By weakness (CWE)

CWE-79: related vulnerabilities

CVEs classified under CWE-79. Understanding the weakness class helps prioritize systemic fixes over one-off patches.

71 published vulnerabilities

  • CVE-2026-43984HIGH 8.9

    Tautulli, a Python monitoring application for Plex Media Server, contains a stored cross-site scripting (XSS) vulnerability in versions before 2.17.1. The flaw allows low-privilege users—including guest accounts when enabled—to inject malicious code into application logs via an unauthenticated endpoint. When an administrator views the logs, the injected code executes in their browser without restriction, giving attackers control within the admin's session. This is a privilege escalation and lateral attack vector that requires only guest-level access to trigger.

  • CVE-2026-24751HIGH 8.2

    Kiteworks, a platform used to securely share and manage sensitive business data, contains a reflected cross-site scripting (XSS) vulnerability in its Secure Data Forms feature. An attacker can craft a malicious link that, when clicked by a legitimate user, causes the victim's browser to execute arbitrary JavaScript code within the context of the Kiteworks application. This could allow the attacker to steal session cookies, impersonate the user, or perform unauthorized actions on their behalf. The vulnerability affects all versions of Kiteworks prior to 9.3.0.

  • CVE-2026-24752HIGH 8.2

    Kiteworks, a private data network platform, contains a reflected cross-site scripting (XSS) flaw in its Secure Data Forms component that could allow an attacker to inject malicious JavaScript. An attacker could craft a deceptive link and trick a user into clicking it, causing the user's browser to execute arbitrary code in the context of their Kiteworks session. This is a social engineering attack vector rather than a direct infrastructure compromise, but the impact can be severe if the victim has administrative or sensitive data access.

  • CVE-2025-14773HIGH 8.0

    ABB T-MAC Plus versions up to 4.0-24 contain a cross-site scripting (XSS) vulnerability that allows authenticated users to inject malicious scripts into web pages. When another user views a page containing the injected script, the script executes in their browser with their privileges, potentially enabling attackers to steal sensitive information, hijack sessions, or perform unauthorized actions on behalf of victims. The vulnerability requires both user authentication and victim interaction, limiting but not eliminating its risk in multi-user environments.

  • CVE-2026-33245HIGH 8.0

    React Router, a widely-used routing library for React applications, contains a cross-site scripting (XSS) vulnerability in its experimental React Server Components (RSC) feature. Versions 7.7.0 through 7.13.1 are affected. If an attacker can influence redirect instructions sent to your application—for example, through a compromised backend endpoint or man-in-the-middle scenario—malicious code could execute in users' browsers. The vulnerability is limited to applications actively using the unstable RSC APIs; standard React Router implementations are not impacted. A patch is available in version 7.13.2.

  • CVE-2026-41518HIGH 7.6

    Chartbrew, an open-source data visualization platform, contains a stored cross-site scripting (XSS) vulnerability affecting versions 4.9.0 through 5.0.0. A project editor can inject malicious HTML and JavaScript into chart legend fields, which is then executed in the browsers of anyone viewing the public dashboard—including unauthenticated users—without requiring any user interaction. This allows an attacker to steal sensitive data, hijack user sessions, or perform actions on behalf of viewers.

  • CVE-2025-11262HIGH 7.2

    Link Whisper Free, a WordPress plugin, contains a stored cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious scripts into web pages. When site visitors access affected pages, the injected scripts execute in their browsers, potentially allowing attackers to steal credentials, redirect users, or perform actions on their behalf. The vulnerability stems from improper handling of the user_id parameter and affects all versions up to 0.9.0.

  • CVE-2026-2374HIGH 7.2

    The Login No Captcha reCAPTCHA WordPress plugin contains a stored cross-site scripting (XSS) vulnerability in all versions up to 1.8.0. An unauthenticated attacker can exploit this by triggering a login attempt from a non-standard login page URL (such as xmlrpc.php), which causes the plugin to store malicious JavaScript in the WordPress admin dashboard settings. When an administrator logs in within 30 seconds of the attack, that JavaScript executes in their browser with the administrator's privileges. The vulnerability requires the admin to have a whitelisted IP address configured in the plugin, which is a common configuration for sites restricting login access.

