Search Results (47376 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-15299 2 Wealcoder, Wordpress 2 Animation Addons For Elementor – Gsap Motion Elementor Addons & Website Templates, Wordpress 2026-07-10 6.4 Medium
The Animation Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'weather_style' and 'move_direction' parameters of the Weather widget in all versions up to, and including, 2.6.3. This is due to insufficient output escaping in the Weather widget's render() function at widgets/weather.php:1246, where both settings values are placed into an HTML class attribute without esc_attr(). Elementor does not server-side validate widget SELECT control values against allowed options on save, so an authenticated attacker with Contributor-level access or above can submit a crafted save_builder AJAX request storing arbitrary values in the _elementor_data post meta. The stored payload renders unescaped on every frontend visit to the affected page (the Weather widget requires an OpenWeatherMap API key to reach the vulnerable output, which is the normal operational state for sites using this widget).
CVE-2026-13710 2 Jegtheme, Wordpress 2 Jeg Kit For Elementor – Powerful Addons For Elementor, Widgets & Templates For Wordpress, Wordpress 2026-07-10 6.4 Medium
The Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Box widget's 'sg_body_description' parameter in versions up to, and including, 3.2.6. This is due to insufficient input sanitization and output escaping on the description attribute in the render_body() method of the Image_Box_View class — every other attribute used by the method is wrapped in esc_attr(), but the description value is concatenated directly into HTML body context. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-8306 1 Armiya 1 Access Control System (gks) 2026-07-10 6.1 Medium
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Armiya Information Technologies Ltd. Co. Access Control System (GKS) allows Stored XSS. This issue affects Access Control System (GKS): before Version 2.
CVE-2026-8309 1 Armiya 1 Access Control System (gks) 2026-07-10 5.4 Medium
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Armiya Information Technologies Ltd. Co. Access Control System (GKS) allows Reflected XSS. This issue affects Access Control System (GKS): before Version 2.
CVE-2026-12948 1 Digi International 4 Digi One Ia, Digi One Sp, Digi One Sp Ia and 1 more 2026-07-10 N/A
A stored cross-site scripting (XSS) vulnerability in the web management interface of the Digi PortServer TS, Digi One SP, Digi One SP IA, and Digi One IA allows a remote, authenticated administrator to inject script into certain system configuration fields. The script subsequently executes in the browser of a user who views the affected pages (CWE-79).
CVE-2026-48954 1 Joomla 1 Joomla! 2026-07-10 N/A
Improper validation leads to a generic XSS vector in the language override feature.
CVE-2026-48949 1 Joomla 1 Joomla! 2026-07-10 N/A
Lack of validation leads to an XSS vulnerability in the MFA management views.
CVE-2026-48953 1 Joomla 1 Joomla! 2026-07-10 N/A
Lack of escaping leads to an XSS vulnerability in the generic image output layout.
CVE-2026-48951 1 Joomla 1 Joomla! 2026-07-10 N/A
Lack of escaping leads to XSS vulnerabilities in modalreturn layouts of various components.
CVE-2026-48950 1 Joomla 1 Joomla! 2026-07-10 N/A
Lack of escaping leads to an XSS vulnerability in the file management view of com_templates.
CVE-2026-48952 1 Joomla 1 Joomla! 2026-07-10 N/A
Lack of escaping leads to an XSS vulnerability in the update list view of com_installer.
CVE-2026-55592 1 Lissy93 1 Dashy 2026-07-10 3.9 Low
Dashy is a self-hostable personal dashboard. Prior to 4.3.7, Dashy's workspace view trusts the url query parameter and assigns it directly to an iframe source without scheme validation. If a logged-in user opens a crafted workspace link containing a javascript: URL, JavaScript runs on the Dashy origin and can read same-origin browser data, interact with the Dashy DOM, and send requests as the victim. This issue is fixed in version 4.3.7.
CVE-2026-11798 2 The Champ, Wordpress 2 Social Share, Social Login And Social Comments Plugin – Super Socializer, Wordpress 2026-07-10 6.1 Medium
The Social Share, Social Login and Social Comments Plugin – Super Socializer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'heateor_mastodon_share' parameter in all versions up to, and including, 7.14.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2026-12041 2 Chatra, Wordpress 2 Chatra Live Chat + Chatbot + Cart Saver, Wordpress 2026-07-10 4.4 Medium
The Chatra Live Chat + ChatBot + Cart Saver plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVE-2026-10570 2 Idocoh, Wordpress 2 Sympl Repeater For Acf And Elementor, Wordpress 2026-07-10 6.4 Medium
The Sympl Repeater for ACF and Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ACF repeater field values in all versions up to, and including, 2.3. This is due to insufficient input sanitization and output escaping in the symp_arfe_replace_content() function, which uses str_replace() to substitute raw ACF field values (retrieved via get_field()) directly into Elementor-rendered HTML without any escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-14785 2 Seedprod, Wordpress 2 Website Builder By Seedprod — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode, Wordpress 2026-07-10 6.4 Medium
The Website Builder by SeedProd - Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `seedprodnestedmenuwidget` shortcode in all versions up to, and including, 6.20.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-8310 1 Webbeyaz Website Design 1 Mediküm Web 2026-07-10 6.1 Medium
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Webbeyaz Web Design Mediküm Web allows Reflected XSS. This issue affects Mediküm Web: through 08072026. NOTE: The vendor was contacted and it was learned that the product is not supported.
CVE-2026-8315 1 Webbeyaz Website Design 1 Mediküm Web 2026-07-10 5.4 Medium
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Webbeyaz Web Design Mediküm Web allows Stored XSS. This issue affects Mediküm Web: through 08072026. NOTE: The vendor was contacted and it was learned that the product is not supported.
CVE-2026-6740 2 Posimyththemes, Wordpress 2 Nexter Blocks – Gutenberg Blocks, Page Builder & Ai Website Builder, Wordpress 2026-07-10 6.4 Medium
The Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'commentIcon' parameter in all versions up to, and including, 4.7.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-58191 1 Appium 1 Appium 2026-07-10 6.5 Medium
Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 10.7.0, Appium's base-driver unconditionally mounts the /test/guinea-pig, /test/guinea-pig-scrollable, and /test/guinea-pig-app-banner routes, and compileLodashTemplate reflects the throwError query parameter, comments POST field, and User-Agent request header into HTML without escaping, allowing reflected cross-site scripting and arbitrary JavaScript execution on the server origin. This issue is fixed in version 10.7.0.