By weakness (CWE)
CWE-79: related vulnerabilities
CVEs classified under CWE-79. Understanding the weakness class helps prioritize systemic fixes over one-off patches.
261 published vulnerabilities · page 3 of 3
- CVE-2026-5191MEDIUM 5.4
The Tiled Gallery Carousel Without JetPack WordPress plugin contains a stored cross-site scripting (XSS) vulnerability in versions up to 3.1. An attacker with contributor-level access or higher can inject malicious scripts into gallery image titles that will execute in the browsers of anyone viewing the affected page. This is a persistence concern because the malicious code is permanently stored in the site's database.
- CVE-2026-7186MEDIUM 5.4
A stored cross-site scripting (XSS) vulnerability exists in Checkmk's URL dashboard widget that allows authenticated users with dashboard editing permissions to inject malicious scripts. When other users view an affected dashboard, these scripts execute in their browsers without their knowledge. The vulnerability affects Checkmk versions before 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions. An attacker needs valid Checkmk credentials and dashboard edit access to exploit this flaw.
- CVE-2026-8833MEDIUM 5.4
Checkmk versions before 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 releases contain a flaw in how they validate URLs. An authenticated attacker can craft a malicious link using HTML encoding tricks to bypass the validation system and inject harmful URLs—such as javascript: links—into the application. When another user clicks or interacts with the crafted link, it can execute arbitrary JavaScript in their browser, compromising their session and data.
- CVE-2026-9308MEDIUM 5.4
Firefox for iOS Reader View had a template injection vulnerability where malicious web pages could exploit the order of placeholder substitution to inject JavaScript. When the app converted page content into Reader View, it processed user-controlled content before handling internal JSON-LD data placeholders. An attacker could craft a webpage with a specially-formatted string that, after substitution, becomes executable JavaScript code. This requires user interaction—the victim must open the malicious page and enable Reader View.
- CVE-2026-9309MEDIUM 5.4
Firefox for iOS Reader View had a vulnerability that failed to properly sanitize HTML tags embedded in JSON-LD metadata on web pages. An attacker could craft a malicious website that injects markup into Reader View, disrupting its normal behavior and extracting sensitive URL parameters—such as authentication tokens or session identifiers—that users might not realize were being exposed. In certain scenarios, this could allow an attacker to redirect those parameters toward internal endpoints, potentially enabling arbitrary JavaScript execution within a privileged origin. Mozilla fixed this issue in Firefox for iOS version 151.2.
- CVE-2026-9811MEDIUM 5.4
Mautic 7 contains a stored cross-site scripting (XSS) flaw in its project selector component. An authenticated user with project creation permissions can inject malicious JavaScript into a project name. When an admin later opens an entity editor that displays that project in a dropdown, the script runs in the admin's browser—potentially allowing the attacker to steal sessions, manipulate data, or access sensitive dashboard information. The vulnerability requires user interaction (admin opening the editor) and valid authentication to exploit, making it a medium-risk issue that is not currently tracked as actively exploited in the wild.
- CVE-2026-9971MEDIUM 5.4
A vulnerability in Google Chrome on iOS allows attackers to inject malicious scripts or HTML code into web pages when a user performs specific interactions with the browser. An attacker would need to craft a deceptive webpage and convince a user to engage with it in particular ways—such as specific taps or gestures—to trigger the injection. Once successful, the attacker gains the ability to run arbitrary code in the context of the webpage, potentially stealing data or modifying what the user sees.
- CVE-2026-8474MEDIUM 5.3
A reflected cross-site scripting (XSS) vulnerability exists in the login API of Stormshield Network Security (SNS) appliances. An attacker can craft a malicious link or inject code that, when accessed by a user, executes arbitrary JavaScript in their browser. This could allow theft of session cookies, capture of credentials, or redirection to phishing sites. The vulnerability affects versions 4.3.0–4.3.41, 4.8.0–4.8.15, and 5.0.0–5.0.5.
