaw has been discovered in Rebuild up to 4.1.3. Affected by this issue is some unknown functionality of the component Comment/Guestbook. Performing manipulation results in cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 4.1.4 can resolve this issue. It is suggested to upgrade the affected component. According to the researcher the vendor has confirmed the flaw and fix in a private issue response. | ||||
| CVE-2025-11333 | 1 Langleyfcu | 1 Online Banking System | 2026-04-15 | 2.4 Low |
| A vulnerability was identified in langleyfcu Online Banking System up to 57437e6400ce0ae240e692c24e6346b8d0c17d7a. This impacts an unknown function of the file /customer_add_action.php of the component Add Customer Page. The manipulation of the argument First Name leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. | ||||
| CVE-2025-11360 | 1 Jakowenko | 1 Double-take | 2026-04-15 | 4.3 Medium |
| A vulnerability was detected in jakowenko double-take up to 1.13.1. The impacted element is the function app.use of the file api/src/app.js of the component API. The manipulation of the argument X-Ingress-Path results in cross site scripting. The attack can be executed remotely. Upgrading to version 1.13.2 is sufficient to resolve this issue. The patch is identified as e11de9dd6b4ea6b7ec9a5607a920d48961e9fa50. The affected component should be upgraded. | ||||
| CVE-2025-62967 | 2 Designinvento, Wordpress | 2 Directorypress, Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Designinvento DirectoryPress directorypress allows DOM-Based XSS.This issue affects DirectoryPress: from n/a through <= 3.6.25. | ||||
| CVE-2025-24372 | 1 Ckan | 1 Ckan | 2026-04-15 | 7.3 High |
| CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Using a specially crafted file, a user could potentially upload a file containing code that when executed could send arbitrary requests to the server. If that file was opened by an administrator, it could lead to escalation of privileges of the original submitter or other malicious actions. Users must have been registered to the site to exploit this vulnerability. This vulnerability has been fixed in CKAN 2.10.7 and 2.11.2. Users are advised to upgrade. On versions prior to CKAN 2.10.7 and 2.11.2, site maintainers can restrict the file types supported for uploading using the `ckan.upload.user.mimetypes` / `ckan.upload.user.types` and `ckan.upload.group.mimetypes` / `ckan.upload.group.types` config options. To entirely disable file uploads users can use: `ckan.upload.user.types = none` | ||||
| CVE-2025-67552 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WalkerWP Walker Core walker-core allows DOM-Based XSS.This issue affects Walker Core: from n/a through <= 1.3.17. | ||||
| CVE-2024-7649 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| The Opal Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via checkout form fields in all versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-49928 | 2 Crocoblock, Wordpress | 2 Jetformbuilder, Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetWooBuilder jet-woo-builder allows DOM-Based XSS.This issue affects JetWooBuilder: from n/a through <= 2.1.20. | ||||
| CVE-2024-9873 | 2026-04-15 | 5.4 Medium | ||
| The Community by PeepSo – Social Network, Membership, Registration, User Profiles, Premium – Mobile App plugin for WordPress is vulnerable to Stored Cross-Site Scripting via URLs in posts, comments, and profiles when Markdown support is enabled in all versions up to, and including, 6.4.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-9884 | 2026-04-15 | 6.4 Medium | ||
| The T(-) Countdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tminus' shortcode in all versions up to, and including, 2.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-9886 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The WP Baidu Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'baidu_map' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-0054 | 2026-04-15 | 5.4 Medium | ||
| SAP NetWeaver Application Server Java does not sufficiently handle user input, resulting in a stored cross-site scripting vulnerability. The application allows attackers with basic user privileges to store a Javascript payload on the server, which could be later executed in the victim's web browser. With this the attacker might be able to read or modify information associated with the vulnerable web page. | ||||
| CVE-2025-0193 | 2026-04-15 | N/A | ||
| A stored Cross-site Scripting (XSS) vulnerability exists in the MGate 5121/5122/5123 Series firmware version v1.0 because of insufficient sanitization and encoding of user input in the "Login Message" functionality. An authenticated attacker with administrative access can exploit this vulnerability to inject malicious scripts that are continuously stored on the device. These scripts are executed when other users access the login page, potentially resulting in unauthorized actions or other impacts, depending on the user's privileges. | ||||
| CVE-2025-0219 | 2026-04-15 | 2.4 Low | ||
| A vulnerability, which was classified as problematic, has been found in Trimble SPS851 488.01. Affected by this issue is some unknown functionality of the component Receiver Status Identity Tab. The manipulation of the argument System Name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-0220 | 2026-04-15 | 2.4 Low | ||
| A vulnerability, which was classified as problematic, was found in Trimble SPS851 488.01. This affects an unknown part of the component Ethernet Configuration Menu. The manipulation of the argument Hostname leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-62082 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nasir Uddin Generic Elements generic-elements-for-elementor allows Stored XSS.This issue affects Generic Elements: from n/a through <= 1.2.9. | ||||
| CVE-2025-0354 | 2026-04-15 | 4.8 Medium | ||
| Cross-site scripting vulnerability in NEC Corporation Aterm WG2600HS Ver.1.7.2 and earlier, WG2600HP4 Ver.1.4.2 and earlier, WG2600HM4 Ver.1.4.2 and earlier, WG2600HS2 Ver.1.3.2 and earlier, WX3000HP Ver.2.4.2 and earlier and WX4200D5 Ver.1.2.4 and earlier allows a attacker to inject an arbitrary script via the network. | ||||
| CVE-2025-0397 | 2026-04-15 | 3.5 Low | ||
| A vulnerability, which was classified as problematic, was found in reckcn SPPanAdmin 1.0. Affected is an unknown function of the file /;/admin/role/edit. The manipulation of the argument name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-0419 | 2026-04-15 | 4.7 Medium | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Zirve Information Technologies Inc. Zirve Nova allows Cross-Site Scripting (XSS).This issue affects Zirve Nova: from 235 through 20250131. | ||||
| CVE-2025-0757 | 1 Hitachi | 1 Vantara Pentaho Business Analytics Server | 2026-04-15 | 4.4 Medium |
| Overview The software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users. (CWE-79) Description Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.2, including 9.3.x and 8.3.x, allow a malicious URL to inject content into the Analyzer plugin interface. Impact Once the malicious script is injected, the attacker can perform a variety of malicious activities. The attacker could transfer private information, such as cookies that may include session information, from the victim's machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site. | ||||