Search Results (83876 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-14028 1 Wordpress 1 Wordpress 2026-04-22 4.4 Medium
The Contact Us Simple Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-14118 1 Wordpress 1 Wordpress 2026-04-22 6.1 Medium
The Starred Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the PHP_SELF variable in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2025-13903 2 Ctietze, Wordpress 2 Pullquote, Wordpress 2026-04-22 6.4 Medium
The PullQuote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pullquote' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-13852 2 Debtcom, Wordpress 2 Debt.com Business In A Box, Wordpress 2026-04-22 6.4 Medium
The Debt.com Business in a Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'configuration' parameter of the lead_form shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-13967 2 Woodpeckerleadform, Wordpress 2 Woodpecker For Wordpress, Wordpress 2026-04-22 6.4 Medium
The Woodpecker for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_name' parameter of the [woodpecker-connector] shortcode in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-14725 1 Wordpress 1 Wordpress 2026-04-22 4.4 Medium
The Internal Link Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVE-2025-8072 2 Nebojsadabic, Wordpress 2 Target Video Easy Publish, Wordpress 2026-04-22 6.4 Medium
The Target Video Easy Publish plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘placeholder_img’ parameter in all versions up to, and including, 3.8.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2016-6367 1 Cisco 30 Adaptive Security Appliance Software, Asa 5500, Asa 5500-x and 27 more 2026-04-22 7.8 High
Cisco Adaptive Security Appliance (ASA) Software before 8.4(1) on ASA 5500, ASA 5500-X, PIX, and FWSM devices allows local users to gain privileges via invalid CLI commands, aka Bug ID CSCtu74257 or EPICBANANA.
CVE-2025-15440 2 Ione360, Wordpress 2 Ione360 Configurator, Wordpress 2026-04-22 7.2 High
The iONE360 configurator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Contact Form Parameters in all versions up to, and including, 2.0.57 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-13959 2 Shanaver, Wordpress 2 Filestack, Wordpress 2026-04-22 6.4 Medium
The Filestack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'filepicker' shortcode in all versions up to, and including, 2.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-13732 2 Clavaque, Wordpress 2 S2member – Excellent For All Kinds Of Memberships, Content Restriction Paywalls & Member Access Subscriptions, Wordpress 2026-04-22 6.4 Medium
The s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 's2Eot' shortcode in all versions up to, and including, 251005 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-14040 2 Themesuite, Wordpress 2 Automotive Car Dealership Business Wordpress Theme, Wordpress 2026-04-22 6.4 Medium
The Automotive Car Dealership Business WordPress Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Call to Action' custom fields in all versions up to, and including, 13.4. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the 'action_text', 'action_button_text', 'action_link', and 'action_class' custom fields. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-3466 1 Checkmk 1 Checkmk 2026-04-22 5.4 Medium
Insufficient sanitization of dashboard dashlet title links in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0 allows an attacker with dashboard creation privileges to perform stored cross-site scripting (XSS) attacks by tricking a victim into clicking a crafted dashlet title link on a shared dashboard.
CVE-2026-6779 1 Mozilla 2 Firefox, Thunderbird 2026-04-22 5.3 Medium
Other issue in the JavaScript Engine component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
CVE-2026-6775 1 Mozilla 2 Firefox, Thunderbird 2026-04-22 5.3 Medium
Incorrect boundary conditions in the WebRTC component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
CVE-2026-33791 2 Juniper, Juniper Networks 4 Junos, Junos Os Evolved, Junos Os and 1 more 2026-04-22 6.7 Medium
An OS Command Injection vulnerability in the CLI processing of Juniper Networks Junos OS and Junos OS Evolved allows a local, high-privileged attacker executing specific, crafted CLI commands to inject arbitrary shell commands as root, leading to a complete compromise of the system. Certain 'set system' commands, when executed with crafted arguments, are not properly sanitized, allowing for arbitrary shell injection. These shell commands are executed as root, potentially allowing for complete control of the vulnerable system. This issue affects: Junos OS:  * all versions before 22.4R3-S8,  * from 23.2 before 23.2R2-S5,  * from 23.4 before 23.4R2-S7,  * from 24.2 before 24.2R2-S2,  * from 24.4 before 24.4R2,  * from 25.2 before 25.2R2;  Junos OS Evolved:  * all versions before 22.4R3-S8-EVO,  * from 23.2 before 23.2R2-S5-EVO,  * from 23.4 before 23.4R2-S7-EVO,  * from 24.2 before 24.2R2-S2-EVO,  * from 24.4 before 24.4R2-EVO,  * from 25.2 before 25.2R1-S1-EVO, 25.2R2-EVO.
CVE-2026-4369 1 Autodesk 1 Fusion 2026-04-22 7.1 High
A maliciously crafted HTML payload in an assembly variant name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.
CVE-2017-20236 1 Prosoft-technology 2 Icx35-hwc, Icx35-hwc Firmware 2026-04-22 9.8 Critical
ProSoft Technology ICX35-HWC versions 1.3 and prior cellular gateways contain an input validation vulnerability in the web user interface that allows remote attackers to inject and execute system commands by submitting malicious input through unvalidated fields. Attackers can exploit this vulnerability to gain root privileges and execute arbitrary commands on the device through the accessible web interface.
CVE-2026-6781 1 Mozilla 2 Firefox, Thunderbird 2026-04-22 7.5 High
Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
CVE-2026-6780 1 Mozilla 2 Firefox, Thunderbird 2026-04-22 7.5 High
Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.