Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2022-1896

Summary
Assigner-WPScan
Assigner Org ID-1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81
Published At-20 Jun, 2022 | 10:26
Updated At-03 Aug, 2024 | 00:17
Rejected At-
Credits

underConstruction < 1.21 - Admin+ Stored Cross-Site Scripting

The underConstruction WordPress plugin before 1.21 does not sanitise or escape the "Display a custom page using your own HTML" setting before outputting it, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiletred_html capability is disallowed.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:WPScan
Assigner Org ID:1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81
Published At:20 Jun, 2022 | 10:26
Updated At:03 Aug, 2024 | 00:17
Rejected At:
▼CVE Numbering Authority (CNA)
underConstruction < 1.21 - Admin+ Stored Cross-Site Scripting

The underConstruction WordPress plugin before 1.21 does not sanitise or escape the "Display a custom page using your own HTML" setting before outputting it, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiletred_html capability is disallowed.

Affected Products
Vendor
Unknown
Product
underConstruction
Versions
Affected
  • From 1.21 before 1.21 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Cross-site Scripting (XSS)
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Cross-site Scripting (XSS)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Asif Nawaz Minhas
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://wpscan.com/vulnerability/3e8bd875-2435-4a15-8ee8-8a00882b499c
x_refsource_MISC
Hyperlink: https://wpscan.com/vulnerability/3e8bd875-2435-4a15-8ee8-8a00882b499c
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://wpscan.com/vulnerability/3e8bd875-2435-4a15-8ee8-8a00882b499c
x_refsource_MISC
x_transferred
Hyperlink: https://wpscan.com/vulnerability/3e8bd875-2435-4a15-8ee8-8a00882b499c
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:contact@wpscan.com
Published At:20 Jun, 2022 | 11:15
Updated At:28 Jun, 2022 | 17:02

The underConstruction WordPress plugin before 1.21 does not sanitise or escape the "Display a custom page using your own HTML" setting before outputting it, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiletred_html capability is disallowed.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.14.8MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Primary2.03.5LOW
AV:N/AC:M/Au:S/C:N/I:P/A:N
Type: Primary
Version: 3.1
Base score: 4.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Type: Primary
Version: 2.0
Base score: 3.5
Base severity: LOW
Vector:
AV:N/AC:M/Au:S/C:N/I:P/A:N
CPE Matches
underconstruction_project
underconstruction_project
>>underconstruction>>Versions before 1.21(exclusive)
cpe:2.3:a:underconstruction_project:underconstruction:*:*:*:*:*:wordpress:*:*
Weaknesses
CWE IDTypeSource
CWE-79Primarycontact@wpscan.com
CWE ID: CWE-79
Type: Primary
Source: contact@wpscan.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://wpscan.com/vulnerability/3e8bd875-2435-4a15-8ee8-8a00882b499ccontact@wpscan.com
Exploit
Third Party Advisory
Hyperlink: https://wpscan.com/vulnerability/3e8bd875-2435-4a15-8ee8-8a00882b499c
Source: contact@wpscan.com
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

8713Records found
CVE-2025-3996
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.8||MEDIUM
EPSS-0.16% / 36.65%
||
7 Day CHG~0.00%
Published-28 Apr, 2025 | 02:00
Updated-28 May, 2025 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TOTOLINK N150RT MAC Filtering Page home.htm cross site scripting

A vulnerability was found in TOTOLINK N150RT 3.4.0-B20190525. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /home.htm of the component MAC Filtering Page. The manipulation of the argument Comment leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-TOTOLINK
Product-n150rt_firmwaren150rtN150RT
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2019-13070
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.22% / 44.82%
||
7 Day CHG~0.00%
Published-09 Jul, 2019 | 18:05
Updated-04 Aug, 2024 | 23:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A stored XSS vulnerability in the Agent/Center component of CyberPower PowerPanel Business Edition 3.4.0 allows a privileged attacker to embed malicious JavaScript in the SNMP trap receivers form. Upon visiting the /agent/action_recipient Event Action/Recipient page, the embedded code will be executed in the browser of the victim.

Action-Not Available
Vendor-cyberpowersystemsn/a
Product-powerpaneln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-10851
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.29% / 52.80%
||
7 Day CHG~0.00%
Published-01 Aug, 2019 | 14:48
Updated-06 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

cPanel before 11.54.0.4 allows self XSS in the WHM PHP Configuration editor interface (SEC-84).

Action-Not Available
Vendor-n/acPanel (WebPros International, LLC)
Product-cpaneln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-50514
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.14% / 32.87%
||
7 Day CHG~0.00%
Published-19 Nov, 2024 | 16:32
Updated-11 May, 2026 | 22:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Ninja Forms – The Contact Form Builder That Grows With You plugin <= 3.8.16 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kevin Stover Ninja Forms ninja-forms allows Stored XSS.This issue affects Ninja Forms: from n/a through <= 3.8.16.

Action-Not Available
Vendor-Kevin StoverSaturday Drive, INC
Product-ninja_formsNinja Forms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-28695
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.08% / 23.44%
||
7 Day CHG~0.00%
Published-22 Jun, 2023 | 08:37
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress VigilanTor Plugin <= 1.3.10 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Drew Phillips VigilanTor plugin <= 1.3.10 versions.