- CVE-2026-43979MEDIUM 5.0
Local Deep Research versions before 1.6.0 contain a vulnerability where user-supplied search queries and metadata are inserted directly into HTML without proper escaping before being converted to PDF. An authenticated user can inject HTML tags that trick the server into making unauthorized web requests (SSRF), bypassing existing security controls. The vulnerability requires valid credentials but poses moderate risk due to potential confidentiality impact.
- CVE-2026-10057MEDIUM 4.8
ITS Intelligent SCADA System contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users with elevated privileges to inject malicious JavaScript code into the application. Once injected, this code persists in the system and executes automatically whenever other users load affected pages in their browsers. This is distinct from reflected XSS because the payload remains embedded in the application, posing a sustained risk to all users who access the compromised content.
- CVE-2026-10058MEDIUM 4.8
ITS Intelligent SCADA System contains a stored cross-site scripting (XSS) flaw that lets high-privilege attackers inject malicious JavaScript into the system. When other users load affected pages, that injected code runs in their browsers automatically. This is a persistence threat—the malicious script stays in the system until removed, affecting anyone who accesses the compromised page.
- CVE-2026-25558MEDIUM 4.8
QloApps versions up to 1.7.0 contain a stored cross-site scripting (XSS) vulnerability in the admin file manager. An authenticated administrator can upload a specially crafted SVG file containing malicious JavaScript code. When any user subsequently views or accesses that file, the embedded script executes in their browser, potentially compromising their session or stealing sensitive information. The vulnerability requires administrator-level access to exploit but poses a persistent risk once injected.
- CVE-2026-34127MEDIUM 4.8
A stored cross-site scripting (XSS) vulnerability exists in TP-Link's TL-SG108PE v5 managed switch web interface. When an administrator imports a configuration file containing malicious code in the SYSNAM parameter, that code is stored without proper sanitization. The next time an administrator accesses the web management interface, the injected script executes in their browser. This could allow an attacker (who must already have administrator credentials) to steal session cookies, modify switch settings, or extract sensitive information from the management interface.
- CVE-2026-36460MEDIUM 4.8
Dovestones Software's ADPhonebook application before version 4.0.1.1 contains a Cross-Site Scripting (XSS) vulnerability in its administrative configuration API. An authenticated administrator can inject malicious JavaScript code into various system configuration sections, which is then stored and executed in the browsers of other users who access those settings. This requires both admin privileges and user interaction (a victim must view the affected configuration), limiting but not eliminating the risk.
- CVE-2026-8078MEDIUM 4.8
Checkmk versions before 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 releases contain a stored cross-site scripting (XSS) vulnerability in the global settings change log. An administrator with permission to modify global settings can inject malicious HTML or JavaScript into changelog messages. When other users view the Activate Changes page or Audit log, this malicious code executes in their browsers, potentially compromising their sessions or stealing information.
- CVE-2026-9549MEDIUM 4.8
Checkmk versions before 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 releases contain a stored cross-site scripting vulnerability in the service discovery active check output feature. An administrator with the ability to configure active or custom checks can inject malicious HTML or JavaScript that will execute in the browsers of other administrators or users with host read permissions when they view or run checks on the service discovery page. The attack is persistent—the injected code remains in the system until removed.
- CVE-2026-44757MEDIUM 4.7
SAP Wily Introscope Enterprise Manager contains a cross-site scripting (XSS) vulnerability that allows an attacker to inject malicious code into a specially crafted URL. When a legitimate user visits that URL, the attacker's script runs in their browser under the application's security context. This could expose sensitive session data or allow the attacker to perform actions on behalf of the victim. The vulnerability requires the attacker to trick a user into clicking a link, and carries a CVSS 4.7 (Medium) severity rating.
- CVE-2026-45462MEDIUM 4.6
CVE-2026-45462 is a cross-site scripting (XSS) vulnerability in Microsoft Office SharePoint that allows an authorized user to inject malicious scripts into web pages. When other users view the affected page, the script executes in their browser, potentially allowing the attacker to steal session data, redirect users, or impersonate trusted content. The vulnerability requires an authenticated attacker and user interaction (such as clicking a link), limiting its blast radius but making it a meaningful concern for organizations where SharePoint access is broadly distributed.
