Total
44060 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-41591 | 1 Marko-js | 1 Marko | 2026-05-10 | 6.4 Medium |
| Marko is a declarative, HTML-based language for building web apps. Prior to marko version 5.38.36 and prior to @marko/runtime-tags 6.0.164, when dynamic text is interpolated into a <script> or <style> tag the Marko runtime failed to prevent tag breakout when the closing tag used non-lowercase casing. An attacker able to place input inside a <script> or <style> block could break out of the tag with </SCRIPT>, </Style>, etc. and inject arbitrary HTML/JavaScript, resulting in cross-site scripting. This issue has been patched in marko version 5.38.36 and @marko/runtime-tags 6.0.164. | ||||
| CVE-2026-41683 | 1 I18next | 1 I18next-http-middleware | 2026-05-10 | 8.6 High |
| i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware wrote user-controlled language values into the Content-Language response header after passing them through utils.escape(), which is an HTML-entity encoder that does not strip carriage return, line feed, or other control characters. When the application used an older i18next (< 19.5.0) that still exercised the backward-compatibility fallback at LanguageDetector.js:100 or otherwise produced a raw detected value, CRLF sequences in the attacker-controlled lng parameter reached res.setHeader('Content-Language', ...) verbatim. This issue has been patched in version 3.9.3. | ||||
| CVE-2026-41886 | 1 Locize | 1 Locize | 2026-05-10 | 7.5 High |
| locize is a localization platform that connects code and i18n setup. Prior to version 4.0.21, the locize client SDK registers a window.addEventListener("message", …) handler that dispatches to registered internal handlers (editKey, commitKey, commitKeys, isLocizeEnabled, requestInitialize, …) without validating event.origin. The pre-patch listener in src/api/postMessage.js gates dispatch on event.data.sender === "i18next-editor-frame" — that value sits inside the attacker-controlled message payload, not the browser-enforced origin. Any web page that could embed or be embedded by a locize-enabled host — an iframe on a third-party page, a window.open-ed victim, a parent frame reaching down — could send a crafted postMessage and trigger the internal handlers. This issue has been patched in version 4.0.21. | ||||
| CVE-2026-42224 | 1 Icinga | 1 Ipl-web | 2026-05-10 | 7.6 High |
| ipl/web is a set of common web components for php projects. Prior to version 0.13.1, the vulnerability allows an attacker to inject malicious Javascript into a victim's browser to run it in the context of Icinga Web. The victim needs to visit a specifically prepared website and may have no immediate chance to notice any wrongdoing. This issue has been patched in version 0.13.1. | ||||
| CVE-2026-42451 | 1 Grimmory-tools | 1 Grimmory | 2026-05-10 | 6.3 Medium |
| Grimmory is a self-hosted digital library. Prior to version 2.3.1, a stored cross-site scripting (XSS) vulnerability in Grimmory's browser-based EPUB reader allows an attacker to embed arbitrary JavaScript in a crafted EPUB file. When a victim opens the book, the script executes in their browser with full access to the Grimmory application's session context. This can enable session token theft and account takeover, including administrative access if an administrator opens the affected book. This issue has been patched in version 2.3.1. | ||||
| CVE-2026-42455 | 1 Linkwarden | 1 Linkwarden | 2026-05-10 | N/A |
| Linkwarden is a self-hosted, open-source collaborative bookmark manager to collect, organize and archive webpages. In versions 2.14.0 and prior, the archive upload endpoint (POST /api/v1/archives/[linkId]?format=4) accepts HTML files (text/html) without sanitizing JavaScript content. When the archive is later accessed via GET /api/v1/archives/[linkId]?format=4, the HTML is served with Content-Type: text/html from the Linkwarden origin, without any Content-Security-Policy header. This allows arbitrary JavaScript execution in the context of the authenticated Linkwarden sessio. At time of publication, there are no publicly available patches. | ||||
| CVE-2026-8195 | 1 Jeecg | 1 Jeecgboot | 2026-05-10 | 4.3 Medium |
| A vulnerability was detected in JeecgBoot up to 3.9.1. The affected element is an unknown function of the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/CommonController.java of the component SVG File Handler. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2022-50963 | 1 Ubidauction | 1 Ubidauction | 2026-05-10 | 6.1 Medium |
| uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the auctions/myAuctions/status/active module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers. | ||||
| CVE-2022-50969 | 1 Ubidauction | 1 Ubidauction | 2026-05-10 | 6.1 Medium |
| uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the backend/mailingLog/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers. | ||||
| CVE-2021-47950 | 1 Ampps | 1 Advanced Guestbook | 2026-05-10 | 6.4 Medium |