Action-Not Available
Vendor-vigilantor_projectDrew Phillips
Product-vigilantorVigilanTor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-10781
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.33% / 56.24%
||
7 Day CHG~0.00%
Published-06 Aug, 2019 | 12:52
Updated-06 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

cPanel before 60.0.25 allows self XSS in the UI_confirm API (SEC-180).

Action-Not Available
Vendor-n/acPanel (WebPros International, LLC)
Product-cpaneln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-50355
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.08% / 24.51%
||
7 Day CHG~0.00%
Published-15 Nov, 2024 | 15:41
Updated-20 Nov, 2024 | 14:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LibreNMS has a Persistent XSS from Insecure Input Sanitization Affects Multiple Endpoints

LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. User with Admin role can edit the Display Name of a device, the application did not properly sanitize the user input in the device Display Name, if java script code is inside the name of the device Display Name, its can be trigger from different sources. This vulnerability is fixed in 24.10.0.

Action-Not Available
Vendor-LibreNMS
Product-librenmslibrenmslibrenms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-0945
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-9||CRITICAL
EPSS-0.35% / 57.58%
||
7 Day CHG~0.00%
Published-15 Mar, 2022 | 03:50
Updated-02 Aug, 2024 | 23:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS viva axd and cshtml file upload in star7th/showdoc in star7th/showdoc

Stored XSS viva axd and cshtml file upload in star7th/showdoc in GitHub repository star7th/showdoc prior to v2.10.4.

Action-Not Available
Vendor-showdocstar7th
Product-showdocstar7th/showdoc
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-10784
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.33% / 56.24%
||
7 Day CHG~0.00%
Published-06 Aug, 2019 | 12:55
Updated-06 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

cPanel before 60.0.25 allows self XSS in the alias upload interface (SEC-184).

Action-Not Available
Vendor-n/acPanel (WebPros International, LLC)
Product-cpaneln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-51495
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.90% / 75.98%
||
7 Day CHG~0.00%
Published-15 Nov, 2024 | 15:44
Updated-20 Nov, 2024 | 14:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LibreNMS has a Stored XSS ('Cross-site Scripting') in librenms/includes/html/dev-overview-data.inc.php

LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the Device Overview page allows authenticated users to inject arbitrary JavaScript through the "overwrite_ip" parameter when editing a device. This vulnerability results in the execution of malicious code when the device overview page is visited, potentially compromising the accounts of other users. This vulnerability is fixed in 24.10.0.

Action-Not Available
Vendor-LibreNMS
Product-librenmslibrenmslibrenms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-12950
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.21% / 42.63%
||
7 Day CHG~0.00%
Published-06 Aug, 2019 | 16:16
Updated-04 Aug, 2024 | 23:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in TeamPass 2.1.27.35. From the sources/items.queries.php "Import items" feature, it is possible to load a crafted CSV file with an XSS payload.

Action-Not Available
Vendor-teampassn/a
Product-teampassn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-12566
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.31% / 54.45%
||
7 Day CHG~0.00%
Published-02 Jun, 2019 | 23:34
Updated-04 Aug, 2024 | 23:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The WP Statistics plugin through 12.6.5 for Wordpress has stored XSS in includes/class-wp-statistics-pages.php. This is related to an account with the Editor role creating a post with a title that contains JavaScript, to attack an admin user.

Action-Not Available
Vendor-veronalabsn/a
Product-wp_statisticsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-50515
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.14% / 32.87%
||
7 Day CHG~0.00%
Published-19 Nov, 2024 | 16:32
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Ninja Forms – The Contact Form Builder That Grows With You plugin <= 3.8.16 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kevin Stover Ninja Forms ninja-forms allows Stored XSS.This issue affects Ninja Forms: from n/a through <= 3.8.16.

Action-Not Available
Vendor-Kevin StoverSaturday Drive, INC
Product-ninja_formsNinja Forms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-10774
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.25% / 48.28%
||
7 Day CHG~0.00%
Published-05 Aug, 2019 | 12:57
Updated-06 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

cPanel before 60.0.25 allows self XSS in the tail_ea4_migration.cgi interface (SEC-172).

Action-Not Available
Vendor-n/acPanel (WebPros International, LLC)
Product-cpaneln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-2802
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.10% / 26.09%
||
7 Day CHG~0.00%
Published-14 Aug, 2023 | 19:10
Updated-09 Oct, 2024 | 13:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ultimate Addons for Contact Form 7 < 3.1.29 - Admin+ Stored XSS

The Ultimate Addons for Contact Form 7 WordPress plugin before 3.1.29 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Action-Not Available
Vendor-themeficUnknown
Product-ultimate_addons_for_contact_form_7Ultimate Addons for Contact Form 7
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-50849
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.71% / 72.50%
||
7 Day CHG~0.00%
Published-18 Nov, 2024 | 00:00
Updated-20 Oct, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Stored Cross-Site Scripting (XSS) vulnerability in the "Rules" functionality of WorldServer v11.8.2 allows a remote authenticated attacker to execute arbitrary JavaScript code.

Action-Not Available
Vendor-rwsn/a
Product-worldservern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-51223
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 14.59%
||
7 Day CHG~0.00%
Published-23 Mar, 2026 | 00:00
Updated-24 Mar, 2026 | 18:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A stored cross-site scripting (XSS) vulnerability in the component /admin/profile.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Mobile Number parameter.