- CVE-2026-45467MEDIUM 4.6
CVE-2026-45467 is a cross-site scripting (XSS) vulnerability in Microsoft SharePoint that allows an authenticated user to inject malicious scripts into web pages. When another user views the compromised page, the script executes in their browser, potentially allowing the attacker to steal credentials, manipulate content they see, or impersonate the attacker. The vulnerability requires an authorized SharePoint user to set it up and a victim to click or view the malicious content, limiting its reach but making it effective in insider threat scenarios.
- CVE-2026-45468MEDIUM 4.6
CVE-2026-45468 is a cross-site scripting (XSS) vulnerability in Microsoft Office SharePoint that allows an authenticated user to inject malicious scripts into web pages. When a victim views the compromised page, the attacker can steal sensitive information or impersonate the victim within SharePoint. The vulnerability requires an authorized account to exploit and user interaction to trigger, making it moderate in severity but still a genuine risk in environments where SharePoint users have elevated privileges or access to sensitive data.
- CVE-2026-45479MEDIUM 4.6
CVE-2026-45479 is a cross-site scripting (XSS) vulnerability in Microsoft Office SharePoint that allows an authenticated attacker to inject malicious code into web pages. When a user views the compromised page, the attacker can steal session credentials, redirect users to phishing sites, or perform actions on behalf of the victim. The attack requires both valid SharePoint credentials and user interaction (clicking a malicious link or visiting a crafted page), which moderates its overall risk.
- CVE-2026-45483MEDIUM 4.6
Microsoft Office Project Server contains a cross-site scripting (XSS) vulnerability that allows an authenticated user to inject malicious code into web pages viewed by others. An attacker would need valid login credentials and would require a victim to interact with a crafted link or page element. The injected code runs in the victim's browser in the context of Project Server, enabling spoofing attacks such as credential theft or unauthorized actions on behalf of the user. This is a moderate-severity issue that primarily affects organizations where Project Server access is restricted to authenticated users.
- CVE-2026-47637MEDIUM 4.6
CVE-2026-47637 is a cross-site scripting (XSS) vulnerability in Microsoft Office SharePoint that allows an authenticated attacker to inject malicious script into web pages. When a user views a compromised page, the attacker can steal session tokens, redirect users to phishing sites, or perform actions on behalf of the victim. The attack requires an authorized attacker and user interaction (clicking a link or viewing content), limiting its immediate blast radius but still representing a meaningful risk in collaborative environments where SharePoint is heavily used.
- CVE-2026-47638MEDIUM 4.6
CVE-2026-47638 is a cross-site scripting (XSS) vulnerability in Microsoft Office SharePoint that allows an authenticated attacker to inject malicious scripts into web pages. When a user views the compromised page, the attacker's script executes in their browser, enabling spoofing attacks—such as phishing, credential theft, or session hijacking—while appearing to come from a trusted SharePoint instance. The vulnerability requires user interaction and existing authentication, limiting but not eliminating the risk in organizations with many SharePoint users.
- CVE-2026-47640MEDIUM 4.6
Microsoft Office SharePoint contains a cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject malicious scripts into web pages. When a user with appropriate permissions views a compromised page, the injected script executes in their browser, potentially allowing the attacker to steal session tokens, modify page content, or redirect users to malicious sites. This is a reflected or stored XSS flaw depending on how SharePoint processes and stores the unfiltered input.
- CVE-2026-48562MEDIUM 4.6
CVE-2026-48562 is a cross-site scripting (XSS) vulnerability in Microsoft SharePoint Server that allows an authorized user to inject malicious code into web pages. When other users view the compromised page, the attacker's code executes in their browser, enabling spoofing attacks—impersonation or manipulation of content that appears to come from legitimate sources. This requires an attacker already have valid SharePoint credentials and the victim must interact with the malicious content, but once those conditions are met, the attack is straightforward to execute.
- CVE-2026-10100MEDIUM 4.4
The Simple Custom Login Page plugin for WordPress contains a security flaw that allows administrators to inadvertently inject malicious code into the login page viewed by all users. When a site admin configures colors for the login page through the plugin's settings, an attacker with admin access can craft CSS injection payloads in those color fields. Because the plugin doesn't properly validate these inputs before displaying them, an attacker can break out of the intended styling context and insert arbitrary CSS rules. This enables phishing attacks—for example, by hiding the real login form or overlaying a fake one to steal credentials.