  • CVE-2025-15654HIGH 7.1

    CVE-2025-15654 is a reflected cross-site scripting (XSS) vulnerability in Fox-themes Prague versions 2.2.8 and earlier. An attacker can craft a malicious URL containing unsanitized input that, when visited by a user, executes arbitrary JavaScript in their browser within the context of the vulnerable application. This allows the attacker to steal session cookies, perform actions on behalf of the victim, or redirect them to phishing sites—all without modifying the application itself.

  • CVE-2025-52759HIGH 7.1

    A reflected cross-site scripting (XSS) vulnerability exists in the UnboundStudio Accordion FAQ plugin affecting versions up to 2.2.1. An attacker can craft a malicious link that, when clicked by a user, executes arbitrary JavaScript in the victim's browser within the context of the affected site. This allows theft of session cookies, credential harvesting, malware injection, or other client-side attacks. The vulnerability requires user interaction—specifically clicking a malicious link—but has no authentication barrier, making it a straightforward social engineering vector.

  • CVE-2025-67448HIGH 7.1

    A stored cross-site scripting (XSS) vulnerability exists in the SMS module of Neterbit NW-431F routers running firmware version 20241014-IR03 and earlier. An attacker can craft a malicious SMS message and send it to a router user; when that user views the message, the embedded script executes in their browser. This allows attackers to steal session tokens, redirect users, inject fake content, or perform actions on behalf of the victim—all without the victim realizing they've been compromised through what appears to be a routine SMS.

  • CVE-2026-42678HIGH 7.1

    GiveWP, a popular WordPress donation and fundraising plugin maintained by Liquid Web/StellarWP, contains a cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages viewed by site visitors. Unlike traditional XSS flaws, this vulnerability operates at the DOM (Document Object Model) level in the browser, meaning the attack payload is crafted and executed client-side rather than originating from the server. An attacker can trick a user into clicking a malicious link or visiting a compromised page, leading to credential theft, session hijacking, or unauthorized actions taken on behalf of the victim within the vulnerable GiveWP installation.

  • CVE-2026-42681HIGH 7.1

    E2Pdf.Com's e2pdf plugin contains a reflected cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages. When a user visits a crafted link, the injected code executes in their browser within the context of the affected site, potentially allowing theft of session data, credentials, or sensitive information. The vulnerability affects e2pdf versions up to and including 1.32.14.

  • CVE-2026-42683HIGH 7.1

    VikBooking Hotel Booking Engine & PMS contains a DOM-based cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages viewed by users. An attacker can craft a malicious link or embed JavaScript in user-controllable input fields; when a victim visits the page or interacts with the compromised element, the script executes in their browser with access to session data and sensitive information. This is a client-side vulnerability requiring user interaction but affecting multiple users through a single compromised page.

  • CVE-2026-42685HIGH 7.1

    Ahmad WP Job Portal versions up to 2.5.1 contain a reflected cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. An attacker can craft a specially designed link and trick a user into clicking it, causing the injected code to execute in that user's browser with their privileges. This vulnerability requires user interaction—the victim must click a malicious link—but once triggered, it can be used to steal session tokens, deface content, redirect users to phishing sites, or perform actions on behalf of the victim.

  • CVE-2026-42676MEDIUM 6.5

    myCred, a gamification and community engagement plugin, contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users to inject malicious scripts into web pages. Unlike reflected XSS attacks that require victims to click a link, stored XSS persists in the application's database, meaning any user—including administrators—who views the affected content will execute the attacker's code. The vulnerability affects myCred versions up to and including 3.0.4. An authenticated attacker could exploit this to steal session tokens, redirect users, deface content, or perform actions on behalf of legitimate users.

  • CVE-2025-14042MEDIUM 6.4

    The Automotive Car Dealership Business WordPress Theme contains a stored cross-site scripting (XSS) vulnerability affecting all versions through 13.4.1. An attacker with contributor-level or higher permissions can inject malicious scripts into Portfolio Item 'Project Details' fields. These scripts will execute when other users view the affected pages, potentially compromising visitor sessions, stealing credentials, or defacing content. The vulnerability stems from the theme's failure to properly sanitize and escape user input in a custom field.