Action-Not Available
Vendor-n/aPHPGurukul LLP
Product-vehicle_record_management_systemn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-0965
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-9||CRITICAL
EPSS-0.38% / 59.79%
||
7 Day CHG~0.00%
Published-15 Mar, 2022 | 15:35
Updated-02 Aug, 2024 | 23:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS viva .ofd file upload in star7th/showdoc

Stored XSS viva .ofd file upload in GitHub repository star7th/showdoc prior to 2.10.4.

Action-Not Available
Vendor-showdocstar7th
Product-showdocstar7th/showdoc
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-0967
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.9||MEDIUM
EPSS-0.83% / 74.80%
||
7 Day CHG~0.00%
Published-15 Mar, 2022 | 15:35
Updated-02 Aug, 2024 | 23:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS via File Upload in star7th/showdoc in star7th/showdoc in star7th/showdoc

Stored XSS via File Upload in star7th/showdoc in star7th/showdoc in GitHub repository star7th/showdoc prior to 2.10.4.

Action-Not Available
Vendor-showdocstar7th
Product-showdocstar7th/showdoc
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-27990
Matching Score-4
Assigner-Zyxel Corporation
ShareView Details
Matching Score-4
Assigner-Zyxel Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.37% / 58.89%
||
7 Day CHG~0.00%
Published-24 Apr, 2023 | 00:00
Updated-25 Feb, 2026 | 17:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The cross-site scripting (XSS) vulnerability in Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow an authenticated attacker with administrator privileges to store malicious scripts in a vulnerable device. A successful XSS attack could then result in the stored malicious scripts being executed when the user visits the Logs page of the GUI on the device.

Action-Not Available
Vendor-Zyxel Networks Corporation
Product-usg_flex_50wvpn100usg_flex_100w_firmwareusg20-vpnatp700_firmwareatp100w_firmwareusg_20w-vpn_firmwareatp800vpn300_firmwarevpn50atp200vpn1000_firmwareusg_flex_500vpn50_firmwareusg_flex_50w_firmwareusg_flex_100_firmwareusg_flex_200_firmwareatp100watp800_firmwareusg_flex_50atp500_firmwareusg_flex_700_firmwareatp500atp100usg_flex_200atp700usg_flex_100usg_flex_100wvpn1000atp100_firmwarevpn100_firmwarevpn300usg_flex_500_firmwareusg_flex_700usg_20w-vpnusg_flex_50_firmwareatp200_firmwareusg20-vpn_firmwareATP series firmwareVPN series firmwareUSG FLEX series firmwareUSG FLEX 50(W) firmwareUSG20(W)-VPN firmware
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-49764
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.90% / 75.94%
||
7 Day CHG~0.00%
Published-15 Nov, 2024 | 15:27
Updated-20 Nov, 2024 | 14:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LibreNMS has a Stored XSS ('Cross-site Scripting') in librenms/includes/html/pages/device/capture.inc.php

LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the "Capture Debug Information" page allows authenticated users to inject arbitrary JavaScript through the "hostname" parameter when creating a new device. This vulnerability results in the execution of malicious code when the "Capture Debug Information" page is visited, redirecting the user and sending non-httponly cookies to an attacker-controlled domain. This vulnerability is fixed in 24.10.0.

Action-Not Available
Vendor-LibreNMS
Product-librenmslibrenmslibrenms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-1395
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.72%
||
7 Day CHG~0.00%
Published-30 May, 2022 | 08:35
Updated-03 Aug, 2024 | 00:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Easy FAQ with Expanding Text <= 3.2.8.3.1 - Admin+ Stored Cross-Site Scripting

The Easy FAQ with Expanding Text WordPress plugin through 3.2.8.3.1 does not sanitise and escape its settings, allowing high privilege users to perform Cross-Site Scripting attacks when unfiltered_html is disallowed

Action-Not Available
Vendor-easy_faq_with_expanding_text_projectUnknown
Product-easy_faq_with_expanding_textEasy FAQ with Expanding Text
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-10783
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.33% / 56.24%
||
7 Day CHG~0.00%
Published-06 Aug, 2019 | 12:54
Updated-06 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

cPanel before 60.0.25 allows self stored XSS in SSL_listkeys (SEC-182).

Action-Not Available
Vendor-n/acPanel (WebPros International, LLC)
Product-cpaneln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-10776
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.33% / 56.24%
||
7 Day CHG~0.00%
Published-06 Aug, 2019 | 12:47
Updated-06 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

cPanel before 60.0.25 allows stored XSS during the homedir removal phase of WHM Account termination (SEC-174).

Action-Not Available
Vendor-n/acPanel (WebPros International, LLC)
Product-cpaneln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-0966
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.4||MEDIUM
EPSS-0.22% / 44.82%
||
7 Day CHG~0.00%
Published-15 Mar, 2022 | 15:35
Updated-02 Aug, 2024 | 23:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS via File Upload in star7th/showdoc in star7th/showdoc

Stored XSS via File Upload in star7th/showdoc in GitHub repository star7th/showdoc prior to 2.4.10.

