Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-1696

Summary
Assigner-arcinfo
Assigner Org ID-87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932
Published At-26 Feb, 2026 | 07:57
Updated At-26 Mar, 2026 | 08:23
Rejected At-
Credits

Missing security HTTP headers

Some HTTP security headers are not properly set by the web server when sending responses to the client application.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:arcinfo
Assigner Org ID:87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932
Published At:26 Feb, 2026 | 07:57
Updated At:26 Mar, 2026 | 08:23
Rejected At:
▼CVE Numbering Authority (CNA)
Missing security HTTP headers

Some HTTP security headers are not properly set by the web server when sending responses to the client application.

Affected Products
Vendor
arcinfo
Product
PcVue
Modules
  • WebVue
  • WebScheduler
  • TouchVue
  • SnapVue
  • Web services
Default Status
unaffected
Versions
Affected
  • From 16.0.0 through 16.3.3 (cpe)
  • From 15.0.0 through 15.2.13 (cpe)
  • 12.0.0 (cpe)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
4.02.3LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/AU:Y/R:U/RE:M/U:Clear
Version: 4.0
Base score: 2.3
Base severity: LOW
Vector:
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/AU:Y/R:U/RE:M/U:Clear
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Harden the configuration Who should apply this recommendation: All users To reduce the risk of exploitation, ARC Informatique strongly recommends implementing the following defensive measures: * Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from insecure networks. * Locate control system networks and remote devices behind firewalls and isolate them from business networks. * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices. Uninstall the Web Server Who should apply this recommendation: All users not using the affected component If your system does not require the use of the Web & Mobile features, you should make sure not to install them. If your system requires the use of the Web & Mobile features, they should be installed only on the Web Server. See the product help related to the installation for more information. Update IIS configuration – manually update HTTP headers Who should apply this recommendation: All users running affected components. As a quick mitigation for the unnecessary and missing HTTP headers, you can disable default headers and add secure HTTP headers for all requests. Those options can be set via the web.config file located on the IIS by following those steps: * Open the file C:\inetpub\<SV Website>\web.config * Add the following entries to the section customHeaders, which are the recommendations from the official OWASP site: <remove name="X-Powered-By" /> <add name="X-Frame-Options" value="DENY" /> <add name="X-XSS-Protection" value="0" /> <add name="X-Content-Type-Options" value="nosniff" /> <add name="X-DNS-Prefetch-Control" value="off" /> <add name="Cross-Origin-Opener-Policy" value="same-origin" /> <add name="Cross-Origin-Embedder-Policy" value="require-corp" /> <add name="Cross-Origin-Resource-Policy" value="same-site" /> <add name="Referrer-Policy" value="strict-origin-when-cross-origin" /> <add name="Strict-Transport-Security" value="max-age=63072000; includeSubDomains; preload" /> <add name="Permissions-Policy" value="geolocation=(), camera=(), microphone=()" /> Update the Web Deployment Console (WDC) and re deploy the Web Server Who should apply this recommendation: All users running affected components. Install a patched release of the Web Deployment Console (WDC) on the IIS Web server and use it to re-deploy the Web Site. Some settings might need to be updated if third-party web apps or services depend on the OAuth ROPC flow. In a patched release of the WDC, new settings are available for each authorized Client to enable or disable: * The Authorization Code flow * The Authorization Code flow with PKCE * The Resource Owner Password Credentials (ROPC) flow By default, all the OAuth flows are now disabled for third-party web apps and need to be manually enabled before deployment if required. To verify that the patch is applied correctly, you must check that: * The File version property of the file ./bin/Modules/WebDeployment/WebDeploymentConsole.exe matches the deployed release or later, and ensure that any earlier release is no longer used; * Web Sites have been redeployed; * OAuth flow are correctly set for each authorized Client. Available patches: Patch provided in: * PcVue 16.3.4 (16.3.4902.3112) * PcVue 15.2.14 (15.2.14900.37147)

Configurations

Workarounds

Exploits

No POC available.