  • CVE-2026-2382MEDIUM 6.4

    The FPW Category Thumbnails WordPress plugin contains a stored cross-site scripting (XSS) vulnerability in versions up to 1.9.5. Any user with Subscriber-level access or higher can inject malicious JavaScript through the 'id' parameter in an AJAX function. This script persists in the plugin's settings and executes whenever an administrator views that page, potentially compromising administrator accounts. The vulnerability stems from the plugin failing to properly clean and escape user input before storing and displaying it.

  • CVE-2026-3722MEDIUM 6.4

    A WordPress plugin called 'Auto Image Attributes From Filename With Bulk Updater' fails to properly clean and display user-supplied data in image metadata fields. This allows authenticated users with Author-level permissions or higher to embed malicious code into image properties. When site visitors view pages containing the injected image, that code runs in their browsers—potentially stealing session cookies, performing actions on their behalf, or redirecting them to malicious sites. The vulnerability affects all versions up to and including 4.9.

  • CVE-2026-4080MEDIUM 6.4

    The Easy Cart plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in its 'add_to_cart' shortcode. Attackers with Contributor-level access or above can inject malicious scripts into shortcode parameters that will execute for any user viewing the affected page. The vulnerability stems from incomplete sanitization—while HTML tags are stripped, quotation marks are not escaped, allowing attackers to break out of HTML attribute context and inject event handlers like onclick or onerror. All versions through 1.8 are affected.

  • CVE-2026-4081MEDIUM 6.4

    The ZeM STL plugin for WordPress contains a vulnerability that allows authenticated users with Contributor-level permissions or higher to inject malicious scripts into website pages. When someone visits a page containing the injected script, their browser executes the attacker's code. This happens because the plugin doesn't properly clean or escape user input when processing shortcode parameters like 'url', 'color', and 'bgcolor'. All versions up to 1.0 are affected.

  • CVE-2026-4334MEDIUM 6.4

    The Shariff Wrapper plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability affecting versions up to 4.6.20. Attackers with Contributor-level access or higher can inject malicious scripts through the 'headline' parameter in the [shariff] shortcode. When other users view the affected page, the injected code executes in their browsers, potentially enabling session hijacking, credential theft, or further compromise. The vulnerability stems from the plugin's use of a permissive HTML sanitization routine followed by unsafe string replacement operations that reintroduce dangerous content after the sanitization check.

  • CVE-2025-65640MEDIUM 6.3

    Arket Globe Document Intelligence version 5.0.0.559 contains a reflected cross-site scripting (XSS) vulnerability in the "Task in Progress / Recent" page. An authenticated attacker can inject malicious JavaScript into document creation fields that will execute in the browsers of other users viewing that page, potentially allowing session hijacking, credential theft, or other malicious actions performed on behalf of those users.

  • CVE-2026-25599MEDIUM 6.3

    This vulnerability affects Orca heat pump devices and their control portal. An attacker can intercept unencrypted communications between older Orca heat pumps and the control server, impersonate a legitimate device, and inject malicious code into the web portal. This injected code can steal user session cookies, compromise accounts, expose sensitive information, and grant attackers unauthorized access to the portal. The core issues are the lack of authentication, unencrypted HTTP connections, and missing input validation.

  • CVE-2026-39107MEDIUM 6.3

    Kimi AI v1.0 has a cross-site scripting (XSS) vulnerability in its Preview feature. When the AI generates code and displays it in the Preview tab, the application fails to sanitize the output properly. An attacker can embed malicious JavaScript in AI-generated responses, which then executes in a user's browser with the privileges of that session. This could allow theft of session cookies, unauthorized actions on behalf of the user, or credential harvesting.

  • CVE-2019-25731MEDIUM 6.1

    Zuz Music version 2.1 has a flaw that lets anyone send malicious code through the contact form without needing to log in. When site administrators read these messages, the injected code runs in their browsers, potentially allowing attackers to steal session data, modify settings, or trick them into performing unwanted actions. This is a persistent vulnerability, meaning the malicious payload stays stored on the server and affects every admin who views the inbox.