Action-Not Available
Vendor-showdocstar7th
Product-showdocstar7th/showdoc
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-10778
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.33% / 56.24%
||
7 Day CHG~0.00%
Published-06 Aug, 2019 | 12:48
Updated-06 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

cPanel before 60.0.25 allows self stored XSS in the listftpstable API (SEC-178).

Action-Not Available
Vendor-n/acPanel (WebPros International, LLC)
Product-cpaneln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-0937
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.3||MEDIUM
EPSS-0.18% / 39.38%
||
7 Day CHG~0.00%
Published-14 Mar, 2022 | 02:35
Updated-02 Aug, 2024 | 23:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored xss in showdoc through file upload in star7th/showdoc

Stored xss in showdoc through file upload in GitHub repository star7th/showdoc prior to 2.10.4.

Action-Not Available
Vendor-showdocstar7th
Product-showdocstar7th/showdoc
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-1938
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.72% / 72.77%
||
7 Day CHG~0.00%
Published-11 Jul, 2022 | 12:56
Updated-03 Aug, 2024 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Awin Data Feed < 1.8 - Unauthenticated Stored Cross-Site Scripting

The Awin Data Feed WordPress plugin before 1.8 does not sanitise and escape a header when processing request to generate analytics data, allowing unauthenticated users to perform Stored Cross-Site Scripting attacks against a logged in admin viewing the plugin's settings

Action-Not Available
Vendor-awinUnknown
Product-awin_data_feedAwin Data Feed
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-49392
Matching Score-4
Assigner-Acronis International GmbH
ShareView Details
Matching Score-4
Assigner-Acronis International GmbH
CVSS Score-5.7||MEDIUM
EPSS-0.32% / 55.17%
||
7 Day CHG~0.00%
Published-17 Oct, 2024 | 09:48
Updated-18 Oct, 2024 | 20:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Stored cross-site scripting (XSS) vulnerability on enrollment invitation page. The following products are affected: Acronis Cyber Files (Windows) before build 9.0.0x24.

Action-Not Available
Vendor-Acronis (Acronis International GmbH)
Product-cyber_filesAcronis Cyber Filescyber_files
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-10813
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.25% / 48.50%
||
7 Day CHG~0.00%
Published-01 Aug, 2019 | 18:54
Updated-06 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

cPanel before 57.9999.54 allows self XSS during ftp account creation under addon domains (SEC-118).

Action-Not Available
Vendor-n/acPanel (WebPros International, LLC)
Product-cpaneln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-28106
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.07% / 21.38%
||
7 Day CHG~0.00%
Published-16 Mar, 2023 | 16:31
Updated-25 Feb, 2025 | 14:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pimcore vulnerable to Cross-site Scripting in UrlSlug Data type

Pimcore is an open source data and experience management platform. Prior to version 10.5.19, an attacker can use cross-site scripting to send a malicious script to an unsuspecting user. Users may upgrade to version 10.5.19 to receive a patch or, as a workaround, apply the patch manually.

Action-Not Available
Vendor-Pimcore
Product-pimcorepimcore
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-0906
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-4.3||MEDIUM
EPSS-0.24% / 46.41%
||
7 Day CHG~0.00%
Published-10 Mar, 2022 | 14:55
Updated-02 Aug, 2024 | 23:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unrestricted file upload leads to stored XSS in microweber/microweber

Unrestricted file upload leads to stored XSS in GitHub repository microweber/microweber prior to 1.1.12.

Action-Not Available
Vendor-Microweber (‘Microweber Academy’ Foundation)
Product-microwebermicroweber/microweber
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4970
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.32% / 55.42%
||
7 Day CHG~0.00%
Published-21 Jun, 2024 | 06:00
Updated-18 Mar, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Widget Bundle <= 2.0.0 - Admin+ Stored XSS

The Widget Bundle WordPress plugin through 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Action-Not Available
Vendor-devnath_vermaUnknown
Product-widget_bundleWidget Bundle
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-28636
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.5||MEDIUM
EPSS-1.00% / 77.19%
||
7 Day CHG~0.00%
Published-05 Apr, 2023 | 17:21
Updated-10 Feb, 2025 | 16:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GLPI vulnerable to stored Cross-site Scripting in external links

GLPI is a free asset and IT management software package. Starting in version 0.60 and prior to versions 9.5.13 and 10.0.7, a vulnerability allows an administrator to create a malicious external link. This issue is fixed in versions 9.5.13 and 10.0.7.

Action-Not Available
Vendor-GLPI Project
Product-glpiglpi
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-28651
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-4.8||MEDIUM
EPSS-16.25% / 94.91%
||
7 Day CHG~0.00%
Published-01 Jun, 2023 | 00:00
Updated-09 Jan, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting vulnerability exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. If a user who can access the affected product with an administrative privilege configures specially crafted settings, an arbitrary script may be executed on the web browser of the other user who is accessing the affected product with an administrative privilege.