Not known to be exploited

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.pcvue.com/security/#SB2026-2
vendor-advisory
Hyperlink: https://www.pcvue.com/security/#SB2026-2
Resource:
vendor-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932
Published At:26 Feb, 2026 | 08:16
Updated At:12 Mar, 2026 | 14:26

Some HTTP security headers are not properly set by the web server when sending responses to the client application.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.02.3LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:Clear
Primary3.16.1MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 4.0
Base score: 2.3
Base severity: LOW
Vector:
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:Clear
Type: Primary
Version: 3.1
Base score: 6.1
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CPE Matches

PcVue (ARC Informatique)
arcinformatique
>>pcvue>>Versions from 12.0.0(inclusive) to 15.2.13(inclusive)
cpe:2.3:a:arcinformatique:pcvue:*:*:*:*:*:*:*:*
PcVue (ARC Informatique)
arcinformatique
>>pcvue>>Versions from 16.0.0(inclusive) to 16.3.4(exclusive)
cpe:2.3:a:arcinformatique:pcvue:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-79Secondary87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932
CWE ID: CWE-79
Type: Secondary
Source: 87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://www.pcvue.com/security/#SB2026-287c8e6ad-f0f5-4ca8-89e2-89f26d6ed932
Vendor Advisory
Hyperlink: https://www.pcvue.com/security/#SB2026-2
Source: 87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

10535Records found

CVE-2026-1695
Matching Score-10
Assigner-ARC Informatique
ShareView Details
Matching Score-10
Assigner-ARC Informatique
CVSS Score-5.3||MEDIUM
EPSS-0.21% / 10.80%
||
7 Day CHG~0.00%
Published-26 Feb, 2026 | 07:57
Updated-26 Mar, 2026 | 08:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS vulnerability upon unsuccessful authentication

An XSS vulnerability affects the OAuth web services used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in version 12.0.0 through 16.3.3 included. It might allow a remote attacker to trick a legitimate user into loading content from another site upon unsuccessful user authentication on an unknown application (unknown client_id). This vulnerability only affects the error page of the OAuth server.

Action-Not Available
Vendor-arcinfoPcVue (ARC Informatique)
Product-pcvuePcVue
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-1692
Matching Score-8
Assigner-ARC Informatique
ShareView Details
Matching Score-8
Assigner-ARC Informatique
CVSS Score-5.3||MEDIUM
EPSS-0.11% / 1.60%
||
7 Day CHG~0.00%
Published-26 Feb, 2026 | 07:55
Updated-26 Mar, 2026 | 08:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing origin validation in GraphicalData web service requests

A missing origin validation in WebSockets vulnerability affects the GraphicalData web services used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in version 12.0.0 through 16.3.3 included. It might allow a remote attacker to lure a successfully authenticated user to a malicious website. This vulnerability only affects the following two endpoints: GraphicalData/js/signalR/connect and GraphicalData/js/signalR/reconnect.

Action-Not Available
Vendor-arcinfoPcVue (ARC Informatique)
Product-pcvuePcVue
CWE ID-CWE-1385
Missing Origin Validation in WebSockets
CVE-2026-1698
Matching Score-8
Assigner-ARC Informatique
ShareView Details
Matching Score-8
Assigner-ARC Informatique
CVSS Score-5.3||MEDIUM
EPSS-0.21% / 10.80%
||
7 Day CHG~0.00%
Published-26 Feb, 2026 | 07:58
Updated-26 Mar, 2026 | 08:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HTTP Host header vulnerability in WebClient and WebScheduler web apps

A HTTP Host header attack vulnerability affects WebClient and the WebScheduler web apps of PcVue in version 15.0.0 through 16.3.3 included, allowing a remote attacker to inject harmful payloads that manipulate server-side behavior. This vulnerability only affects the endpoints /Authentication/ExternalLogin, /Authentication/AuthorizationCodeCallback and /Authentication/Logout of the WebClient and WebScheduler web apps.

Action-Not Available
Vendor-arcinfoPcVue (ARC Informatique)
Product-pcvuePcVue
CWE ID-CWE-644
Improper Neutralization of HTTP Headers for Scripting Syntax
CVE-2026-1694
Matching Score-8
Assigner-ARC Informatique
ShareView Details
Matching Score-8
Assigner-ARC Informatique
CVSS Score-2.3||LOW
EPSS-0.17% / 6.46%
||
7 Day CHG~0.00%
Published-26 Feb, 2026 | 07:56
Updated-26 Mar, 2026 | 08:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Server configuration details in HTTP headers

HTTP headers are added by the default configuration of IIS and ASP.net, and are not removed at the deployment phase of the webservices used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in version 12.0.0 through 16.3.3 included. It unnecessarily exposes sensitive information about the server configuration.