- CVE-2026-7421MEDIUM 4.4
A WordPress plugin called Passeum Ticketing contains a vulnerability that allows site administrators to inadvertently (or maliciously in compromised accounts) inject malicious scripts into a website. The plugin fails to properly validate the shop name setting, allowing an attacker with admin access to point the site to a malicious domain. When this happens, the plugin loads JavaScript and CSS files from that attacker-controlled domain, which then executes on every page of the website for all visitors. This is a stored cross-site scripting (XSS) vulnerability specific to multisite WordPress installations.
- CVE-2026-7430MEDIUM 4.4
The Post Snippets plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability affecting all versions up to 4.0.19. An authenticated administrator can inject malicious code through the plugin's import feature. When that code is imported, it gets embedded unsafely into the post editor's JavaScript, allowing the attacker to execute arbitrary scripts that run whenever any administrator opens a post editor page. This is a privilege-escalation and persistence risk: an attacker with admin access can compromise the experience of other admins and potentially maintain control across sessions.
- CVE-2026-8991MEDIUM 4.4
A WordPress plugin called 'Drag and Drop Multiple File Upload for Contact Form 7' contains a stored cross-site scripting (XSS) vulnerability in versions up to 1.3.9.7. An attacker with administrator access can inject malicious scripts into the plugin's settings, which will then execute in the browsers of any user who views the affected pages. This is a privilege-escalation risk that exploits insufficient input validation on two specific settings fields.
- CVE-2026-9594MEDIUM 4.4
The WP Maps plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability affecting versions up to 4.9.4. An attacker with administrator access or a custom role granted the wpgmp_manage_location capability can inject malicious scripts into location messages. These scripts execute whenever site visitors access pages containing the injected content, potentially compromising user sessions, stealing credentials, or redirecting visitors to malicious sites. The vulnerability requires authenticated access and administrative privileges, limiting its immediate risk but making it a concern for organizations with admin account security gaps or custom role configurations.
- CVE-2026-10153MEDIUM 4.3
A cross-site scripting (XSS) vulnerability has been identified in westboy CicadasCMS. The flaw exists in the Search function and can be exploited by manipulating a specific argument to inject malicious scripts. An attacker can send a crafted request to a vulnerable instance to execute arbitrary JavaScript in the context of other users' browsers, potentially stealing session data, credentials, or performing actions on their behalf. Exploitation requires user interaction (such as clicking a malicious link) but does not require authentication. A proof-of-concept has already been published, increasing practical risk.
- CVE-2026-10173MEDIUM 4.3
Orthanc Explorer 2 versions up to 1.12.0 contain a reflected cross-site scripting (XSS) vulnerability in the StudyList component. An attacker can craft a malicious URL with a specially crafted 'remote-source' parameter that, when visited by a user, executes arbitrary JavaScript in their browser within the context of the Orthanc application. This allows theft of session tokens, modification of data, or unauthorized actions performed on behalf of the victim. The vulnerability requires user interaction—a victim must click a malicious link—but can be exploited remotely without authentication.
- CVE-2026-10289MEDIUM 4.3
A cross-site scripting (XSS) vulnerability exists in Hotel and Tourism Reservation System version 1.0. An attacker can inject malicious scripts by manipulating parameters in the reservation form—specifically the name, email, people count, or booking number fields in the /ht/tour.php file. When a victim visits a crafted link or page, the injected script executes in their browser, potentially allowing session hijacking, credential theft, or defacement. Public exploits are available, increasing active exploitation risk.
- CVE-2026-10301MEDIUM 4.3
A reflected cross-site scripting (XSS) vulnerability exists in itsourcecode Fees Management System version 1.0. An attacker can craft a malicious URL containing JavaScript code in the 'page' parameter of index.php. When a user visits this link, the script executes in their browser, potentially allowing theft of session cookies, credential capture, or malware redirection. The vulnerability requires user interaction (clicking a link) but poses a meaningful risk to organizations running this system, especially those handling sensitive fee or financial data.