Action-Not Available
Vendor-contecContec Co., Ltd.
Product-conprosys_hmi_systemCONPROSYS HMI System (CHS)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-1646
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.72%
||
7 Day CHG~0.00%
Published-30 May, 2022 | 08:36
Updated-03 Aug, 2024 | 00:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple Real Estate Pack <= 1.4.8 - Admin+ Stored Cross Site Scripting

The Simple Real Estate Pack WordPress plugin through 1.4.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed

Action-Not Available
Vendor-simple_real_estate_pack_projectUnknown
Product-simple_real_estate_packSimple Real Estate Pack
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-49696
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.16% / 36.15%
||
7 Day CHG~0.00%
Published-24 Oct, 2024 | 12:29
Updated-11 May, 2026 | 21:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Photo Gallery, Images, Slider in Rbs Image Gallery plugin <= 3.2.21 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in robosoft Robo Gallery robo-gallery allows Stored XSS.This issue affects Robo Gallery: from n/a through <= 3.2.21.

Action-Not Available
Vendor-robosoftrobosoft
Product-robo_galleryRobo Gallery
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-36580
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-6.1||MEDIUM
EPSS-0.19% / 40.28%
||
7 Day CHG~0.00%
Published-10 Jun, 2025 | 17:39
Updated-11 Jul, 2025 | 15:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell Wyse Management Suite, versions prior to WMS 5.2, contain an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Script injection

Action-Not Available
Vendor-Dell Inc.
Product-wyse_management_suiteWyse Management Suite
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-28790
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.13% / 31.54%
||
7 Day CHG~0.00%
Published-27 Sep, 2023 | 05:14
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Simple Staff List Plugin <= 2.2.3 is vulnerable to Cross Site Scripting (XSS)

Auth. (editor+) Stored Cross-Site Scripting (XSS) vulnerability in Brett Shumaker Simple Staff List plugin <= 2.2.3 versions.

Action-Not Available
Vendor-simple_staff_list_projectBrett Shumaker
Product-simple_staff_listSimple Staff List
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-48870
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-6.2||MEDIUM
EPSS-0.38% / 59.81%
||
7 Day CHG~0.00%
Published-25 Oct, 2024 | 06:18
Updated-05 Nov, 2024 | 19:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Sharp and Toshiba Tec MFPs improperly validate input data in URI data registration, resulting in a stored cross-site scripting vulnerability. If crafted input is stored by an administrative user, malicious script may be executed on the web browsers of other victim users.