  • CVE-2019-25737MEDIUM 6.1

    Live Chat Unlimited version 2.8.3 contains a stored cross-site scripting (XSS) vulnerability in its chat input field. An unauthenticated attacker can inject malicious JavaScript code that persists in the system and executes when administrators access the chat interface. This allows attackers to steal admin session cookies, redirect users to phishing sites, or perform unauthorized actions within the admin dashboard without requiring authentication.

  • CVE-2026-10510MEDIUM 6.1

    A cross-site scripting (XSS) vulnerability exists in the GeniexWebView component of Transsion's AI Assistant Lifestyle application for Android. An attacker can craft a malicious URL containing injected JavaScript code in the web_action_data parameter, which the vulnerable WebView will execute with the same privileges as the application. This allows arbitrary JavaScript execution in the context of the app, potentially compromising user data or enabling phishing attacks. The vulnerability affects all versions of the application currently in distribution.

  • CVE-2026-1450MEDIUM 6.1

    The rognone WordPress plugin contains a reflected cross-site scripting (XSS) flaw that allows unauthenticated attackers to inject malicious scripts into web pages. The vulnerability exists in how the plugin handles the 'mode' parameter—it fails to properly sanitize user input and escape output, creating an opening for attackers to craft malicious links. If a user clicks such a link while using a site running the vulnerable plugin, the attacker's script executes in their browser with access to session data and sensitive information.

  • CVE-2026-1451MEDIUM 6.1

    The rognone plugin for WordPress contains a reflected cross-site scripting (XSS) vulnerability that allows attackers to inject malicious JavaScript into pages viewed by unsuspecting users. An attacker could craft a malicious link containing JavaScript in the 'a' parameter and trick a user into clicking it, causing the script to execute in their browser within the context of the WordPress site. This works because the plugin fails to properly sanitize user input or escape output before displaying it. The vulnerability affects versions up to and including 0.6.2.

  • CVE-2026-20233MEDIUM 6.1

    Cisco Webex Meetings contained a cross-site scripting (XSS) vulnerability in its web interface that could allow an attacker to inject malicious scripts if a user clicked a crafted link. The vulnerability resulted from weak input validation. Cisco has already patched the service, and users do not need to take action—the fix has been deployed automatically.

  • CVE-2026-2425MEDIUM 6.1

    The hiWeb Migration Simple WordPress plugin contains a reflected cross-site scripting (XSS) vulnerability in how it handles the 'new_domain' parameter. An attacker can craft a malicious link and trick a WordPress administrator into clicking it, causing arbitrary JavaScript to execute in the admin's browser session. This could allow the attacker to steal session tokens, modify site content, or perform administrative actions on behalf of the compromised admin. The vulnerability affects all versions through 2.0.0.1.

  • CVE-2026-30586MEDIUM 6.1

    A cross-site scripting (XSS) vulnerability exists in usememos Memos version 0.26.0 that allows an attacker to inject malicious code into memo pages. When a user views a compromised memo—whether public or private—the attacker's script executes in the user's browser, potentially exposing sensitive information. The vulnerability stems from improper sanitization of user input in the memo rendering component, meaning the application fails to adequately strip or encode dangerous HTML and JavaScript before displaying memo content.

  • CVE-2026-33553MEDIUM 6.1

    Northern.tech CFEngine Enterprise contains a cross-site scripting (XSS) vulnerability in versions 3.24.3 before 3.24.4 and 3.27.0 before 3.27.1. An attacker can inject malicious scripts that execute in the browser context of users interacting with the CFEngine Enterprise interface, potentially compromising user sessions or stealing sensitive information without requiring authentication.

  • CVE-2026-35212MEDIUM 6.1

    OpenCTI, an open-source threat intelligence platform, contains a cross-site scripting (XSS) vulnerability in how it renders email message data. An attacker can craft a malicious email observable with unsanitized content in the message body, which executes JavaScript in a victim's browser when they view it. Because threat intelligence is often shared across teams via STIX files or automated ingesters, this could be weaponized to steal session cookies at scale, potentially compromising multiple analysts' accounts. The vulnerability requires user interaction—someone must view the crafted email observable—but the attack surface is broad given how threat intelligence is typically distributed.