- CVE-2026-10810MEDIUM 4.3
A cross-site scripting (XSS) vulnerability exists in itsourcecode Fees Management System version 1.0 and earlier. The flaw is located in the /navbar.php file, where unsanitized input in the 'page' parameter allows an attacker to inject malicious scripts. An attacker can craft a malicious URL and trick a user into clicking it, causing the injected script to execute in the victim's browser. This could lead to session hijacking, credential theft, or malware distribution. Public exploit code is available, increasing the risk of opportunistic attacks.
- CVE-2026-11337MEDIUM 4.3
A reflected cross-site scripting (XSS) vulnerability exists in tittuvarghese CollegeManagementSystem affecting the fetch.php endpoint. An attacker can inject malicious scripts through the department_name parameter, which are then executed in a victim's browser when they interact with a crafted link. The attack requires user interaction but no authentication, making it a practical threat in educational environments where students and staff may click on shared links. Public exploit code is available, increasing the likelihood of opportunistic attacks.
- CVE-2026-11436MEDIUM 4.3
Mage AI versions up to 0.9.79 contain a reflected cross-site scripting (XSS) vulnerability in the sign-in flow. An attacker can craft a malicious URL with a manipulated redirect parameter that, when clicked by a user, executes JavaScript in the victim's browser within the context of the Mage AI application. The vulnerability requires user interaction—someone must click the malicious link—but no authentication is needed to trigger it. Public exploit details are now available.
- CVE-2026-11512MEDIUM 4.3
A cross-site scripting (XSS) vulnerability has been discovered in itsourcecode Hospital Management System version 1.0. The flaw exists in the billing module (/billing.php) and can be triggered by manipulating the patientid parameter. An attacker can craft a malicious link or form that, when clicked by a hospital staff member or administrator, injects arbitrary JavaScript into their browser session. This could allow the attacker to steal session credentials, modify billing records, or perform unauthorized actions on behalf of the logged-in user. The vulnerability requires user interaction (a victim must click a malicious link) but needs no authentication to set up the attack. Public exploit details are available, increasing real-world risk.
- CVE-2026-11518MEDIUM 4.3
SourceCodester Inventory System version 1.0 contains a cross-site scripting (XSS) vulnerability in its user management functionality. An attacker can inject malicious code through the fullname or username fields in the /users.php file, which is then reflected back to users viewing that data. While the vulnerability requires user interaction (such as clicking a malicious link), it could be exploited remotely to steal session cookies, redirect users, or perform actions on their behalf within the application.
- CVE-2026-32250MEDIUM 4.3
NamelessMC, a website platform used for Minecraft server management, contains a reflected cross-site scripting (XSS) vulnerability in version 2.2.4. The flaw exists in how the application handles the `id` parameter on the user queries endpoint. An attacker can embed malicious JavaScript in a specially crafted URL; when a user clicks that link, the script runs in their browser with access to the site's session and data. This could enable attackers to steal session cookies, redirect users to phishing pages, or modify page content to deceive users.
- CVE-2026-37700MEDIUM 4.1
MaxSite CMS version 109.2 contains a cross-site scripting (XSS) vulnerability in its backend file upload feature that allows authenticated attackers to inject malicious scripts. When an administrator performs a file upload through the admin page endpoint, an attacker with login credentials could craft a request that executes JavaScript in the victim's browser, potentially exposing sensitive information displayed during the upload process.
- CVE-2026-42401MEDIUM 4.1
CVE-2026-42401 is a stored HTML injection vulnerability in Kibana that allows an attacker with write access to an Elasticsearch index to inject malicious markup. When other users view the affected Kibana dashboard or visualization, the injected code is not properly sanitized before rendering in their browser. This can enable unauthorized UI changes and cause the victim's browser to make unintended outbound network requests on their behalf.
