ReportizFlow
Filtered by vendor
Subscriptions
Total
44295 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-2995 | 1 Gitlab | 1 Gitlab | 2026-03-27 | 7.7 High |
| GitLab has remediated an issue in GitLab EE affecting all versions from 15.4 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to add email addresses to targeted user accounts due to improper sanitization of HTML content. | ||||
| CVE-2026-2973 | 1 Gitlab | 1 Gitlab | 2026-03-27 | 5.4 Medium |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to execute arbitrary JavaScript in a user's browser due to improper sanitization of entity-encoded content in Mermaid diagrams. | ||||
| CVE-2026-2483 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2026-03-27 | 5.4 Medium |
| IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session | ||||
| CVE-2026-33348 | 2 Open-emr, Openemr | 2 Openemr, Openemr | 2026-03-27 | 8.7 High |
| OpenEMR is a free and open source electronic health records and medical practice management application. Users with the `Notes - my encounters` role can fill Eye Exam forms in patient encounters. The answers to the form are displayed on the encounter page and in the visit history for the users with the same role. Versions prior to 8.0.0.3 have a stored cross-site scripting (XSS) vulnerability in the function to display the form answers, allowing any authenticated attacker with the specific role to insert arbitrary JavaScript into the system by entering malicious payloads to the form answers. The JavaScript code is later executed by any user with the form role when viewing the form answers in the patient encounter pages or visit history. Version 8.0.0.3 contains a patch. | ||||
| CVE-2026-33911 | 2 Open-emr, Openemr | 2 Openemr, Openemr | 2026-03-27 | 5.4 Medium |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the POST parameter `title` is reflected back in a JSON response built with `json_encode()`. Because the response is served with a `text/html` Content-Type, the browser interprets injected HTML/script tags rather than treating the output as JSON. An authenticated attacker can craft a request that executes arbitrary JavaScript in a victim's session. Version 8.0.0.3 contains a fix. | ||||
| CVE-2026-33912 | 2 Open-emr, Openemr | 2 Openemr, Openemr | 2026-03-27 | 5.4 Medium |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an authenticated attacker could craft a malicious form that, when submitted by a victim, executes arbitrary JavaScript in the victim's browser session. Version 8.0.0.3 patches the issue. | ||||
| CVE-2026-33933 | 2 Open-emr, Openemr | 2 Openemr, Openemr | 2026-03-27 | 6.1 Medium |
| OpenEMR is a free and open source electronic health records and medical practice management application. Starting in version 7.0.2.1 and prior to version 8.0.0.3, a reflected cross-site scripting (XSS) vulnerability in the custom template editor allows an attacker to execute arbitrary JavaScript in an authenticated staff member's browser session by sending them a crafted URL. The attacker does not need an OpenEMR account. Version 8.0.0.3 patches the issue. | ||||
| CVE-2026-4754 | 1 Molotovcherry | 1 Android-imagemagick7 | 2026-03-27 | 6.1 Medium |
| CWE-79 vulnerability in MolotovCherry Android-ImageMagick7.This issue affects Android-ImageMagick7: before 7.1.2-11. | ||||
| CVE-2026-33400 | 2 Ellite, Wallosapp | 2 Wallos, Wallos | 2026-03-27 | 5.4 Medium |
| Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, a stored cross-site scripting (XSS) vulnerability in the payment method rename endpoint allows any authenticated user to inject arbitrary JavaScript that executes when any user visits the Settings, Subscriptions, or Statistics pages. Combined with the wallos_login authentication cookie lacking the HttpOnly flag, this enables full session hijacking. This issue has been patched in version 4.7.0. | ||||
| CVE-2026-33331 | 2 Middleapi, Orpc | 2 Orpc, Orpc | 2026-03-27 | 8.2 High |
| oRPC is an tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.9, a stored cross-site scripting (XSS) vulnerability exists in the OpenAPI documentation generation of orpc. If an attacker can control any field within the OpenAPI specification (such as info.description), they can break out of the JSON context and execute arbitrary JavaScript when a user views the generated API documentation. This issue has been patched in version 1.13.9. | ||||
| CVE-2026-22209 | 2 Gvectors, Wordpress | 2 Wpdiscuz, Wordpress | 2026-03-27 | 5.5 Medium |
| wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability in the customCss field that allows administrators to inject malicious scripts by breaking out of style tags. Attackers with admin access can inject payloads like </style><script>alert(1)</script> in the custom CSS setting to execute arbitrary JavaScript in user browsers. | ||||
| CVE-2025-12848 | 2 Drupal, Webform Multiple File Upload Project | 3 Drupal, Webform Module, Webform Multiple File Upload | 2026-03-27 | 6.1 Medium |
| Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious filename containing JavaScript code (e.g., "<img src=1 onerror=alert(document.domain)>") to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts in the context of the victim's browser. The issue is present in a third-party library and has been addressed in a patch available at https://github.com/fyneworks/multifile/pull/44 . Users are advised to apply the provided patch or update to a fixed version of the module. | ||||
| CVE-2025-67316 | 2 Heytap, Realme | 3 Internet Browser, Coloros, Hey Tap Coloros Browser | 2026-03-26 | 5.4 Medium |
| An issue in realme Internet browser v.45.13.4.1 allows a remote attacker to execute arbitrary code via a crafted webpage in the built-in HeyTap/ColorOS browser. NOTE: The supplier is currently disputing this finding and the record is under review. | ||||
| CVE-2025-52204 | 1 Znuny | 1 Znuny | 2026-03-26 | 6.1 Medium |
| A Cross-Site Scripting (XSS) vulnerability exists in Znuny::ITSM 6.5.x in the customer.pl endpoint via the OTRSCustomerInterface parameter | ||||
| CVE-2026-33311 | 1 Dicebear | 1 Dicebear | 2026-03-26 | 4.7 Medium |
| DiceBear is an avatar library for designers and developers. Starting in version 5.0.0 and prior to versions 5.4.4, 6.1.4, 7.1.4, 8.0.3, and 9.4.1, SVG attribute values derived from user-supplied options (`backgroundColor`, `fontFamily`, `textColor`) were not XML-escaped before interpolation into SVG output. This could allow Cross-Site Scripting (XSS) when applications pass untrusted input to `createAvatar()` and serve the resulting SVG inline or with `Content-Type: image/svg+xml`. Starting in versions 5.4.4, 6.1.4, 7.1.4, 8.0.3, and 9.4.1, all affected SVG attribute values are properly escaped using XML entity encoding. Users should upgrade to the listed patched versions. Some mitigating factors limit vulnerability. Applications that validate input against the library's JSON Schema before passing it to `createAvatar()` are not affected. The DiceBear CLI validates input via AJV and was not vulnerable. Exploitation requires that an application passes untrusted, unvalidated external input directly as option values. | ||||
| CVE-2025-60948 | 2 Census, Csprousers | 2 Csweb, Csweb | 2026-03-26 | 4.6 Medium |
| Census CSWeb 8.0.1 allows stored cross-site scripting in user supplied fields. A remote, authenticated attacker could store malicious javascript that executes in a victim's browser. Fixed in 8.1.0 alpha. | ||||
| CVE-2026-30661 | 2 Icms, Idreamsoft | 2 Icms, Icms | 2026-03-26 | 6.1 Medium |
| iCMS v8.0.0 contains a Cross-Site Scripting (XSS) vulnerability in the User Management component, specifically within the index.html file. This allows remote attackers to execute arbitrary web script or HTML via the regip or loginip parameters. | ||||
| CVE-2026-29840 | 1 Jizhicms | 1 Jizhicms | 2026-03-26 | 5.4 Medium |
| JiZhiCMS v2.5.6 and before contains a Stored Cross-Site Scripting (XSS) vulnerability in the release function within app/home/c/UserController.php. The application attempts to sanitize input by filtering <script> tags but fails to recursively remove dangerous event handlers in other HTML tags (such as onerror in <img> tags). This allows an authenticated remote attacker to inject arbitrary web script or HTML via the body parameter in a POST request to /user/release.html. | ||||
| CVE-2025-4763 | 1 Aida | 1 Hotel Guest Hotspot | 2026-03-26 | 5.5 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Aida Computer Information Technology Inc. Hotel Guest Hotspot allows Reflected XSS.This issue affects Hotel Guest Hotspot: through 22012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-59788 | 1 Nextcloud | 2 Nextcloud, Nextcloud Server | 2026-03-26 | 6.4 Medium |
| Cross-site scripting (XSS) vulnerability in a reachable files_pdfviewer example directory in Nextcloud with versions before 22.2.10.33, 23.0.12.29, 24.0.12.28, 25.0.13.23, 26.0.13.20, 27.1.11.20, 28.0.14.11, 29.0.16.8, 30.0.17, 31.0.10, and 32.0.1 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted PDF file to viewer.html. This issue is related to CVE-2024-4367, but the root cause of this Nextcloud issue is that the product exposes executable example code on a same-origin basis. | ||||