Action-Not Available
Vendor-arcinfoPcVue (ARC Informatique)
Product-pcvuePcVue
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2016-10875
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.92% / 56.02%
||
7 Day CHG~0.00%
Published-12 Aug, 2019 | 14:54
Updated-06 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The wp-database-backup plugin before 4.3.1 for WordPress has XSS.

Action-Not Available
Vendor-wpseedsn/a
Product-wp_database_backupn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-4476
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.42% / 33.81%
||
7 Day CHG~0.00%
Published-25 Sep, 2023 | 15:56
Updated-23 Apr, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Locatoraid Store Locator < 3.9.24 - Reflected XSS

The Locatoraid Store Locator WordPress plugin before 3.9.24 does not sanitise and escape the lpr-search parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Action-Not Available
Vendor-plainwareUnknown
Product-locatoraidLocatoraid Store Locator
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-20528
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.91% / 55.46%
||
7 Day CHG~0.00%
Published-18 Mar, 2020 | 18:36
Updated-05 Aug, 2024 | 02:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp username parameter.

Action-Not Available
Vendor-igniterealtimen/a
Product-openfiren/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-20152
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.67% / 47.38%
||
7 Day CHG~0.00%
Published-20 Aug, 2020 | 12:37
Updated-05 Aug, 2024 | 02:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XSS issue was discovered in TreasuryXpress 19191105. Due to the lack of filtering and sanitization of user input, malicious JavaScript can be executed throughout the application. A malicious payload can be injected within the Custom Workflow component and inserted via the Create New Workflow field. As a result, the payload is executed via the navigation bar throughout the application.

Action-Not Available
Vendor-treasuryxpressn/a
Product-treasuryxpressn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-10975
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.96% / 57.08%
||
7 Day CHG~0.00%
Published-17 Sep, 2019 | 14:03
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The fluid-responsive-slideshow plugin before 2.2.7 for WordPress has reflected XSS via the skin parameter.

Action-Not Available
Vendor-tonjoostudion/a
Product-fluid-responsive-slideshown/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-10998
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.94% / 56.66%
||
7 Day CHG~0.00%
Published-20 Sep, 2019 | 14:29
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The ocim-mp3 plugin through 2016-03-07 for WordPress has wp-content/plugins/ocim-mp3/source/pages.php?id= XSS.

Action-Not Available
Vendor-ocimscriptsn/a
Product-ocim-mp3n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-4493
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-6.1||MEDIUM
EPSS-0.40% / 32.23%
||
7 Day CHG~0.00%
Published-04 Oct, 2023 | 12:24
Updated-05 Sep, 2024 | 18:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Easy Address Book Web Server Stored XSS vulnerability

Stored Cross-Site Scripting in Easy Address Book Web Server 1.6 version, through the users_admin.ghp file that affects multiple parameters such as (firstname, homephone, lastname, lastname, middlename, workaddress, workcity, workcountry, workphone, workstate, workzip). This vulnerability allows a remote attacker to store a malicious JavaScript payload in the application to be executed when the page is loaded, resulting in an integrity impact.

Action-Not Available
Vendor-easy_address_book_web_server_projectEFS Software
Product-easy_address_book_web_serverEasy Address Book Web Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-10941
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.23% / 65.15%
||
7 Day CHG~0.00%
Published-13 Sep, 2019 | 11:52
Updated-06 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The podlove-podcasting-plugin-for-wordpress plugin before 2.3.16 for WordPress has XSS exploitable via CSRF.

Action-Not Available
Vendor-podloven/a
Product-podlove_podcast_publishern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-44753
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.25% / 16.36%
||
7 Day CHG~0.00%
Published-22 Apr, 2025 | 00:00
Updated-24 Apr, 2025 | 14:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A stored cross-site scripting (XSS) vulnerability fin Student Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the email parameter on the profile.php page.

