CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-23612 GFI MailEssentials AI versions prior toΒ 22.4 contain a stored cross-site scripting vulnerability in the IP DNS Blocklist configuration page. An authenticated user can supply HTML/JavaScript in the ctl... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-23611 GFI MailEssentials AI versions prior toΒ 22.4 contain a stored cross-site scripting vulnerability in the IP Blocklist management page. An authenticated user can supply HTML/JavaScript in the ctl00$Cont... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-41916 OpenClaw before 2026.4.8 contains an authentication state management vulnerability where the resolvedAuth closure becomes stale after configuration reload. Newly accepted gateway connections continue ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-23610 GFI MailEssentials AI versions prior toΒ 22.4 contain a stored cross-site scripting vulnerability in the POP2Exchange configuration endpoint. An authenticated user can supply HTML/JavaScript in the POP... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-42421 OpenClaw before 2026.4.8 contains a session management vulnerability where existing WebSocket sessions survive shared gateway token rotation. Attackers can maintain unauthorized access to WebSocket co... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-26357 Dell Unisphere for PowerMax, version(s) 9.2.4.x, contain(s) an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A low privileged attacker with remote... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-23609 GFI MailEssentials AI versions prior toΒ 22.4 contain a stored cross-site scripting vulnerability in the Perimeter SMTP Servers configuration page. An authenticated user can supply HTML/JavaScript in t... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-23608 GFI MailEssentials AI versions prior toΒ 22.4 contain a stored cross-site scripting vulnerability in the Mail Monitoring rule creation endpoint. An authenticated user can supply HTML/JavaScript in the ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-23606 GFI MailEssentials AI versions prior toΒ 22.4 contain a stored cross-site scripting vulnerability in the Advanced Content Filtering rule creation workflow. An authenticated user can supply HTML/JavaScr... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32391 Missing Authorization vulnerability in linethemes SmartFix smartfix allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SmartFix: from n/a through < 1.2.4. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-26207 Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, `discourse-policy` plugin allows any authenticated user to interact with policies on posts they do... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-28357 NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, a stored XSS vulnerability exists in the Formula virtual cell. Formula results containing URI::() patterns are rend... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32417 Missing Authorization vulnerability in wppochipp Pochipp pochipp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Pochipp: from n/a through < 1.18.9. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-23605 GFI MailEssentials AI versions prior toΒ 22.4 contain a stored cross-site scripting vulnerability in the Attachment Filtering rule creation workflow. An authenticated user can supply HTML/JavaScript in... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-23604 GFI MailEssentials AI versions prior toΒ 22.4 contain a stored cross-site scripting vulnerability in the Keyword Filtering rule creation workflow. An authenticated user can supply HTML/JavaScript in th... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32328 Cross-Site Request Forgery (CSRF) vulnerability in shufflehound Lemmony lemmony allows Cross Site Request Forgery.This issue affects Lemmony: from n/a through < 1.7.1. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-25337 Cross-Site Request Forgery (CSRF) vulnerability in wpcoachify Coachify coachify allows Cross Site Request Forgery.This issue affects Coachify: from n/a through <= 1.1.5. | 5.4 | MEDIUM | β | 0 |
| CVE-2025-59540 Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability exists in Chamilo LMS that allows a staff account to execute arbitrary JavaScript in the browser of higher... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-39635 Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Magazine grandmagazine allows Cross Site Request Forgery.This issue affects Grand Magazine: from n/a through <= 3.5.5. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-0972 HTML injection is possible in system generated emails in Fortra's GoAnywhere MFT prior to 7.10.0. Note: The title, details, and description of this CVE were corrected post-publishing. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-24907 October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the Event Log mail preview feature. When... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-39614 Missing Authorization vulnerability in ilGhera JW Player for WordPress jw-player-7-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JW Player for WordP... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-26345 SPIP before 4.4.8 contains a stored cross-site scripting (XSS) vulnerability in the public area triggered in certain edge-case usage patterns. The echapper_html_suspect() function does not adequately ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-28359 NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Editor role can inject arbitrary HTML into Rich Text cells by bypassing the TipTap edito... