Total
42853 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-41844 | 1 Fortinet | 1 Fortisandbox | 2026-01-14 | 3.4 Low |
| A improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.2, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0.4 and above allows attacker to execute unauthorized code or commands via crafted HTTP requests in capture traffic endpoint. | ||||
| CVE-2023-41843 | 1 Fortinet | 1 Fortisandbox | 2026-01-14 | 7.3 High |
| A improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.1, FortiSandbox 4.2.1 through 4.2.5, FortiSandbox 4.0.0 through 4.0.3, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0 all versions, FortiSandbox 2.5 all versions, FortiSandbox 2.4.1 allows attacker to execute unauthorized code or commands via crafted HTTP requests. | ||||
| CVE-2023-41681 | 1 Fortinet | 1 Fortisandbox | 2026-01-14 | 7.3 High |
| A improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.1, FortiSandbox 4.2.1 through 4.2.5, FortiSandbox 4.0.0 through 4.0.3, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0 all versions, FortiSandbox 2.5 all versions, FortiSandbox 2.4.1 allows attacker to execute unauthorized code or commands via crafted HTTP requests. | ||||
| CVE-2023-41680 | 1 Fortinet | 1 Fortisandbox | 2026-01-14 | 7.3 High |
| A improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.1, FortiSandbox 4.2.1 through 4.2.5, FortiSandbox 4.0.0 through 4.0.3, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0 all versions, FortiSandbox 2.5 all versions, FortiSandbox 2.4.1 allows attacker to execute unauthorized code or commands via crafted HTTP requests. | ||||
| CVE-2025-54353 | 1 Fortinet | 1 Fortisandbox | 2026-01-14 | 5.3 Medium |
| An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an attacker to perform an XSS attack via crafted HTTP requests. | ||||
| CVE-2025-62482 | 2 Microsoft, Zoom | 6 Windows, Meeting Software Development Kit, Workplace and 3 more | 2026-01-13 | 4.3 Medium |
| Cross-site scripting in Zoom Workplace for Windows before version 6.5.10 may allow an unauthenticated user to impact integrity via network access. | ||||
| CVE-2025-49306 | 1 Catchsquare | 1 Wp Social Widget | 2026-01-13 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in catchsquare WP Social Widget allows Stored XSS. This issue affects WP Social Widget: from n/a through 2.3. | ||||
| CVE-2025-68457 | 2 Boscop, Boscop-fr | 2 Orejime, Orejime | 2026-01-13 | 6.1 Medium |
| Orejime is a consent manager that focuses on accessibility. On HTML elements handled by Orejime prior to version 2.3.2, one could run malicious code by embedding `javascript:` code within data attributes. When consenting to the related purpose, Orejime would turn data attributes into unprefixed ones (i.e. `data-href` into `href`), thus executing the code. This shouldn't have any impact on most setups, as elements handled by Orejime are generally hardcoded. The problem would only arise if somebody could inject HTML code within pages. The problem has been patched in version 2.3.2. As a workaround, the problem can be fixed outside of Orejime by sanitizing attributes which could contain executable code. | ||||
| CVE-2025-0717 | 1 Cm-wp | 1 Social Slider Widget | 2026-01-13 | 3.5 Low |
| To exploit the vulnerability, it is necessary: | ||||
| CVE-2025-30610 | 2 Catchsquare, Wordpress | 2 Wp Social Widget, Wordpress | 2026-01-13 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in catchsquare WP Social Widget allows Stored XSS. This issue affects WP Social Widget: from n/a through 2.2.6. | ||||
| CVE-2024-27189 | 2 Catchsquare, Wordpress | 2 Wp Social Widget, Wordpress | 2026-01-13 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in catchsquare WP Social Widget allows Stored XSS.This issue affects WP Social Widget: from n/a through 2.2.5. | ||||
| CVE-2022-50787 | 1 Sound4 | 21 Big Voice2, Big Voice2 Firmware, Big Voice4 and 18 more | 2026-01-13 | 7.2 High |
| SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x contains an unauthenticated stored cross-site scripting vulnerability in the username parameter that allows attackers to inject malicious scripts. Attackers can exploit the unvalidated username input to execute arbitrary HTML and JavaScript code in victim browser sessions without authentication. | ||||
| CVE-2026-0499 | 1 Sap | 1 Netweaver Enterprise Portal | 2026-01-13 | 6.1 Medium |
| SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject malicious scripts into a URL parameter. The scripts are reflected in the server response and executed in a user's browser when the crafted URL is visited, leading to theft of session information, manipulation of portal content, or user redirection, resulting in a low impact on the application's confidentiality and integrity, with no impact on availability. | ||||
| CVE-2026-0563 | 2 Pagup, Wordpress | 2 Wp Google Street View & Google Maps + Local Seo, Wordpress | 2026-01-13 | 6.4 Medium |
| The WP Google Street View (with 360° virtual tour) & Google maps + Local SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpgsv_map' shortcode in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-22714 | 2 Mediawiki, Wikimedia | 2 Mediawiki, Mediawiki-monaco Skin | 2026-01-13 | N/A |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Monaco Skin allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Monaco Skin: 1.45, 1.44, 1.43, 1.39. | ||||
| CVE-2025-15057 | 2 Wordpress, Wp-slimstat | 2 Wordpress, Slimstat Analytics | 2026-01-13 | 7.2 High |
| The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fh` (fingerprint) parameter in all versions up to, and including, 5.3.3. This is due to insufficient input sanitization and output escaping on the fingerprint value stored in the database. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the Real-time Access Log report. | ||||
| CVE-2025-15055 | 2 Wordpress, Wp-slimstat | 2 Wordpress, Slimstat Analytics | 2026-01-13 | 7.2 High |
| The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notes' and 'resource' parameters in all versions up to, and including, 5.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator accesses the Recent Custom Events report. | ||||
| CVE-2025-15019 | 2 Pagup, Wordpress | 2 Bialty, Wordpress | 2026-01-13 | 6.4 Medium |
| The BIALTY - Bulk Image Alt Text (Alt tag, Alt Attribute) with Yoast SEO + WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bialty_cs_alt' post meta in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever an administrator accesses the post editor. | ||||
| CVE-2025-13908 | 2 Alobaidi, Wordpress | 2 The Tooltip, Wordpress | 2026-01-13 | 6.4 Medium |
| The The Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'the_tooltip' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-13903 | 2 Ctietze, Wordpress | 2 Pullquote, Wordpress | 2026-01-13 | 6.4 Medium |
| The PullQuote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pullquote' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||