CVE Schwachstellen
CVE-Datenbank angereichert mit CISA KEV und NVD Daten
| CVE ID | CVSS | Schweregrad | KEV | Sichtungen |
|---|---|---|---|---|
| CVE-2025-70797 Cross Site Scripting vulnerability in Limesurvey v.6.15.20+251021 allows a remote attacker to execute arbitrary code via the Box[title] and box[url] parameters. | 6.1 | MEDIUM | — | 0 |
| CVE-2026-21904 An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the list filter fiel... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-3572 The iTracker360 plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in all versions up to and including 2.2.0. This is due to missing nonce verifica... | 6.1 | MEDIUM | — | 0 |
| CVE-2025-13910 The WP-WebAuthn plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via the `wwa_auth` AJAX endpoint in all versions up to, and including, 1.3.4 due to insufficient input... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-2277 The rexCrawler plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'url' and 'regex' parameters in the search-pattern tester page in all versions up to, and including, 1.0.15 ... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-2427 The itsukaita plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'day_from' and 'day_to' parameters in all versions up to, and including, 0.1.2 due to insufficient input sani... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-4069 The Alfie – Feed Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'naam' parameter in all versions up to, and including, 1.2.1. This is due to missing nonce validation ... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-4305 The Royal WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpr_pending_template' parameter in all versions up to, and including, 1.0.16 d... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-29520 Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a reflected cross-site scripting vulnerability in the Network Diagnosis ping function that allows attackers to execute arbitrary JavaScript... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-33035 WWBN AVideo is an open source video platform. In versions 25.0 and below, there is a reflected XSS vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's bro... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-32850 MailEnable versions prior to 10.55 contain a reflected cross-site scripting vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-27646 OpenClaw versions prior to 2026.3.7 contain a sandbox escape vulnerability in the /acp spawn command that allows authorized sandboxed sessions to initialize host-side ACP runtime. Attackers can bypass... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-33499 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `view/forbiddenPage.php` and `view/warningPage.php` templates reflect the `$_REQUEST['unlockPassword']` paramete... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-33170 Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `SafeBuffer#%` does not propagate the `@h... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-20104 A vulnerability in the bootloader of Cisco IOS XE Software for Cisco Catalyst 9200 Series Switches, Cisco Catalyst ESS9300 Embedded Series Switches, Cisco Catalyst IE9310 and IE9320 Rugged Series Swit... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-33933 OpenEMR is a free and open source electronic health records and medical practice management application. Starting in version 7.0.2.1 and prior to version 8.0.0.3, a reflected cross-site scripting (XSS... | 6.1 | MEDIUM | — | 0 |
| CVE-2025-41026 Reflected Cross Site Scripting (XSS) vulnerabilities in GDTaller. These vulnerabilities allows an attacker execute JavaScript code in the victim's browser by sending a malicious URL in 'site' paramet... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-1986 The FloristPress for Woo – Customize your eCommerce store for your Florist plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'noresults' parameter in all versions up to, and... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-33525 Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In version 4.39.15, an attacker may p... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-33758 OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role with `callback_mode=dir... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-33368 Zimbra Collaboration Suite (ZCS) 10.0 and 10.1 contains a reflected cross-site scripting (XSS) vulnerability in the Classic Webmail REST interface (/h/rest). The application fails to properly sanitize... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-33370 An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Zimbra Briefcase feature due to insufficient sanitization of specif... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-4146 The Loco Translate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘update_href’ parameter in all versions up to, and including, 2.8.2 due to insufficient input sanitizati... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-32919 OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing write-scoped callers to reach admin-only session reset logic. Attackers with operator.write scope can issue agent requ... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-20085 A vulnerability in the web-based management interface of Cisco IMC could allow an unauthenticated, remote attacker to conduct a reflected XSS attack against a user of the interface. This vulnerabil... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-34598 YesWiki is a wiki system written in PHP. Prior to version 4.6.0, a stored and blind XSS vulnerability exists in the form title field. A malicious attacker can inject JavaScript without any authenticat... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-30557 A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_category.php file via the "msg" parameter. The app... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-33402 Sakai is a Collaboration and Learning Environment (CLE). In versions 23.0 through 23.4 and 25.0 through 25.1, group titles and description can contain cross-site scripting scripts. The patch is includ... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-30661 iCMS v8.0.0 contains a Cross-Site Scripting (XSS) vulnerability in the User Management component, specifically within the index.html file. This allows remote attackers to execute arbitrary web script ... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-22217 OpenClaw version 2026.2.22 prior to 2026.2.23 contain an arbitrary code execution vulnerability in shell-env that allows attackers to execute attacker-controlled binaries by exploiting trusted-prefix ... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-33548 Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, improper escaping of tag names retrieved from History in Timeline (my_view_page.php) allows an attacker to inject HTML... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-33517 Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, when deleting a Tag (tag_delete.php), improper escaping of its name when displaying the confirmation message allows an... | 6.1 | MEDIUM | — | 0 |
| CVE-2025-52204 A Cross-Site Scripting (XSS) vulnerability exists in Znuny::ITSM 6.5.x in the customer.pl endpoint via the OTRSCustomerInterface parameter | 6.1 | MEDIUM | — | 0 |
| CVE-2026-29828 DooTask v1.6.27 has a Cross-Site Scripting (XSS) vulnerability in the /manage/project/<id> page via the input field projectDesc. | 6.1 | MEDIUM | — | 0 |
| CVE-2026-34729 phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, there is a stored XSS vulnerability via Regex Bypass in Filter::removeAttributes(). This issue has been patched in version 4.1.1... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-39336 ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting issue affects the Directory Reports form fields set from config, Person editor defaults rendered int... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-35398 WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically thr... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-35667 OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-27486 where the !stop chat command uses an unpatched killProcessTree function from shell-utils.ts that sends SIGKILL immediately witho... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-34852 Stack overflow vulnerability in the media platform. Impact: Successful exploitation of this vulnerability may affect availability. | 6.1 | MEDIUM | — | 0 |
| CVE-2026-3217 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal SAML SSO - Service Provider allows Cross-Site Scripting (XSS).This issue affects SAML SSO -... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-20115 A vulnerability in Cisco IOS XE Software for Cisco Meraki could allow a remote, unauthenticated attacker to view confidential device information. This vulnerability is due to a device configuration... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-25854 Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-30162 Cross Site Scripting (xss) vulnerability in Timo 2.0.3 via crafted links in the title field. | 6.1 | MEDIUM | — | 0 |
| CVE-2026-4647 A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF objec... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-3635 Summary When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-30252 Multiple reflected cross-site scripting (XSS) vulnerabilities in the login.php endpoint of Interzen Consulting S.r.l ZenShare Suite v17.0 allows attackers to execute arbitrary Javascript in the contex... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-30251 A reflected cross-site scripting (XSS) vulnerability in the login_newpwd.php endpoint of Interzen Consulting S.r.l ZenShare Suite v17.0 allows attackers to execute arbitrary Javascript in the context ... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-35466 XSS vulnerability in cveInterface.js allows for inject HTML to be passed to display, as cveInterface trusts input from CVE API services | 6.1 | MEDIUM | — | 0 |
| CVE-2026-30569 A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the view_stock_availability.php file via the "limit" param... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-30570 A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in the view_sales.php file via the "limit" parameter. The application fails to sanitize the... | 6.1 | MEDIUM | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.