- CVE-2026-10228LOW 3.5
A cross-site scripting (XSS) vulnerability exists in the raisulislamg4 student_management_system_by_php project. The flaw resides in the admission_form_check.php file, where user input passed through the Message parameter is not properly sanitized before being reflected in the web response. An authenticated attacker can craft malicious input that, when viewed by another user, executes arbitrary JavaScript in their browser. The vulnerability requires user interaction (clicking a malicious link) and affects only the integrity of data, not confidentiality or availability. Public exploit details are available, though the CVSS 3.5 score reflects the relatively constrained attack scenario requiring authentication and browser-based execution.
- CVE-2026-10234LOW 3.5
Mettle sendportal versions up to 3.0.1 contain a cross-site scripting (XSS) vulnerability in the Campaign Handler component. An authenticated attacker can inject malicious scripts through the content parameter in the /webview/ endpoint, potentially allowing them to steal session cookies, perform actions on behalf of users, or redirect users to malicious sites. The vulnerability requires user interaction to be effective and does not grant direct administrative access. Exploit code is publicly available, elevating practical risk despite the low CVSS score.
- CVE-2026-10244LOW 3.5
SourceCodester Pharmacy Sales and Inventory System version 1.0 contains a cross-site scripting (XSS) vulnerability in the medicine name creation function. An authenticated user can inject malicious script code through the medicine_name parameter, which executes in the context of other users' browsers. The vulnerability requires user interaction (clicking a link or visiting a page) to trigger, and an attacker must have valid login credentials to exploit it. Public exploits are now available.
- CVE-2026-10245LOW 3.5
SourceCodester Pharmacy Sales and Inventory System version 1.0 contains a cross-site scripting (XSS) vulnerability in its supplier creation functionality. An authenticated user can inject malicious code through the company name field when creating a supplier record. This code executes in the browsers of other users who view the supplier information, potentially allowing attackers to steal session tokens, redirect users to malicious sites, or perform unauthorized actions on their behalf. Public exploits for this vulnerability are already available.
- CVE-2026-10246LOW 3.5
A stored cross-site scripting (XSS) vulnerability exists in SourceCodester Pharmacy Sales and Inventory System version 1.0. An authenticated user can inject malicious scripts through the medicine presentation creation function, which are then executed in the browsers of other users who view that data. The attack requires user interaction and does not grant elevated privileges, but can be used to steal session tokens, redirect users, or perform actions on their behalf within the application.
- CVE-2026-10247LOW 3.5
A cross-site scripting (XSS) vulnerability exists in SourceCodester Pharmacy Sales and Inventory System version 1.0. An authenticated attacker can inject malicious scripts through the generic_name parameter in the create_generic_name function, which the application will then execute in users' browsers. This could allow the attacker to steal session cookies, hijack user accounts, or manipulate pharmacy data. The vulnerability requires user interaction to trigger and an authenticated account to exploit, limiting its immediate impact, but public exploit code is now available.
- CVE-2026-10567LOW 3.5
A stored cross-site scripting (XSS) vulnerability exists in 1Panel-dev CordysCRM versions up to 1.4.1. An authenticated attacker can inject malicious JavaScript into the Description field of the ModuleFormController, which will execute in the browsers of other users who view the affected module form. The vulnerability requires user interaction (viewing the crafted form) to trigger, and does not grant the attacker direct access to sensitive data or system functions. Upgrading to version 1.7.0 resolves the issue.
- CVE-2026-11520LOW 3.5
SourceCodester Inventory System version 1.0 contains a cross-site scripting (XSS) vulnerability in the header.php file that allows authenticated users to inject malicious scripts through multiple parameters. An attacker with valid credentials can craft a specially crafted request to inject JavaScript that executes in the browsers of other users, potentially stealing session data or performing unauthorized actions on their behalf. Public exploit code is available, increasing the practical risk despite the low CVSS score.
- CVE-2026-11534LOW 3.5
A cross-site scripting (XSS) vulnerability exists in imvks786's student_management_system application. The flaw allows attackers to inject malicious scripts through the name, address, or fname parameters in the /add.php file. An attacker with authenticated access can craft a malicious request that, when clicked by another user, executes arbitrary JavaScript in that user's browser. The vulnerability is publicly known, and the development team has been notified but has not yet responded with a patch.