Action-Not Available
Vendor-toshibatecsharpToshiba Tec CorporationSharp Corporation
Product-mx-m6050bp-c542wd_firmwaremx-5110n_firmwaremx-c381_firmwaremx-m6070_abp-b547wdmx-m365n_a_firmwaremx-3570n_firmwaremx-m6071_firmwarebp-60c36_firmwarebp-70m31bp-90c80bp-c533wd_firmwaremx-c400p_firmwaremx-3101nmx-4070n_a_firmwaremx-3070v_amx-m3571_firmwaremx-m3571mx-2651_firmwaremx-m464n_firmwaremx-m2651mx-5070v_firmwaremx-3111umx-b355wz_firmwaremx-4140nmx-4060v_firmwarebp-b550wdmx-5140n_firmwaremx-m5051mx-3050v_amx-b376w_firmwaremx-2600gmx-c303wh_firmwarebp-70c55_firmwaremx-2601nmx-m564n_amx-b376whmx-4071s_firmwaremx-3550v_firmwaremx-m3071_firmwaremx-b456whmx-m356uvmx-c311mx-m904bp-50c26mx-m753u_firmwaremx-m264ue-studio1058_firmwaremx-2640nrmx-m315nmx-b400pmx-2314nrbp-30c25z_firmwaremx-3550n_firmwaredx-c401_j_firmwaremx-m315u_firmwaremx-c303mx-2610nmx-m316nvmx-m314nmx-m4070_amx-b476wh_firmwaremx-m6070_firmwarebp-30m28t_firmwaremx-m4070mx-m453u_firmwaremx-m1206_firmwaremx-m265nv_firmwaremx-m3070_firmwaremx-3100gmx-m265ne_firmwaremx-c401_firmwaremx-m315uv_firmwaremx-3070v_firmwaremx-b355wt_firmwaremx-m1055bp-c535wrmx-m623umx-2610n_firmwaremx-m264u_firmwaremx-m314nr_firmwaremx-7040nmx-3571smx-m4071s_firmwaremx-m3551bp-70c55mx-m354n_firmwaremx-c312_firmwaremx-4111n_firmwaree-studio908_firmwaremx-c380mx-m265uvmx-c402sc_firmwarebp-90c80_firmwaredx-c400mx-b356whmx-m315ne_firmwaremx-1810umx-6050v_firmwaremx-4070v_firmwaremx-m754nmx-2615n_firmwarebp-70m75_firmwaremx-2615nmx-4071smx-5000nmx-c303w_firmwaredx-c400_firmwaremx-6580nmx-c304wh_firmwaremx-m365n_abp-50c65_firmwaremx-m7570mx-3060nmx-3610nrmx-b376wmx-7081_firmwarebp-70m36_firmwarebp-50c55_firmwaremx-3110nmx-m1205mx-b402pmx-m4050_firmwaremx-c382scmx-c310_firmwaremx-m503nmx-3115nmx-m565nmx-3070v_a_firmwaredx-2000u_firmwaremx-m1056mx-m3551_firmwaremx-m3051_firmwaremx-m264nr_firmwaremx-m453nmx-c303whmx-2630nmx-m6071mx-c380p_firmwaremx-3050n_abp-70c65bp-30c25tbp-60c31_firmwarebp-70c36_firmwaremx-4051mx-m364nmx-3061mx-5112nmx-b402scmx-7500n_firmwaremx-m356uv_firmwaremx-3101n_firmwaremx-b382p_firmwaremx-m3550_firmwaremx-4110n_firmwaremx-b382scmx-3116n_firmwaremx-m654nbp-b537wr_firmwaremx-m354ubp-50c36mx-2601n_firmwaremx-b382_firmwaremx-3640n_firmwaremx-m6070mx-5000n_firmwaremx-m3571s_firmwaremx-3070n_amx-3640nr_firmwaremx-m3071smx-m363n_firmwaremx-8090nmx-m315uvbp-30m31_firmwaremx-2640n_firmwaremx-3551_firmwaremx-b476w_firmwaremx-m314n_firmwaremx-6071_firmwaremx-m753umx-3110n_a_firmwaremx-b355wzmx-m503umx-m6051_firmwaremx-c301wmx-c381mx-5071mx-m2651_firmwaremx-5110ne-studio1208_firmwaremx-m265v_firmwaremx-m264nmx-m363nmx-c304whmx-2600n_firmwaremx-m365n_firmwaremx-m6070_a_firmwaremx-6050vdx-c381mx-m5050_firmwaremx-3110n_firmwaremx-2614nmx-b402_firmwaremx-b382pmx-m905mx-3610nr_firmwaremx-m3570_firmwarebp-50c31mx-3561mx-m1205_firmwaremx-2600nmx-4070n_amx-c382scb_firmwarebp-b537wrbp-70c31_firmwaremx-m465n_firmwaremx-5051_firmwaremx-b455wmx-c304wmx-5071s_firmwarebp-50m26mx-4141nbp-50m26_firmwaremx-3110n_abp-50m45mx-3570v_firmwaremx-m4070_a_firmwaremx-m265n_firmwaremx-m4071smx-2615_amx-m564nmx-b382bp-c542wdmx-m265umx-c303wmx-m364n_firmwaremx-m316nv_firmwarebp-70m45bp-70m75bp-c535wdmx-6070v_a_firmwaredx-c311_firmwarebp-30m35_firmwaremx-b476whmx-m503u_firmwaremx-m754n_ae-studio1058mx-3071s_firmwaremx-2310u_firmwaremx-m354nrmx-m3550mx-4061smx-4050n_firmwaremx-4060nmx-3561s_firmwarebp-60c31mx-7090n_firmwaremx-m314umx-c380_firmwaredx-c311j_firmwaremx-4071mx-7081mx-m565n_firmwaremx-m356u_firmwaremx-3140nmx-3561_firmwaremx-m453umx-b476wmx-b381dx-c311jmx-3560vmx-m363u_firmwaremx-b455wz_firmwaremx-2616nmx-4101nmx-m5071_firmwaremx-6070n_a_firmwaremx-4071_firmwaremx-2616n_firmwarebp-30c25_firmwaremx-m356nv_firmwaremx-m5050bp-70m65_firmwaremx-m265nvmx-m314nv_firmwaremx-m266nvdx-c310_firmwaremx-5111nmx-b400p_firmwarebp-30m35mx-8081_firmwaremx-3071_firmwarebp-30m31t_firmwaremx-6580n_firmwaremx-2640nr_firmwarebp-b540wrmx-m283nmx-m5070_firmwarebp-30m28tmx-8090n_firmwarebp-c545wdmx-m264nrmx-m316nbp-c533wdmx-1810u_firmwaremx-m3071s_firmwaremx-4050v_firmwarebp-30m31mx-b355wtmx-3114nmx-2314nmx-5071_firmwaremx-b402sc_firmwaremx-m465nmx-3111u_firmwaremx-c303_firmwaremx-m365nmx-4100n_firmwaremx-7500nmx-4101n_firmwarebp-70m90_firmwarebp-90c70mx-3050nbp-60c36mx-b455wt_firmwaremx-4060n_firmwaremx-3070vmx-3050v_a