Action-Not Available
Vendor-n/amayuri_k
Product-online_student_management_systemn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-44089
Matching Score-4
Assigner-Pandora FMS
ShareView Details
Matching Score-4
Assigner-Pandora FMS
CVSS Score-6.1||MEDIUM
EPSS-0.25% / 16.38%
||
7 Day CHG~0.00%
Published-29 Dec, 2023 | 11:50
Updated-17 Sep, 2024 | 13:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS in Visual Console

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). It was possible to execute malicious JS code on Visual Consoles. This issue affects Pandora FMS: from 700 through 774.

Action-Not Available
Vendor-Pandora FMS S.L.U.
Product-pandora_fmsPandora FMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-10961
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.02% / 59.16%
||
7 Day CHG~0.00%
Published-16 Sep, 2019 | 12:23
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The colorway theme before 3.4.2 for WordPress has XSS via the contactName parameter.

Action-Not Available
Vendor-inkthemesn/a
Product-colorwayn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-10878
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.98% / 57.84%
||
7 Day CHG~0.00%
Published-12 Aug, 2019 | 14:52
Updated-07 May, 2025 | 13:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The wp-google-map-plugin plugin before 3.1.2 for WordPress has XSS.

Action-Not Available
Vendor-wepluginsn/a
Product-wp_mapsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-10979
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.90% / 55.39%
||
7 Day CHG~0.00%
Published-17 Sep, 2019 | 14:09
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The fossura-tag-miner plugin before 1.1.5 for WordPress has XSS.

Action-Not Available
Vendor-fossuran/a
Product-tag_minern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-20803
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.81% / 76.03%
||
7 Day CHG~0.00%
Published-21 May, 2020 | 21:51
Updated-05 Aug, 2024 | 02:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Gila CMS before 1.11.6 has reflected XSS via the admin/content/postcategory id parameter, which is mishandled for g_preview_theme.

Action-Not Available
Vendor-gilacmsn/a
Product-gila_cmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-10976
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.51% / 71.25%
||
7 Day CHG~0.00%
Published-17 Sep, 2019 | 14:05
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The safe-editor plugin before 1.2 for WordPress has no se_save authentication, with resultant XSS.

Action-Not Available
Vendor-kodebyraaetn/a
Product-safe_editorn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-20222
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.67% / 47.38%
||
7 Day CHG~0.00%
Published-02 Jan, 2020 | 04:30
Updated-05 Aug, 2024 | 02:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Support Incident Tracker (SiT!) 3.67, the Short Application Name and Application Name inputs in the config.php page are affected by XSS.

Action-Not Available
Vendor-sitrackern/a
Product-support_incident_trackern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-10963
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.90% / 55.39%
||
7 Day CHG~0.00%
Published-16 Sep, 2019 | 12:26
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The icegram plugin before 1.9.19 for WordPress has XSS.

Action-Not Available
Vendor-icegramn/a
Product-icegram_engagen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-42975
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.23% / 14.17%
||
7 Day CHG~0.00%
Published-12 Aug, 2025 | 02:10
Updated-13 Aug, 2025 | 20:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Multiple vulnerabilities in SAP NetWeaver Application Server ABAP (BIC Document)

SAP NetWeaver Application Server ABAP (BIC Document) allows an unauthenticated attacker to craft a URL link which, when accessed on the BIC Document application, embeds a malicious script. When a victim clicks on this link, the script executes in the victim's browser, allowing the attacker to access and/or modify information related to the web client without affecting availability.

Action-Not Available
Vendor-SAP SE
Product-SAP NetWeaver Application Server ABAP (BIC Document)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-20921
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.74% / 74.94%
||
7 Day CHG~0.00%
Published-30 Sep, 2020 | 12:30
Updated-25 Nov, 2024 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

bootstrap-select before 1.13.6 allows Cross-Site Scripting (XSS). It does not escape title values in OPTION elements. This may allow attackers to execute arbitrary JavaScript in a victim's browser.

Action-Not Available
Vendor-snapappointmentsn/a
Product-bootstrap-selectn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-20211
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-2.58% / 83.33%
||
7 Day CHG~0.00%
Published-13 Jan, 2020 | 17:39
Updated-05 Aug, 2024 | 02:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Persistent XSS via Listing Address, Listing Latitude, Listing Longitude, Email Address, Description, Name, Job or Position, Description, Service Name, Address, Latitude, Longitude, Phone Number, or Website.