- CVE-2026-8981LOW 3.5
The Custom Block Builder WordPress plugin before version 4.3.0 fails to properly validate user permissions when handling block template code in certain scenarios. This allows site administrators—particularly on WordPress multisite networks or single-site installations with `DISALLOW_UNFILTERED_HTML` enabled—to inject malicious JavaScript into block templates. When visitors load pages containing these blocks, the injected code executes in their browsers, potentially compromising user sessions or stealing sensitive information.
- CVE-2026-49381LOW 3.4
CVE-2026-49381 is a stored cross-site scripting (XSS) vulnerability in JetBrains TeamCity's SAML login page that existed prior to version 2026.1. An attacker with high privileges could inject malicious scripts into the login interface, which would then execute in the browsers of users who interact with that page. The vulnerability requires user interaction to trigger and has limited scope, affecting only the confidentiality of information visible to the victim during their session.
- CVE-2026-10112LOW 2.4
CVE-2026-10112 is a stored or reflected cross-site scripting (XSS) vulnerability in the Dashboard Page component of STUDENT-MANAGEMENT-SYSTEM version 1.0. An attacker with high privileges can inject malicious scripts through the Name parameter, which are then executed in the browsers of users who view the affected page. The vulnerability requires user interaction and has a low CVSS score of 2.4, but exploitation has already been disclosed publicly.
- CVE-2026-10514LOW 2.4
A cross-site scripting (XSS) vulnerability exists in CordysCRM versions up to 1.6.2. The flaw is located in a request parameter handling component and allows attackers with administrative privileges to inject malicious scripts that execute in users' browsers. While public exploit code is available, the attack requires both high-level credentials and user interaction (such as clicking a malicious link), significantly limiting real-world risk. Upgrading to version 1.7.0 resolves the issue.
- CVE-2026-10529LOW 2.4
A cross-site scripting (XSS) vulnerability has been discovered in westboy CicadasCMS affecting the Task Scheduling Management Module. The flaw exists in the ScheduleJobController component and can be triggered by an authenticated user with elevated privileges through a specially crafted request. While the vulnerability requires administrative or high-privilege access to exploit, the presence of user interaction (rendering) combined with public availability of exploit details elevates attention. The CMS uses a rolling release model, making definitive version tracking difficult, though the affected commit hash has been identified.
- CVE-2026-11338LOW 2.4
A reflected cross-site scripting (XSS) vulnerability exists in SourceCodester Ship Ferry Ticket Reservation System version 1.0. An authenticated administrative user with high privileges can inject malicious JavaScript into the Username parameter on the user management page, which executes in the browsers of other users who view the manipulated content. The vulnerability requires user interaction and administrative access to trigger, limiting its immediate exposure but potentially enabling unauthorized account manipulation or credential theft within administrative workflows.
- CVE-2026-11434LOW 2.4
FluentCMS version 0.0.5 contains a cross-site scripting (XSS) vulnerability in its Blocks Plugin, specifically within the /admin/blocks file. An authenticated administrator with high privileges can inject malicious scripts that execute in the browsers of other users viewing the affected page. The vulnerability requires user interaction (such as clicking a link) to trigger. Public exploit code is available, though the low CVSS score reflects the requirement for high-privilege authentication and user interaction to succeed.
- CVE-2026-11468LOW 2.4
A cross-site scripting (XSS) vulnerability exists in SourceCodester Hospitals Patient Records Management System version 1.0. An authenticated administrator with high privileges can inject malicious scripts through the room_types page by manipulating the room parameter. When another user visits the affected page, the injected script executes in their browser, potentially allowing session hijacking, credential theft, or malware distribution. The vulnerability requires both administrative access to initiate the attack and user interaction (clicking a link or visiting a crafted URL) for the payload to execute. While the CVSS score is low, the healthcare context and potential for patient data exposure warrant careful attention.
- CVE-2026-11491LOW 2.4
CodeAstro Human Resource Management System version 1.0 contains a stored cross-site scripting (XSS) vulnerability in its Notice Board Management feature. An attacker with high privileges can inject malicious JavaScript into the Notice Title field, which is then executed in the browsers of other users viewing that notice. The vulnerability requires user interaction (a victim must view the affected notice) and has already been disclosed publicly with exploit code available.