_firmwarebp-50c26_firmwaremx-3570vmx-c304w_firmwaremx-m754n_firmwaremx-m465n_amx-m3050mx-6050n_firmwaremx-3610n_firmwaremx-4110nmx-5070n_firmwaremx-4140n_amx-m5070dx-c401_jmx-m356ubp-50c45_firmwaremx-4061_firmwaremx-4112n_firmwaremx-c382scbmx-3061smx-m315umx-3070n_firmwaremx-m356nvmx-3571s_firmwaremx-3560v_firmwaremx-3061_firmwaremx-m266nv_firmwarebp-30c25mx-b402mx-b455w_firmwaredx-c311mx-3571mx-7580n_firmwaremx-m314u_firmwaremx-m315nvmx-m265vmx-3100nmx-m1206mx-7090nmx-c301w_firmwaremx-3114n_firmwaremx-2600g_firmwarebp-30c25ymx-5141nmx-m4051dx-2500nmx-c301bp-50c55mx-c381bmx-2614n_firmwaremx-4070n_firmwaremx-m3570mx-m654n_firmwarebp-55c26_firmwaremx-5050n_firmwaremx-5070vmx-3140n_a_firmwaremx-m5051_firmwaremx-6071s_firmwaremx-5051mx-c400_firmwaremx-4061s_firmwaremx-3051mx-b456wh_firmwaremx-5141n_firmwaremx-b456we-studio1208mx-m3070mx-m4071_firmwaremx-3060v_firmwaremx-6071mx-4111nmx-m464nbp-30m35t_firmwaremx-m4051_firmwaremx-m6071s_firmwaremx-3140nrmx-m5071mx-2615_a_firmwaremx-4050nbp-70c31mx-m3050_firmwaremx-m4070_firmwaremx-3061s_firmwaremx-m314nrmx-3640nrmx-3070nmx-m356nmx-c301_firmwarebp-b540wr_firmwaremx-m1204mx-4070v_amx-m266n_firmwarebp-70m65mx-c380pmx-c304mx-6500ndx-c401_firmwaremx-b356wh_firmwaremx-3115n_firmwaremx-3551mx-3050v_firmwaremx-2301nbp-70c36mx-3050n_firmwaremx-m6050_firmwaremx-m905_firmwaremx-3100n_firmwaremx-6240n_firmwaremx-b401_firmwaremx-m4071bp-c535wd_firmwaremx-c400pbp-50c45mx-m7570_firmwarebp-30m31tmx-m3571smx-4100nmx-8081mx-2630n_firmwaremx-b355w_firmwarebp-70m31_firmwaremx-4112nbp-50m31mx-m453n_firmwaremx-2301n_firmwaremx-3140n_firmwaremx-m654n_a_firmwaremx-m266nmx-6070n_firmwarebp-30c25y_firmwaremx-3570nbp-70m55bp-30m28_firmwaremx-m264nvmx-5050vmx-m654n_amx-4140n_firmwaremx-5071sbp-c533wrmx-b455wtmx-m3050_a_firmwaremx-3060vmx-5001nmx-c312mx-m265uv_firmwaremx-3140nr_firmwaremx-m753n_firmwaremx-m3071mx-4060vbp-55c26mx-3071smx-3560n_firmwaremx-b455wzmx-2310rmx-m465n_a_firmwarebp-c535wr_firmwaremx-m315vmx-m316n_firmwarebp-50c31_firmwaremx-5070nmx-m1056_firmwaremx-c304_firmwarebp-c545wd_firmwaremx-2310umx-m264nv_firmwarebp-50m36_firmwaredx-c401bp-70m90mx-3610nmx-7580nbp-b550wd_firmwaremx-4061dx-c310bp-50m45_firmwarebp-50m55_firmwaremx-6070v_amx-m363umx-b401mx-3140n_abp-30c25t_firmwaremx-2314nr_firmwaremx-2310r_firmwaremx-3560nbp-50m31_firmwaremx-b376wh_firmwarebp-70m45_firmwaremx-m354nmx-6050nmx-6500n_firmwaremx-4050vmx-m2630_a_firmwaremx-3050vmx-m315nv_firmwaremx-m753nbp-90c70_firmwaremx-c311_firmwaremx-5111n_firmwaremx-3571_firmwaremx-m1054_firmwaremx-c310mx-4070vmx-m754n_a_firmwaremx-m356n_firmwaremx-m265u_firmwaremx-m265nemx-m623u_firmwaremx-m2630_ae-studio908mx-2640nbp-30c25zmx-6240nmx-c401mx-m623n_firmwaremx-m3070_a_firmwaremx-m264n_firmwaremx-2010umx-3051_firmwaremx-6051mx-6070n_amx-b380p_firmwaremx-m3051mx-m5071s_firmwaremx-m4050mx-m2630_firmwarebp-b547wd_firmwaremx-m3070_amx-3071mx-m6051mx-m265nbp-50m55mx-m1055_firmwaremx-m354u_firmwarebp-70c65_firmwarebp-60c45mx-m1054mx-c382sc_firmwaremx-4140n_a_firmwaremx-6051_firmwarebp-50c36_firmwaremx-b456w_firmwaremx-5141n_abp-70c45bp-30m28mx-6071smx-4051_firmwaremx-m564n_firmwaremx-m315nemx-4141n_firmwaremx-4070v_a_firmwaremx-3100g_firmwaredx-2500n_firmwaredx-2000umx-b380pbp-50c65bp-50m50_firmwaremx-b356wmx-m503n_firmwaremx-b355wmx-5001n_firmwaremx-m314nvmx-m1204_firmwaremx-2314n_firmwaremx-5050nbp-70m55_firmwaremx-b381_firmwaremx-3550nmx-3070n_a_firmwaremx-3640nmx-2651mx-m2630mx-2010u_firmwarebp-70c45_firmwaremx-6070v_firmwaremx-4070nbp-30m35tmx-c400mx-5112n_firmwaremx-7040n_firmwarebp-60c45_firmwaremx-3550vmx-m3050_amx-5140nmx-b382sc_firmwaremx-c381b_firmwaremx-m6570_firmwaremx-b402p_firmwaremx-m283n_firmwaremx-b356w_firmwarebp-c533wr_firmwaredx-c381_firmwarebp-70m36mx-5141n_a_firmwaremx-5050v_firmwaremx-m564n_a_firmwaremx-6070vmx-m6570mx-c402scmx-3050n_a_firmwaremx-m315n_firmwaremx-m354nr_firmwaremx-3060n_firmwaremx-m5071sbp-50m50mx-m623nmx-m6071smx-6070nmx-m904_firmwarebp-50m36mx-3561smx-m315v_firmwaremx-3116ne-STUDIO 1208e-STUDIO 908e-STUDIO 1058Sharp Digital Full-color MFPs and Monochrome MFPs
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-10779
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.29% / 52.04%
||
7 Day CHG~0.00%
Published-06 Aug, 2019 | 12:50
Updated-06 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