Action-Not Available
Vendor-cththemesn/a
Product-easybooktownhubcitybookn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-10984
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.36% / 68.43%
||
7 Day CHG~0.00%
Published-17 Sep, 2019 | 14:22
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The echosign plugin before 1.2 for WordPress has XSS via the inc.php page parameter.

Action-Not Available
Vendor-smackcodersn/a
Product-echo_signn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-44012
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.26% / 65.97%
||
7 Day CHG~0.00%
Published-02 Oct, 2023 | 00:00
Updated-23 Sep, 2024 | 17:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Scripting vulnerability in mojoPortal v.2.7.0.0 allows a remote attacker to execute arbitrary code via the helpkey parameter in the Help.aspx component.

Action-Not Available
Vendor-mojoportaln/a
Product-mojoportaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-10969
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.05% / 59.99%
||
7 Day CHG~0.00%
Published-16 Sep, 2019 | 12:37
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The supportflow plugin before 0.7 for WordPress has XSS via a discussion ticket title.

Action-Not Available
Vendor-supportflow_projectn/a
Product-supportflown/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-10999
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.94% / 56.65%
||
7 Day CHG~0.00%
Published-20 Sep, 2019 | 14:31
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Goodnews theme through 2016-02-28 for WordPress has XSS via the s parameter.

Action-Not Available
Vendor-momizatn/a
Product-goodnewsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-43906
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.37% / 28.94%
||
7 Day CHG~0.00%
Published-25 Oct, 2023 | 00:00
Updated-11 Sep, 2024 | 19:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Xolo CMS v0.11 was discovered to contain a reflected cross-site scripting (XSS) vulnerability.

Action-Not Available
Vendor-onworksn/a
Product-xolo_cmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-41079
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-5.1||MEDIUM
EPSS-0.16% / 5.66%
||
7 Day CHG~0.00%
Published-04 Dec, 2025 | 11:48
Updated-05 Dec, 2025 | 23:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Multiple vulnerabilities in Seafile

A stored Cross-Site Scripting (XSS) vulnerability has been found in Seafile v12.0.10. This vulnerability allows an attacker to execute arbitrary code in the victim's browser by storing malicious payloads with PUT parámetro 'name' in '/api/v2.1/user/'.

Action-Not Available
Vendor-seafileSeafile
Product-seafileSeafile
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-10967
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.02% / 59.17%
||
7 Day CHG~0.00%
Published-16 Sep, 2019 | 12:34
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The real3d-flipbook-lite plugin 1.0 for WordPress has XSS via the wp-content/plugins/real3d-flipbook/includes/flipbooks.php bookId parameter.

Action-Not Available
Vendor-creativeinteractivemedian/a
Product-real3d_flipbookn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-10872
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.05% / 59.99%
||
7 Day CHG~0.00%
Published-12 Aug, 2019 | 15:24
Updated-06 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The ultimate-member plugin before 1.3.40 for WordPress has XSS on the login form.

Action-Not Available
Vendor-n/aUltimate Member Group Ltd
Product-ultimate_membern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-1872
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-6.1||MEDIUM
EPSS-6.35% / 92.80%
||
7 Day CHG~0.00%
Published-12 Jun, 2012 | 22:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Microsoft Internet Explorer 6 through 9 allows remote attackers to inject arbitrary web script or HTML via crafted character sequences with EUC-JP encoding, aka "EUC-JP Character Encoding Vulnerability."

Action-Not Available
Vendor-n/aMicrosoft Corporation
Product-internet_explorerwindows_vistawindows_7windows_xpn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-45070
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.1||HIGH
EPSS-0.35% / 27.47%
||
7 Day CHG~0.00%
Published-18 Oct, 2023 | 12:34
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Form Maker by 10Web Plugin <= 1.15.18 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in 10Web Form Builder Team Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin <= 1.15.18 versions.

Action-Not Available
Vendor-10Web (TenWeb, Inc.)
Product-form_makerForm Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-20511
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.7||MEDIUM
EPSS-0.68% / 47.66%
||
7 Day CHG~0.00%
Published-18 Mar, 2020 | 17:41
Updated-05 Aug, 2024 | 02:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ERPNext 11.1.47 allows blog?blog_category= Frame Injection.

