Search Results (47412 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-12799 1 Redhat 3 Jboss Enterprise Application Platform, Jbosseapxp, Red Hat Single Sign On 2026-07-09 6.5 Medium
A flaw was found in Jastow. Jastow is vulnerable to Cross-Site Scripting (XSS) attack. If using a set of combined configuration to allow unescaped characters in URL with embedded Undertow and Jastow, a server might be vulnerable to improper input handling.
CVE-2026-13441 2 Metagauss, Wordpress 2 Eventprime – Events Calendar, Bookings And Tickets, Wordpress 2026-07-09 7.2 High
The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'new_event_type_background_color' parameter in all versions up to, and including, 4.3.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with custom-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This requires the plugin's Guest Submissions setting (allow_submission_by_anonymous_user) to be enabled, which allows unauthenticated attackers to submit event types via the frontend form; when that setting is disabled, exploitation requires at minimum a subscriber-level authenticated account.
CVE-2026-59926 1 Lepture 1 Mistune 2026-07-09 5.4 Medium
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_admonition() in src/mistune/directives/admonition.py concatenates the Admonition directive :class: option into the HTML class attribute without escaping, allowing attribute injection and cross-site scripting even when HTMLRenderer escape mode is enabled. This issue is fixed in version 3.2.1.
CVE-2026-31981 1 Nozomi Networks 2 Cmc, Guardian 2026-07-09 5.9 Medium
A Stored HTML Injection vulnerability was discovered in the Diagram tab and Graph view due to a shared input validation function being insufficiently restrictive. An authenticated user with administrative privileges can inject malicious HTML tags into N2OS configuration data through multiple input vectors. When a victim views the affected data in the Diagram tab and Graph view, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
CVE-2026-7839 1 Uvnc 1 Ultravnc 2026-07-09 9.1 Critical
UltraVNC repeater through 1.8.2.2 initializes the HTTP administration server with a hardcoded default password. In repeater/webgui/settings.c:197, when settings2.txt is absent on first run the repeater writes the literal string "adminadmi2" as the admin password via strcpy_s(saved_password, 64, "adminadmi2"). The HTTP Basic-auth handler wi_decode_auth() checks this password without rate-limiting or lockout. Any remote attacker who can reach the repeater HTTP port (default TCP 80) can authenticate as administrator using the well-known default credential on a fresh or unmodified installation, gaining full control of the repeater configuration including allow/deny rules and session visibility.
CVE-2026-48560 1 Microsoft 5 Sharepoint Enterprise Server 2016, Sharepoint Server, Sharepoint Server 2016 and 2 more 2026-07-08 5.4 Medium
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
CVE-2026-47634 1 Microsoft 3 Sharepoint Server, Sharepoint Server 2019, Sharepoint Server Subscription Edition 2026-07-08 7.3 High
Improper neutralization of special elements in output used by a downstream component ('injection') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
CVE-2026-47281 1 Microsoft 1 Visual Studio Code 2026-07-08 9.6 Critical
Missing authorization in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.
CVE-2026-45465 1 Microsoft 3 Sharepoint Server, Sharepoint Server 2016, Sharepoint Server 2019 2026-07-08 5.4 Medium
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-45464 1 Microsoft 3 Sharepoint Server, Sharepoint Server 2016, Sharepoint Server 2019 2026-07-08 5.4 Medium
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-33113 1 Microsoft 5 Sharepoint Enterprise Server 2016, Sharepoint Server, Sharepoint Server 2016 and 2 more 2026-07-08 5.4 Medium
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-47639 1 Microsoft 5 Sharepoint Enterprise Server 2016, Sharepoint Server, Sharepoint Server 2016 and 2 more 2026-07-08 5.4 Medium
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-47636 1 Microsoft 3 Sharepoint Server, Sharepoint Server 2016, Sharepoint Server 2019 2026-07-08 5.4 Medium
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-45501 1 Microsoft 9 Exchange Server, Exchange Server 2016, Exchange Server 2019 and 6 more 2026-07-08 6.5 Medium
Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to perform spoofing over a network.
CVE-2026-45453 1 Microsoft 5 Sharepoint Enterprise Server 2016, Sharepoint Server, Sharepoint Server 2016 and 2 more 2026-07-08 5.4 Medium
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-50740 1 Revive 1 Adserver 2026-07-08 N/A
A missing sanitisation vulnerability of user input in the zone-include.php script exists in Revive Adserver 6.0.7 and earlier. A low‑privileged user could exploit the refresh parameter of the iFrame invocation tag to perform reflected XSS attacks.
CVE-2026-53641 1 Fossbilling 1 Fossbilling 2026-07-08 N/A
FOSSBilling is a free, open-source billing and client management system. Versions 0.6.0 through 0.7.2 have a stored cross-site scripting (XSS) vulnerability in the client-facing email history views of FOSSBilling. Email HTML content (`content_html`) is rendered into a JavaScript template literal using the `|raw` filter, bypassing all output escaping. An attacker with admin access can inject malicious JavaScript payloads into email content that execute in the browser of any client who views their email history. Version 0.8.0 contains a fix. Some workarounds are available. Restrict admin account access, audit email content in the database for suspicious payloads, and/or monitor client accounts for unusual activity.
CVE-2026-6818 2026-07-08 7.2 High
The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'special_requests' parameter in all versions up to, and including, 1.8.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-57439 1 Gchq 1 Cyberchef 2026-07-08 5 Medium
CyberChef is a web app for encryption, encoding, compression, and data analysis. Prior to 11.2.0, the Series Chart operation accepts __proto__ as a key while parsing user-supplied CSV, allowing prototype pollution that can be chained with operations such as Parse UDP to inject malicious JavaScript into HTML output. This issue is fixed in version 11.2.0.
CVE-2026-11903 1 Progress 1 Moveit Transfer 2026-07-08 8 High
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Progress MOVEit Transfer (Ad Hoc module). This issue affects MOVEit Transfer: from 2026.0.0 before 2026.0.1, from 2025.1.0 before 2025.1.4, from 2025.0.0 before 2025.0.8.