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-27902 Svelte performance oriented web framework. Prior to version 5.53.5, errors from `transformError` were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-3103 A logic error in the remove_password() function in Checkmk GmbH's Checkmk versions <2.4.0p23, <2.3.0p43, and 2.2.0 (EOL) allows a low-privileged user to cause data loss. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-2284 The News Element Elementor Blog Magazine plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.8. This is due to a missing capability check and nonce ve... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-23858 Dell Wyse Management Suite, versions prior to WMS 5.5, contain an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A low privileged attacker with rem... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-36243 IBM Concert 1.0.0 through 2.1.0 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to netw... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-41298 OpenClaw before 2026.4.2 fails to enforce write scopes on the POST /sessions/:sessionKey/kill endpoint in identity-bearing HTTP modes. Read-scoped callers can terminate running subagent sessions by se... | 5.4 | MEDIUM | β | 0 |
| CVE-2019-25367 ArangoDB Community Edition 3.4.2-1 contains multiple cross-site scripting vulnerabilities in the Aardvark web admin interface (index.html) through search, user management, and API parameters. Attacker... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-28218 Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, fail-open access control in Data Explorer plugin allows any authenticated user to execute SQL quer... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-2735 Stored Cross-Site Scripting (XSS) in Alkacon's OpenCms v18.0, which occurs when user input is not properly validated when sending a POST request to β/blog/new-article/org.opencms.ugc.CmsUgcEditService... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-28397 NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, comments rendered via v-html without sanitization enable stored XSS. This issue has been patched in version 0.301.3... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-70060 An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in YMFE yapi v1.12.0. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32511 Deserialization of Untrusted Data vulnerability in Mikado-Themes StΓ₯l stal allows Object Injection.This issue affects StΓ₯l: from n/a through < 1.7. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-2694 The The Events Calendar plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to an improper capability check on the 'can_edit' and 'can_delete' function in all ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-26953 Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.0 and above have a Stored HTML Injection vulnerability in the... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-24350 PluXml CMS is vulnerable to Stored XSS in file uploading functionality. An authenticated attacker can upload an SVG file containing a malicious payload, which will be executed when a victim clicks the... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-26952 Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.4 and below are vulnerable to stored HTML injection through th... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-68643 Axigen Mail Server before 10.5.57 allows stored Cross-Site Scripting (XSS) in the handling of the timeFormat account preference parameter. Attackers can exploit this by deploying a multi-stage attack.... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-71240 SPIP before 4.2.15 allows Cross-Site Scripting (XSS) via crafted content in HTML code tags. The application does not properly verify JavaScript within code tags, allowing an attacker to inject malicio... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-26997 ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 #59, a normal authenticated user can store the XSS payload. The payload is triggered by administrator. Version 5.5.3 #59 ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-26075 FastGPT is an AI Agent building platform. Due to the fact that FastGPT's web page acquisition nodes, HTTP nodes, etc. need to initiate data acquisition requests from the server, there are certain secu... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-27578 n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could inject arbitrary scripts in... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-24351 PluXml CMS is vulnerable to Stored XSS in Static Pages editing functionality. Attacker with editing privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visit... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-25322 Cross-Site Request Forgery (CSRF) vulnerability in PublishPress PublishPress Revisions revisionary allows Cross Site Request Forgery.This issue affects PublishPress Revisions: from n/a through <= 3.7.... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-6515 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed a user to use invalidated or incor... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-28398 NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, user-controlled content in comments and rich text cells was rendered via v-html without sanitization, enabling stor... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-25604 In AWS Auth manager, the origin of the SAML authentication has been used as provided by the client and not verified against the actual instance URL.Β This allowed to gain access to different instances... | 5.4 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.