  • CVE-2026-36324MEDIUM 6.1

    SourceCodester Doctor Appointment System version 1.0 contains a Cross-Site Scripting (XSS) vulnerability in its user registration form. An attacker can inject malicious scripts into the registration page, which are then executed in the browsers of other users who view that registration data. This allows the attacker to steal session cookies, redirect users to phishing sites, or perform actions on behalf of legitimate users without their knowledge.

  • CVE-2026-42253MEDIUM 6.1

    Apache ActiveMQ's web console contains a cross-site scripting (XSS) vulnerability that allows an attacker to inject malicious content into HTTP response headers. The flaw exists in how the MessageServlet handles JMS message properties—it copies them directly into HTTP headers without filtering or validation. An attacker who can craft a JMS message with specially crafted properties could inject security headers, potentially leading to session hijacking, credential theft, or malware delivery when a user views the affected web console. The vulnerability requires user interaction (a victim must view the injected content) and affects versions of ActiveMQ and ActiveMQ Web released before 5.19.7 and 6.2.6.

  • CVE-2026-28116MEDIUM 5.9

    Emilia Projects Progress Planner versions 1.9.0 and earlier contain a stored cross-site scripting (XSS) vulnerability that allows authenticated administrators to inject malicious scripts into the application. When other users view affected pages, the injected code executes in their browsers, potentially enabling session hijacking, credential theft, or further lateral movement within the application environment.

  • CVE-2025-5085MEDIUM 5.5

    The WP Nano AD plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability affecting versions 1.31 and earlier. An authenticated administrator can inject malicious scripts through the 'blogrole_link' parameter that persist in the database and execute in the browsers of users who view affected pages. The vulnerability is limited to WordPress multisite installations or those with the 'unfiltered_html' capability disabled, which narrows its real-world scope but makes it critical for affected deployments.

  • CVE-2018-25384MEDIUM 5.4

    Wikidforum 2.20 has a stored cross-site scripting (XSS) flaw that lets authenticated users inject malicious JavaScript into forum replies. When other users view those compromised posts through the rpc.php endpoint, the injected code executes in their browsers, potentially stealing session cookies, redirecting to phishing pages, or performing unauthorized actions on their behalf.

  • CVE-2019-25739MEDIUM 5.4

    GigToDo version 1.3 is vulnerable to a stored cross-site scripting (XSS) attack. An authenticated user can inject malicious JavaScript or HTML code into a proposal description field. When other users—particularly administrators—view that proposal, the attacker's code executes in their browser, potentially stealing session cookies or redirecting them to malicious sites. The vulnerability requires an attacker to already have valid login credentials, but the impact affects anyone who later views the compromised proposal.

  • CVE-2019-25742MEDIUM 5.4

    The Zoner Real Estate WordPress theme version 4.1.1 has a stored cross-site scripting (XSS) flaw in its property creation form. Authenticated real estate agents can inject malicious JavaScript into the property's address field, and that script will execute when site administrators review the property for approval. This could allow attackers to steal admin session cookies or hijack their accounts.

  • CVE-2019-25743MEDIUM 5.4

    WordPress Soliloquy Lite version 2.5.6 contains a stored cross-site scripting (XSS) vulnerability in its post editing functionality. An authenticated attacker can inject malicious JavaScript code into a post's title field, which persists in the WordPress database. When other users—particularly administrators or editors—preview that post, the injected script executes in their browser, potentially compromising their session or enabling further attacks. The vulnerability requires an attacker to have valid WordPress credentials but does not require tricking users into clicking malicious links, making it a genuine persistence risk in multi-user WordPress environments.

  • CVE-2019-25744MEDIUM 5.4

    WordPress Popup Builder version 3.49 contains a stored cross-site scripting (XSS) flaw that allows authenticated users to inject malicious JavaScript into posts or pages. An attacker with WordPress login credentials can craft a specially formatted post title containing script code that breaks out of HTML option tags, causing the malicious script to execute in the browsers of site visitors viewing popup selections. This is a persistence vulnerability—the injected code remains in the database and executes repeatedly.