cPanel before 60.0.25 allows stored XSS in api1_listautoresponders (SEC-179).

Action-Not Available
Vendor-n/acPanel (WebPros International, LLC)
Product-cpaneln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-36139
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.5||MEDIUM
EPSS-0.02% / 5.78%
||
7 Day CHG~0.00%
Published-18 Sep, 2025 | 15:13
Updated-25 Sep, 2025 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM watsonx.data cross-site scripting

IBM Lakehouse (watsonx.data 2.2) is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

Action-Not Available
Vendor-IBM Corporation
Product-watsonx.datawatsonx.data
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4755
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4||MEDIUM
EPSS-0.08% / 24.52%
||
7 Day CHG~0.00%
Published-21 Jun, 2024 | 06:00
Updated-01 Aug, 2024 | 20:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Google CSE <= 1.0.7 - Admin+ Stored XSS

The Google CSE WordPress plugin through 1.0.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Action-Not Available
Vendor-erikengUnknownerikeng
Product-google_cseGoogle CSEgoogle_cse
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-37185
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-5.5||MEDIUM
EPSS-0.06% / 18.98%
||
7 Day CHG~0.00%
Published-14 Jan, 2026 | 16:20
Updated-20 Jan, 2026 | 18:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated Stored Cross-Site Scripting Vulnerabilities (XSS) in EdgeConnect SD-WAN Orchestrator Web Administration Interface

Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attacks against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface and thereby make unauthorized arbitrary configuration changes to the host.

Action-Not Available
Vendor-Aruba NetworksHewlett Packard Enterprise (HPE)
Product-edgeconnect_sd-wan_orchestratorEdgeConnect SD-WAN Orchestrator
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-1817
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-3.5||LOW
EPSS-0.25% / 48.49%
||
7 Day CHG~0.00%
Published-23 May, 2022 | 11:30
Updated-15 Apr, 2025 | 14:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Badminton Center Management System Userlist Module cross site scripting

A vulnerability, which was classified as problematic, was found in Badminton Center Management System. This affects the userlist module at /bcms/admin/?page=user/list. The manipulation of the argument username with the input </td><img src="" onerror="alert(1)"><td>1 leads to an authenticated cross site scripting. Exploit details have been disclosed to the public.

Action-Not Available
Vendor-badminton_center_management_system_projectunspecified
Product-badminton_center_management_systemBadminton Center Management System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-28751
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.08% / 23.44%
||
7 Day CHG~0.00%
Published-23 Jun, 2023 | 12:26
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Wp Ultimate Review Plugin <= 2.0.3 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Wpmet Wp Ultimate Review plugin <= 2.0.3 versions.

Action-Not Available
Vendor-wpmetWpmet
Product-wp_ultimate_reviewWp Ultimate Review
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-10777
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.32% / 54.73%
||
7 Day CHG~0.00%
Published-06 Aug, 2019 | 12:49
Updated-06 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

cPanel before 60.0.25 allows self XSS in WHM Tweak Settings for autodiscover_host (SEC-177).

Action-Not Available
Vendor-n/acPanel (WebPros International, LLC)
Product-cpaneln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-1273
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.62% / 70.18%
||
7 Day CHG~0.00%
Published-11 Sep, 2019 | 21:25
Updated-04 Aug, 2024 | 18:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site-scripting (XSS) vulnerability exists when Active Directory Federation Services (ADFS) does not properly sanitize certain error messages, aka 'Active Directory Federation Services XSS Vulnerability'.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_server_2016windows_server_2019windows_10WindowsWindows ServerWindows 10 Version 1903 for x64-based SystemsWindows 10 Version 1903 for ARM64-based SystemsWindows 10 Version 1903 for 32-bit SystemsWindows Server, version 1903 (Server Core installation)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-26515
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.08% / 23.44%
||
7 Day CHG~0.00%
Published-16 Jun, 2023 | 10:41
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Simple Slug Translate Plugin <= 2.7.2 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Ko Takagi Simple Slug Translate plugin <= 2.7.2 versions.

Action-Not Available
Vendor-simple_slug_translate_projectKo Takagi
Product-simple_slug_translateSimple Slug Translate
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-48239
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.11% / 29.44%
||
7 Day CHG~0.00%
Published-25 Oct, 2024 | 00:00
Updated-17 Apr, 2025 | 18:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in WTCMS 1.0. In the plupload method in \AssetController.class.php, the app parameters aren't processed, resulting in Cross Site Scripting (XSS).

Action-Not Available
Vendor-wtcms_projectn/awtcms_project
Product-wtcmsn/awtcms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 174
  • 175
  • Next
Details not found