| Advanced Guestbook 2.4.4 contains a persistent cross-site scripting vulnerability in the smilies administration interface that allows authenticated attackers to inject malicious scripts by manipulating the s_emotion parameter. Attackers can submit POST requests to admin.php with JavaScript code in the s_emotion field, which executes when administrators view the smilies tab. | ||||
| CVE-2021-47924 | 2 Etoilewebdesign, Wordpress | 2 Ultimate Product Catalog, Wordpress | 2026-05-10 | 6.4 Medium |
| Ultimate Product Catalog 5.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the price parameter. Attackers can submit POST requests to post.php with HTML/JavaScript payloads in the price field to execute arbitrary code when the product is viewed. | ||||
| CVE-2022-50947 | 2 Radiustheme, Wordpress | 2 Testimonial Slider And Showcase, Wordpress | 2026-05-10 | 6.4 Medium |
| WordPress Plugin Testimonial Slider and Showcase 2.2.6 contains a stored cross-site scripting vulnerability that allows authenticated editors to inject malicious scripts by failing to sanitize the post_title parameter. Attackers with editor privileges can inject JavaScript payloads through the testimonial title field that execute in the browsers of users viewing the draft post, enabling cookie theft and session hijacking. | ||||
| CVE-2022-50957 | 1 Avatar Uploader Project | 1 Avatar Uploader | 2026-05-10 | 6.1 Medium |
| Drupal avatar_uploader 7.x-1.0-beta8 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the file parameter. Attackers can craft URLs with script payloads in the file parameter of avatar_uploader.pages.inc to execute arbitrary JavaScript in victim browsers. | ||||
| CVE-2024-33724 | 2026-05-09 | 5.4 Medium | ||
| SOPlanning 1.52.00 is vulnerable to Cross Site Scripting (XSS) via the groupe_id parameter to process/groupe_save.php. | ||||
| CVE-2025-67202 | 1 Sidekiq-cron | 1 Sidekiq-cron | 2026-05-09 | 6.1 Medium |
| Sidekiq-cron thru 2.3.1, an open-source scheduling add-on for Sidekiq, is vulnerable to a cross-site scripting (xss) vulnerability via crafted URL being rended from cron.erb. | ||||
| CVE-2026-41524 | 1 Ajax30 | 1 Bravecms-2.0 | 2026-05-08 | 8.7 High |
| Brave CMS is an open-source CMS. Prior to commit 6c56603, page and article body content entered through the CKEditor rich-text editor is stored verbatim in the database and subsequently rendered with Laravel Blade's unescaped output directive {!! !!}. Any JavaScript or HTML injected by an editor-role user is permanently stored and executed in every visitor's browser upon page load. This issue has been patched via commit 6c56603. | ||||
| CVE-2026-42556 | 1 Gitroomhq | 1 Postiz-app | 2026-05-08 | 8.9 High |
| Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated user who can create a post can store arbitrary HTML in post content by tampering their own save request and send the public preview link /p/<postId>?share=true to another user. The preview page renders that stored HTML with dangerouslySetInnerHTML on the main application origin. This issue has been patched in version 2.21.7. | ||||
| CVE-2026-42192 | 1 Useplunk | 1 Plunk | 2026-05-08 | 5.4 Medium |
| Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, a stored cross-site scripting (XSS) vulnerability exists in the campaign management feature, where the email body content created by authenticated project members is stored and later rendered in the admin dashboard using React's dangerouslySetInnerHTML without any HTML sanitization. This allows a lower-privileged member to embed malicious scripts in a campaign's email body that execute in the context of any admin or other member who views the campaign, potentially enabling session hijacking or unauthorized actions on their behalf. This issue has been patched in version 0.9.0. | ||||
| CVE-2026-32207 | 1 Microsoft | 1 Azure Machine Learning | 2026-05-08 | 8.8 High |
| Improper neutralization of input during web page generation ('cross-site scripting') in Azure Machine Learning allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2026-41576 | 1 Ajax30 | 1 Bravecms-2.0 | 2026-05-08 | 7.1 High |
| Brave CMS is an open-source CMS. Prior to commit 6c56603, the contact form is publicly accessible (no authentication required). User-supplied message text is passed through PHP's nl2br() function, which converts newlines to <br> tags but does not escape HTML. The resulting string is then passed to a Blade email template using the unescaped {!! $msg !!} directive. The resulting content is then rendered in a Blade email template using the unescaped {!! $msg !!} directive. Because HTML is not sanitized, arbitrary markup can be injected into the email body. While modern HTML-capable email clients (Gmail or Outlook Web) typically block JavaScript execution, they still render HTML content. This allows attackers to craft convincing phishing interfaces inside the email sent to the administrator. This issue has been patched via commit 6c56603. | ||||