  • CVE-2026-24754MEDIUM 5.4

    Kiteworks, a private data network platform used for secure file sharing and collaboration, contains a stored cross-site scripting (XSS) vulnerability in its Secure Data Forms feature. An authenticated user with legitimate access could craft malicious input that persists in the application and executes in other users' browsers when they view the affected form. This allows the attacker to steal session tokens, perform actions on behalf of victims, or harvest sensitive data passing through their sessions. The vulnerability requires prior authentication and user interaction (clicking a link or viewing a page), limiting but not eliminating its risk. Kiteworks versions before 9.3.0 are affected; upgrading resolves the issue.

  • CVE-2026-26378MEDIUM 5.4

    Koha, an open-source library management system, contains a cross-site scripting (XSS) vulnerability in its Invoice feature file upload functionality. An authenticated attacker can craft a malicious file upload that executes arbitrary code in the browsers of users who interact with the uploaded invoice. The vulnerability affects Koha version 25.11 and earlier. Exploitation requires an attacker to have valid library system credentials and user interaction—typically a staff member viewing or processing the invoice.

  • CVE-2026-33244MEDIUM 5.4

    React Router versions 7.5.1 through 7.13.1 contain a cross-site scripting (XSS) vulnerability when used in Framework Mode with pre-rendering. If your application redirects users to untrusted URLs and generates static HTML files during build time, attackers can inject malicious scripts into those pre-rendered pages. This vulnerability does not affect applications using the more common Declarative Mode or Data Mode routing approaches. The issue has been fixed in version 7.13.2.

  • CVE-2026-43979MEDIUM 5.0

    Local Deep Research versions before 1.6.0 contain a vulnerability where user-supplied search queries and metadata are inserted directly into HTML without proper escaping before being converted to PDF. An authenticated user can inject HTML tags that trick the server into making unauthorized web requests (SSRF), bypassing existing security controls. The vulnerability requires valid credentials but poses moderate risk due to potential confidentiality impact.

  • CVE-2026-10057MEDIUM 4.8

    ITS Intelligent SCADA System contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users with elevated privileges to inject malicious JavaScript code into the application. Once injected, this code persists in the system and executes automatically whenever other users load affected pages in their browsers. This is distinct from reflected XSS because the payload remains embedded in the application, posing a sustained risk to all users who access the compromised content.

  • CVE-2026-10058MEDIUM 4.8

    ITS Intelligent SCADA System contains a stored cross-site scripting (XSS) flaw that lets high-privilege attackers inject malicious JavaScript into the system. When other users load affected pages, that injected code runs in their browsers automatically. This is a persistence threat—the malicious script stays in the system until removed, affecting anyone who accesses the compromised page.

  • CVE-2026-34127MEDIUM 4.8

    A stored cross-site scripting (XSS) vulnerability exists in TP-Link's TL-SG108PE v5 managed switch web interface. When an administrator imports a configuration file containing malicious code in the SYSNAM parameter, that code is stored without proper sanitization. The next time an administrator accesses the web management interface, the injected script executes in their browser. This could allow an attacker (who must already have administrator credentials) to steal session cookies, modify switch settings, or extract sensitive information from the management interface.

  • CVE-2026-36460MEDIUM 4.8

    Dovestones Software's ADPhonebook application before version 4.0.1.1 contains a Cross-Site Scripting (XSS) vulnerability in its administrative configuration API. An authenticated administrator can inject malicious JavaScript code into various system configuration sections, which is then stored and executed in the browsers of other users who access those settings. This requires both admin privileges and user interaction (a victim must view the affected configuration), limiting but not eliminating the risk.

  • CVE-2026-10100MEDIUM 4.4

    The Simple Custom Login Page plugin for WordPress contains a security flaw that allows administrators to inadvertently inject malicious code into the login page viewed by all users. When a site admin configures colors for the login page through the plugin's settings, an attacker with admin access can craft CSS injection payloads in those color fields. Because the plugin doesn't properly validate these inputs before displaying them, an attacker can break out of the intended styling context and insert arbitrary CSS rules. This enables phishing attacks—for example, by hiding the real login form or overlaying a fake one to steal credentials.

  • CVE-2026-10153MEDIUM 4.3

    A cross-site scripting (XSS) vulnerability has been identified in westboy CicadasCMS. The flaw exists in the Search function and can be exploited by manipulating a specific argument to inject malicious scripts. An attacker can send a crafted request to a vulnerable instance to execute arbitrary JavaScript in the context of other users' browsers, potentially stealing session data, credentials, or performing actions on their behalf. Exploitation requires user interaction (such as clicking a malicious link) but does not require authentication. A proof-of-concept has already been published, increasing practical risk.

