Total: 42414 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-26345 | 1 Spip | 1 Spip | 2026-03-05 | 5.4 Medium |
| SPIP before 4.4.8 contains a stored cross-site scripting (XSS) vulnerability in the public area triggered in certain edge-case usage patterns. The echapper_html_suspect() function does not adequately sanitize user-controlled content, allowing authenticated users with content-editing privileges (e.g., author-level roles and above) to inject malicious scripts. The injected payload may be rendered across multiple pages within the framework and execute in the browser context of other users, including administrators. Successful exploitation can allow attackers to perform actions in the security context of the victim user, including unauthorized modification of application state. This vulnerability is not mitigated by the SPIP security screen. | ||||
| CVE-2026-26223 | 1 Spip | 1 Spip | 2026-03-05 | 6.1 Medium |
| SPIP before 4.4.8 allows cross-site scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe content in the back-office, allowing an attacker to inject and execute malicious scripts. The fix adds a sandbox attribute to iframe tags in the private area. This vulnerability is not mitigated by the SPIP security screen. | ||||
| CVE-2026-25868 | 3 Gnu, Minigal, Rybber | 3 Nano, Minigal, Minigal Nano | 2026-03-05 | 6.1 Medium |
| MiniGal Nano version 0.3.5 and prior contain a reflected cross-site scripting (XSS) vulnerability in index.php via the dir parameter. The application constructs $currentdir from user-controlled input and embeds it into an error message without output encoding, allowing an attacker to supply HTML/JavaScript that is reflected in the response. Successful exploitation can lead to execution of arbitrary script in a victim's browser in the context of the vulnerable application. | ||||
| CVE-2026-24433 | 1 Tenda | 2 W30e, W30e Firmware | 2026-03-05 | 5.4 Medium |
| Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain a stored cross-site scripting vulnerability in the user creation functionality. Insufficient input validation allows attacker-controlled script content to be stored and later executed when administrative users access the affected management pages. | ||||
| CVE-2026-24426 | 1 Tenda | 2 Ac7, Ac7 Firmware | 2026-03-05 | 6.1 Medium |
| Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior contain an improper output encoding vulnerability in the web management interface. User-supplied input is reflected in HTTP responses without adequate escaping, allowing injection of arbitrary HTML or JavaScript in a victim’s browser context. | ||||
| CVE-2026-22198 | 1 Gestsup | 1 Gestsup | 2026-03-05 | 6.1 Medium |
| GestSup versions prior to 3.2.60 contain a pre-authentication stored cross-site scripting (XSS) vulnerability in the API error logging functionality. By sending an API request with a crafted X-API-KEY header value (for example, to /api/v1/ticket.php), an unauthenticated attacker can cause attacker-controlled HTML/JavaScript to be written to log entries. When an administrator later views the affected logs in the web interface, the injected content is rendered without proper output encoding, resulting in arbitrary script execution in the administrator’s browser session. | ||||
| CVE-2025-71241 | 1 Spip | 1 Spip | 2026-03-05 | 6.1 Medium |
| SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting (XSS) in the private area. The content of the error message displayed by the 'transmettre' API is not properly sanitized, allowing an attacker to inject malicious scripts. This vulnerability is mitigated by the SPIP security screen. | ||||
| CVE-2025-71240 | 1 Spip | 1 Spip | 2026-03-05 | 5.4 Medium |
| SPIP before 4.2.15 allows Cross-Site Scripting (XSS) via crafted content in HTML code tags. The application does not properly verify JavaScript within code tags, allowing an attacker to inject malicious scripts that execute in a victim's browser. | ||||
| CVE-2025-71177 | 1 Lavalite | 2 Lavalite, Lavalite Cms | 2026-03-05 | 5.4 Medium |
| LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without proper output encoding in package search results. When other users view search results that include the malicious package, the injected script executes in their browsers, potentially enabling session hijacking, credential theft, and unauthorized actions in the context of the victim. | ||||
| CVE-2025-71166 | 1 Typesettercms | 1 Typesetter | 2026-03-05 | 5.4 Medium |
| Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status move message handling. The path parameter is reflected into the HTML output without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session. | ||||
| CVE-2025-71165 | 1 Typesettercms | 1 Typesetter | 2026-03-05 | 5.4 Medium |
| Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status functionality. The path parameter is reflected into the HTML response without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session. | ||||
| CVE-2025-71164 | 1 Typesettercms | 1 Typesetter | 2026-03-05 | 5.4 Medium |
| Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the Editing component. The images parameter (submitted as images[] in a POST request) is reflected into an HTML href attribute without proper context-aware output encoding in include/tool/Editing.php. An authenticated attacker with editing privileges can supply a JavaScript pseudo-protocol (e.g., javascript:) to trigger arbitrary JavaScript execution in the context of the victim's browser session. | ||||
| CVE-2023-54341 | 2 Jokkedk, Webgrind Project | 2 Webgrind, Webgrind | 2026-03-05 | 6.1 Medium |
| Webgrind 1.1 and earlier contain a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts via the file parameter in index.php. The application does not sufficiently encode user-controlled input, allowing attackers to execute arbitrary JavaScript in victims' browsers by crafting malicious URLs. | ||||
| CVE-2023-54332 | 1 Automattic | 2 Jetpack, Jetpack Boost | 2026-03-05 | 6.1 Medium |
| Jetpack 11.4 contains a cross-site scripting vulnerability in the contact form module that allows attackers to inject malicious scripts through the post_id parameter. Attackers can craft malicious URLs with script payloads to execute arbitrary JavaScript in victims' browsers when they interact with the contact form page. | ||||
| CVE-2023-53985 | 1 Zippy | 1 Zstore | 2026-03-05 | 6.1 Medium |
| Zstore, now referred to as Zippy CRM, version 6.5.4 contains a reflected cross-site scripting vulnerability caused by unvalidated input parameters. Attackers can submit crafted payloads through these input points to execute arbitrary JavaScript in the victim's browser context. | ||||
| CVE-2022-50937 | 1 Ametys | 1 Ametys | 2026-03-05 | 6.1 Medium |
| Ametys CMS v4.4.1 contains a persistent cross-site scripting vulnerability in the link directory's input fields for external links. Attackers can inject script code into the link text and description fields; the stored payload executes for users who view the affected pages and can compromise user sessions and manipulate application modules. | ||||
| CVE-2022-50906 | 1 E107 | 2 E107, E107 Cms | 2026-03-05 | 4.8 Medium |
| e107 CMS 3.2.1 contains an upload restriction bypass vulnerability that allows authenticated administrators to upload malicious SVG files through the media manager. Attackers with admin privileges can exploit this vulnerability to upload SVG files with embedded cross-site scripting (XSS) payloads that can execute arbitrary scripts when viewed. | ||||
| CVE-2022-50905 | 1 E107 | 2 E107, E107 Cms | 2026-03-05 | 9.8 Critical |
| e107 CMS version 3.2.1 contains two vulnerabilities that allow cross-site scripting (XSS) attacks. The first is a reflected XSS in the news comment functionality: an attacker can inject JavaScript through a URL parameter, and the payload executes when an authenticated user types in the comment form and then clicks outside the comment field. The second is an upload restriction bypass that allows authenticated administrators to upload SVG files containing malicious code through the media manager's remote URL upload feature, resulting in stored XSS when the uploaded SVG files are accessed. These vulnerabilities were discovered by Hubert Wojciechowski and affect the news.php and image.php components of the CMS. | ||||
| CVE-2021-47919 | 2 Simple-cms Project, Simplephpscripts | 3 Simple Cms, Simple Cms, Simple Cms Php | 2026-03-05 | 6.4 Medium |
| Simple CMS 2.1 contains a non-persistent cross-site scripting vulnerability in the preview.php file's id parameter. Attackers can inject malicious script code through a GET request to execute arbitrary scripts and potentially hijack user sessions or perform phishing attacks. | ||||
| CVE-2021-47917 | 2 Simple-cms Project, Simplephpscripts | 3 Simple Cms, Simple Cms, Simple Cms Php | 2026-03-05 | 6.4 Medium |
| Simple CMS 2.1 contains a persistent cross-site scripting vulnerability in user input parameters that allows remote attackers to inject malicious script code. Attackers can exploit the newUser and editUser modules to store scripts that execute when the user list is previewed, potentially leading to session hijacking and application manipulation. | ||||
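The entries above for MiniGal Nano (CVE-2026-25868), Tenda AC7 (CVE-2026-24426), GestSup (CVE-2026-22198), LavaLite (CVE-2025-71177) and Typesetter (CVE-2025-71164) come down to two output contexts: untrusted text concatenated into HTML without entity encoding (reflected in an error message, or stored in a log line or package field and rendered later), and an untrusted value placed in an href, where entity encoding does not help because a javascript: scheme survives it intact. The Node.js example below is added here and is not code from any of those projects; the function names, the placeholder origin and the sample inputs are constructed for illustration.

```javascript
// Added example (not code from SPIP, MiniGal Nano, GestSup, Tenda, LavaLite or
// Typesetter). Two output contexts behind most of the XSS entries above:
//   1) HTML text/attribute context -> entity-encode the five significant characters
//   2) URL attribute (href/src) context -> encoding is not enough; allow-list the scheme

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable pattern: untrusted input concatenated straight into an error message
// (the shape of the $currentdir case). Kept only to show the contrast.
function renderDirErrorVulnerable(dir) {
  return `<p class="error">Directory not found: ${dir}</p>`;
}

function renderDirErrorSafe(dir) {
  return `<p class="error">Directory not found: ${escapeHtml(dir)}</p>`;
}

// Stored case: a log entry carries an attacker-controlled value (a request header,
// a package name). Writing it to the log is fine; rendering it unencoded is the bug.
function renderLogEntryVulnerable(entry) {
  return `<tr><td>${entry.time}</td><td>${entry.message}</td></tr>`;
}

function renderLogEntrySafe(entry) {
  return `<tr><td>${escapeHtml(entry.time)}</td><td>${escapeHtml(entry.message)}</td></tr>`;
}

// URL attribute context. "javascript:" passes escapeHtml untouched, so href/src
// values need scheme validation. Relative paths are resolved against a placeholder
// origin (assumption: the site is served same-origin over https).
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);
const PLACEHOLDER_ORIGIN = 'https://example.invalid/';

function safeHref(candidate) {
  let parsed;
  try {
    // The WHATWG URL parser strips leading/trailing whitespace and embedded tab or
    // newline, so " JavaScript:" and "java\tscript:" normalise to a javascript: scheme.
    parsed = new URL(String(candidate), PLACEHOLDER_ORIGIN);
  } catch {
    return null; // unparseable input is rejected rather than passed through
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  // Hand same-origin links back in relative form so the placeholder origin never leaks.
  if (parsed.origin === 'https://example.invalid') {
    return parsed.pathname + parsed.search + parsed.hash;
  }
  return parsed.href;
}

// Hardened form of "reflect a submitted path into an href": validate the scheme,
// then entity-encode the result for the attribute context it lands in.
function renderImageLink(imagePath) {
  const href = safeHref(imagePath);
  if (href === null) return '<a>invalid image path</a>';
  return `<a href="${escapeHtml(href)}">${escapeHtml(imagePath)}</a>`;
}

// Constructed sample inputs (not taken from any advisory).
const SAMPLE_DIR = '"><img src=x onerror=alert(1)>';
const SAMPLE_LOG = { time: '2026-03-05T10:00:00Z', message: 'invalid key: <script>alert(1)</script>' };
```

Run with `node`. Note that safeHref accepts any http(s) target, including protocol-relative links to other hosts; if a field is only meant to hold a same-site image path, tighten the check to same-origin results.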
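For the two e107 entries (CVE-2022-50906 and CVE-2022-50905), the stored XSS comes from SVG files that carry script and are later served as same-origin documents. The Node.js example below is added here and is not e107 code; it shows a two-layer upload policy: a blocklist scan for active SVG content as defence in depth, and response headers that keep an accepted file from executing script if it is opened directly. The pattern list, function names and sample SVG strings are constructed assumptions, not the project's own checks.

```javascript
// Added example (not e107 code): policy for user-supplied SVG in a media manager.
// Layer 1 rejects SVGs that carry active content. Layer 2 serves whatever is accepted
// under headers that stop it from running as a same-origin document.

// Markers of active content in SVG. A blocklist is defence in depth, not the primary
// control; the response headers below are the primary control.
const ACTIVE_CONTENT_PATTERNS = [
  { name: 'script element', re: /<\s*script\b/i },
  { name: 'event handler attribute', re: /\son[a-z]+\s*=/i },
  { name: 'javascript: URL', re: /(?:href|xlink:href)\s*=\s*["']?\s*javascript:/i },
  { name: 'foreignObject element', re: /<\s*foreignObject\b/i },
  { name: 'external entity declaration', re: /<!ENTITY\b/i },
  { name: 'set/animate on href', re: /<\s*(?:set|animate)\b[^>]*attributeName\s*=\s*["']?(?:xlink:)?href/i },
];

function svgActiveContent(svgText) {
  const text = String(svgText);
  return ACTIVE_CONTENT_PATTERNS.filter((p) => p.re.test(text)).map((p) => p.name);
}

// Cheap content check: the declared type and extension are attacker-controlled,
// so look at the bytes. Only the head is inspected to bound the cost on large files.
function looksLikeSvg(svgText) {
  const head = String(svgText).slice(0, 2048);
  return /<svg\b/i.test(head);
}

function decideSvgUpload(svgText) {
  if (!looksLikeSvg(svgText)) return { accept: false, reasons: ['not an SVG document'] };
  const reasons = svgActiveContent(svgText);
  return { accept: reasons.length === 0, reasons };
}

// Headers for serving user-supplied SVG. Content-Disposition: attachment stops the
// browser from rendering the file as a navigable document when opened directly
// (an <img> reference still displays it, and <img> never executes script). The CSP
// sandbox directive forbids script even if the file is opened as a document.
function headersForUserSvg(filename) {
  const safeName = String(filename).replace(/[^A-Za-z0-9._-]/g, '_');
  return {
    'Content-Type': 'image/svg+xml',
    'X-Content-Type-Options': 'nosniff',
    'Content-Disposition': `attachment; filename="${safeName}"`,
    'Content-Security-Policy': "default-src 'none'; style-src 'unsafe-inline'; sandbox",
  };
}

// Constructed sample uploads (not from any advisory).
const BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"><rect width="10" height="10"/></svg>';
const SCRIPT_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>';
const HANDLER_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect onload="alert(1)" width="1" height="1"/></svg>';
```

The regex scan can be bypassed by encodings and namespaced tricks a real XML parser would see through, which is why the headers, not the scan, carry the security guarantee; rasterising uploads to PNG removes the problem entirely where vector output is not required.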