Total
41413 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-58025 | 2 Averta, Wordpress | 2 Master Slider, Wordpress | 2026-01-23 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in averta Master Slider allows Stored XSS. This issue affects Master Slider: from n/a through 3.11.0. | ||||
| CVE-2025-58234 | 2 Joomsky, Wordpress | 2 Js Job Manager, Wordpress | 2026-01-23 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in JoomSky JS Job Manager allows Stored XSS. This issue affects JS Job Manager: from n/a through 2.0.2. | ||||
| CVE-2021-47817 | 1 Openemr | 1 Openemr | 2026-01-22 | 5.4 Medium |
| OpenEMR 5.0.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript through user profile parameters. Attackers can exploit the vulnerability by crafting a malicious payload to download and execute a web shell, enabling remote command execution on the vulnerable OpenEMR instance. | ||||
| CVE-2021-47857 | 1 Moodle | 1 Moodle | 2026-01-22 | 7.2 High |
| Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in the calendar event subtitle field that allows attackers to inject malicious scripts. Attackers can craft a calendar event with malicious JavaScript in the subtitle track label to execute arbitrary code when users view the event. | ||||
| CVE-2021-47858 | 1 Genexis | 1 Platinum-4410 | 2026-01-22 | 7.2 High |
| Genexis Platinum-4410 P4410-V2-1.31A contains a stored cross-site scripting vulnerability in the 'start_addr' parameter of the Security Management interface. Attackers can inject malicious scripts through the start source address field that will persist and trigger for privileged users when they access the security management page. | ||||
| CVE-2025-64217 | 2 Themegoods, Wordpress | 2 Photography, Wordpress | 2026-01-22 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Photography photography allows Reflected XSS.This issue affects Photography: from n/a through <= 7.7.2. | ||||
| CVE-2025-66939 | 1 Altumcode | 1 66biolinks | 2026-01-22 | 5.4 Medium |
| Cross Site Scripting vulnerability in 66biolinks by AltumCode v.61.0.1 allows an attacker to execute arbitrary code via a crafted favicon file | ||||
| CVE-2026-23887 | 1 Intermesh | 1 Group-office | 2026-01-22 | N/A |
| Group-Office is an enterprise customer relationship management and groupware tool. In versions 6.8.148 and below, and 25.0.1 through 25.0.79, the application stores unsanitized filenames in the database, which can lead to Stored Cross-Site Scripting (XSS). Users who interact with these specially crafted file names within the Group-Office application are affected. While the scope is limited to the file-viewing context, it could still be used to interfere with user sessions or perform unintended actions in the browser. This issue is fixed in versions 6.8.149 and 25.0.80. | ||||
| CVE-2025-67922 | 2 Themegoods, Wordpress | 2 Grand Restaurant, Wordpress | 2026-01-22 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Restaurant grandrestaurant allows Reflected XSS.This issue affects Grand Restaurant: from n/a through < 7.0.9. | ||||
| CVE-2025-47777 | 1 5ire | 1 5ire | 2026-01-22 | 9.7 Critical |
| 5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Versions prior to 0.11.1 are vulnerable to stored cross-site scripting in chatbot responses due to insufficient sanitization. This, in turn, can lead to Remote Code Execution (RCE) via unsafe Electron protocol handling and exposed Electron APIs. All users of 5ire client versions prior to patched releases, particularly those interacting with untrusted chatbots or pasting external content, are affected. Version 0.11.1 contains a patch for the issue. | ||||
| CVE-2026-24361 | 2026-01-22 | 6.5 Medium | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress – Course Review learnpress-course-review allows Stored XSS.This issue affects LearnPress – Course Review: from n/a through <= 4.1.9. | ||||
| CVE-2021-47750 | 1 Youphptube | 1 Youphptube | 2026-01-22 | 6.1 Medium |
| YouPHPTube <= 7.8 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the redirectUri parameter in the signup page. Attackers can craft special signup URLs with embedded script tags to execute arbitrary JavaScript in victims' browsers when they access the signup page. | ||||
| CVE-2025-58357 | 2 5ire, 5ire Project | 2 5ire, 5ire | 2026-01-22 | 9.7 Critical |
| 5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Version 0.13.2 contains a vulnerability in the chat page's script gadgets that enables content injection attacks through multiple vectors: malicious prompt injection pages, compromised MCP servers, and exploited tool integrations. This is fixed in version 0.14.0. | ||||
| CVE-2025-52735 | 2 Wordpress, Xlplugins | 2 Wordpress, Nextmove | 2026-01-22 | 7.3 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite allows Reflected XSS.This issue affects NextMove Lite: from n/a through <= 2.21.0. | ||||
| CVE-2025-62969 | 2 Wordpress, Xlplugins | 2 Wordpress, Nextmove | 2026-01-22 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite allows Stored XSS.This issue affects NextMove Lite: from n/a through <= 2.21.0. | ||||
| CVE-2024-32702 | 1 Reputeinfosystems | 1 Arforms | 2026-01-22 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Repute info systems ARForms allows Reflected XSS.This issue affects ARForms: from n/a through 6.4. | ||||
| CVE-2025-27379 | 1 Altium | 1 Aes | 2026-01-22 | 6.8 Medium |
| A stored cross-site scripting (XSS) vulnerability in the BOM Viewer in Altium AES 7.0.3 allows an authenticated attacker to inject arbitrary JavaScript into the Description field of a schematic, which is executed when the BOM Viewer renders the affected content. | ||||
| CVE-2025-10180 | 1 Wordpress | 1 Wordpress | 2026-01-22 | 6.4 Medium |
| The Markdown Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'markdown' shortcode in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-27380 | 1 Altium | 1 Aes | 2026-01-22 | 7.6 High |
| HTML injection in Project Release in Altium Enterprise Server (AES) 7.0.3 on all platforms allows an authenticated attacker to execute arbitrary JavaScript in the victim’s browser via crafted HTML content. | ||||
| CVE-2025-5591 | 1 Kentico | 1 Xperience | 2026-01-22 | 5.4 Medium |
| Kentico Xperience 13 is vulnerable to a stored cross-site scripting attack via a form component, allowing an attacker to hijack a victim user’s session and perform actions in their security context. | ||||