  • CVE-2026-10173MEDIUM 4.3

    Orthanc Explorer 2 versions up to 1.12.0 contain a reflected cross-site scripting (XSS) vulnerability in the StudyList component. An attacker can craft a malicious URL with a specially crafted 'remote-source' parameter that, when visited by a user, executes arbitrary JavaScript in their browser within the context of the Orthanc application. This allows theft of session tokens, modification of data, or unauthorized actions performed on behalf of the victim. The vulnerability requires user interaction—a victim must click a malicious link—but can be exploited remotely without authentication.

  • CVE-2026-10289MEDIUM 4.3

    A cross-site scripting (XSS) vulnerability exists in Hotel and Tourism Reservation System version 1.0. An attacker can inject malicious scripts by manipulating parameters in the reservation form—specifically the name, email, people count, or booking number fields in the /ht/tour.php file. When a victim visits a crafted link or page, the injected script executes in their browser, potentially allowing session hijacking, credential theft, or defacement. Public exploits are available, increasing active exploitation risk.

  • CVE-2026-10301MEDIUM 4.3

    A reflected cross-site scripting (XSS) vulnerability exists in itsourcecode Fees Management System version 1.0. An attacker can craft a malicious URL containing JavaScript code in the 'page' parameter of index.php. When a user visits this link, the script executes in their browser, potentially allowing theft of session cookies, credential capture, or malware redirection. The vulnerability requires user interaction (clicking a link) but poses a meaningful risk to organizations running this system, especially those handling sensitive fee or financial data.

  • CVE-2026-10810MEDIUM 4.3

    A cross-site scripting (XSS) vulnerability exists in itsourcecode Fees Management System version 1.0 and earlier. The flaw is located in the /navbar.php file, where unsanitized input in the 'page' parameter allows an attacker to inject malicious scripts. An attacker can craft a malicious URL and trick a user into clicking it, causing the injected script to execute in the victim's browser. This could lead to session hijacking, credential theft, or malware distribution. Public exploit code is available, increasing the risk of opportunistic attacks.

  • CVE-2026-32250MEDIUM 4.3

    NamelessMC, a website platform used for Minecraft server management, contains a reflected cross-site scripting (XSS) vulnerability in version 2.2.4. The flaw exists in how the application handles the `id` parameter on the user queries endpoint. An attacker can embed malicious JavaScript in a specially crafted URL; when a user clicks that link, the script runs in their browser with access to the site's session and data. This could enable attackers to steal session cookies, redirect users to phishing pages, or modify page content to deceive users.

  • CVE-2026-37700MEDIUM 4.1

    MaxSite CMS version 109.2 contains a cross-site scripting (XSS) vulnerability in its backend file upload feature that allows authenticated attackers to inject malicious scripts. When an administrator performs a file upload through the admin page endpoint, an attacker with login credentials could craft a request that executes JavaScript in the victim's browser, potentially exposing sensitive information displayed during the upload process.

  • CVE-2026-42401MEDIUM 4.1

    CVE-2026-42401 is a stored HTML injection vulnerability in Kibana that allows an attacker with write access to an Elasticsearch index to inject malicious markup. When other users view the affected Kibana dashboard or visualization, the injected code is not properly sanitized before rendering in their browser. This can enable unauthorized UI changes and cause the victim's browser to make unintended outbound network requests on their behalf.

  • CVE-2026-10228LOW 3.5

    A cross-site scripting (XSS) vulnerability exists in the raisulislamg4 student_management_system_by_php project. The flaw resides in the admission_form_check.php file, where user input passed through the Message parameter is not properly sanitized before being reflected in the web response. An authenticated attacker can craft malicious input that, when viewed by another user, executes arbitrary JavaScript in their browser. The vulnerability requires user interaction (clicking a malicious link) and affects only the integrity of data, not confidentiality or availability. Public exploit details are available, though the CVSS 3.5 score reflects the relatively constrained attack scenario requiring authentication and browser-based execution.

  • CVE-2026-10234LOW 3.5

    Mettle sendportal versions up to 3.0.1 contain a cross-site scripting (XSS) vulnerability in the Campaign Handler component. An authenticated attacker can inject malicious scripts through the content parameter in the /webview/ endpoint, potentially allowing them to steal session cookies, perform actions on behalf of users, or redirect users to malicious sites. The vulnerability requires user interaction to be effective and does not grant direct administrative access. Exploit code is publicly available, elevating practical risk despite the low CVSS score.

  • CVE-2026-10244LOW 3.5

    SourceCodester Pharmacy Sales and Inventory System version 1.0 contains a cross-site scripting (XSS) vulnerability in the medicine name creation function. An authenticated user can inject malicious script code through the medicine_name parameter, which executes in the context of other users' browsers. The vulnerability requires user interaction (clicking a link or visiting a page) to trigger, and an attacker must have valid login credentials to exploit it. Public exploits are now available.

  • CVE-2026-10245LOW 3.5

    SourceCodester Pharmacy Sales and Inventory System version 1.0 contains a cross-site scripting (XSS) vulnerability in its supplier creation functionality. An authenticated user can inject malicious code through the company name field when creating a supplier record. This code executes in the browsers of other users who view the supplier information, potentially allowing attackers to steal session tokens, redirect users to malicious sites, or perform unauthorized actions on their behalf. Public exploits for this vulnerability are already available.

  • CVE-2026-10246LOW 3.5

    A stored cross-site scripting (XSS) vulnerability exists in SourceCodester Pharmacy Sales and Inventory System version 1.0. An authenticated user can inject malicious scripts through the medicine presentation creation function, which are then executed in the browsers of other users who view that data. The attack requires user interaction and does not grant elevated privileges, but can be used to steal session tokens, redirect users, or perform actions on their behalf within the application.

  • CVE-2026-10247LOW 3.5

    A cross-site scripting (XSS) vulnerability exists in SourceCodester Pharmacy Sales and Inventory System version 1.0. An authenticated attacker can inject malicious scripts through the generic_name parameter in the create_generic_name function, which the application will then execute in users' browsers. This could allow the attacker to steal session cookies, hijack user accounts, or manipulate pharmacy data. The vulnerability requires user interaction to trigger and an authenticated account to exploit, limiting its immediate impact, but public exploit code is now available.

  • CVE-2026-10567LOW 3.5

    A stored cross-site scripting (XSS) vulnerability exists in 1Panel-dev CordysCRM versions up to 1.4.1. An authenticated attacker can inject malicious JavaScript into the Description field of the ModuleFormController, which will execute in the browsers of other users who view the affected module form. The vulnerability requires user interaction (viewing the crafted form) to trigger, and does not grant the attacker direct access to sensitive data or system functions. Upgrading to version 1.7.0 resolves the issue.

  • CVE-2026-10112LOW 2.4

    CVE-2026-10112 is a stored or reflected cross-site scripting (XSS) vulnerability in the Dashboard Page component of STUDENT-MANAGEMENT-SYSTEM version 1.0. An attacker with high privileges can inject malicious scripts through the Name parameter, which are then executed in the browsers of users who view the affected page. The vulnerability requires user interaction and has a low CVSS score of 2.4, but exploitation has already been disclosed publicly.

  • CVE-2026-10514LOW 2.4

    A cross-site scripting (XSS) vulnerability exists in CordysCRM versions up to 1.6.2. The flaw is located in a request parameter handling component and allows attackers with administrative privileges to inject malicious scripts that execute in users' browsers. While public exploit code is available, the attack requires both high-level credentials and user interaction (such as clicking a malicious link), significantly limiting real-world risk. Upgrading to version 1.7.0 resolves the issue.

  • CVE-2026-10529LOW 2.4

    A cross-site scripting (XSS) vulnerability has been discovered in westboy CicadasCMS affecting the Task Scheduling Management Module. The flaw exists in the ScheduleJobController component and can be triggered by an authenticated user with elevated privileges through a specially crafted request. While the vulnerability requires administrative or high-privilege access to exploit, the presence of user interaction (rendering) combined with public availability of exploit details elevates attention. The CMS uses a rolling release model, making definitive version tracking difficult, though the affected commit hash has been identified.