Action-Not Available
Vendor-frappen/a
Product-erpnextn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-20363
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.41% / 69.40%
||
7 Day CHG~0.00%
Published-08 Jan, 2020 | 16:27
Updated-05 Aug, 2024 | 02:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via alias to Manage Store Contents.

Action-Not Available
Vendor-igniterealtimen/a
Product-openfiren/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-10957
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.02% / 59.17%
||
7 Day CHG~0.00%
Published-16 Sep, 2019 | 12:06
Updated-06 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Akal theme through 2016-08-22 for WordPress has XSS via the framework/brad-shortcodes/tinymce/preview.php sc parameter.

Action-Not Available
Vendor-akal_projectn/a
Product-akaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-11082
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.69% / 48.05%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 19:29
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 2.2.0. It allows XSS via a crafted link.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-44245
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.1||HIGH
EPSS-0.35% / 27.09%
||
7 Day CHG~0.00%
Published-02 Oct, 2023 | 09:58
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Contractor Contact Form Website to Workflow Tool Plugin <= 4.0.0 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Leap Contractor Contact Form Website to Workflow Tool plugin <= 4.0.0 versions.

Action-Not Available
Vendor-leaptodigitalLeap
Product-contact_form_website_to_workflow_toolContractor Contact Form Website to Workflow Tool
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-1224
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-6.1||MEDIUM
EPSS-1.59% / 72.65%
||
7 Day CHG~0.00%
Published-19 Jun, 2016 | 01:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CRLF injection vulnerability in Trend Micro Worry-Free Business Security Service 5.x and Worry-Free Business Security 9.0 allows remote attackers to inject arbitrary HTTP headers and conduct cross-site scripting (XSS) attacks via unspecified vectors.

Action-Not Available
Vendor-n/aTrend Micro Incorporated
Product-worry-free_business_security_servicesworry-free_business_securityn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-10981
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.96% / 57.08%
||
7 Day CHG~0.00%
Published-17 Sep, 2019 | 14:15
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The kento-post-view-counter plugin through 2.8 for WordPress has stored XSS via kento_pvc_numbers_lang, kento_pvc_today_text, or kento_pvc_total_text.

Action-Not Available
Vendor-kentothemesn/a
Product-kento-post-view-countern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-10952
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.39% / 69.02%
||
7 Day CHG~0.00%
Published-13 Sep, 2019 | 12:13
Updated-06 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The quotes-collection plugin before 2.0.6 for WordPress has XSS via the wp-admin/admin.php?page=quotes-collection page parameter.

Action-Not Available
Vendor-quotes_collection_projectn/a
Product-quotes_collectionn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-24303
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.97% / 77.93%
||
7 Day CHG+0.14%
Published-28 Oct, 2020 | 13:25
Updated-04 Aug, 2024 | 15:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.

Action-Not Available
Vendor-n/aGrafana Labs
Product-grafanan/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-10973
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.97% / 77.99%
||
7 Day CHG~0.00%
Published-16 Sep, 2019 | 16:41
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Brafton plugin before 3.4.8 for WordPress has XSS via the wp-admin/admin.php?page=BraftonArticleLoader tab parameter to BraftonAdminPage.php.

Action-Not Available
Vendor-braftonn/a
Product-braftonn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-25033
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.98% / 57.80%
||
7 Day CHG~0.00%
Published-31 Aug, 2020 | 04:06
Updated-04 Aug, 2024 | 15:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Blubrry subscribe-sidebar (aka Subscribe Sidebar) plugin 1.3.1 for WordPress allows subscribe_sidebar.php&status= reflected XSS.

Action-Not Available
Vendor-blubrryn/a
Product-subscribe_sidebarn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-10893
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.52% / 71.57%
||
7 Day CHG+0.20%
Published-20 Aug, 2019 | 00:00
Updated-06 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The crayon-syntax-highlighter plugin before 2.8.4 for WordPress has multiple XSS issues via AJAX requests.

Action-Not Available
Vendor-crayon_syntax_highlighter_projectn/a
Product-crayon_syntax_highlightern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-11001
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.18% / 63.78%
||
7 Day CHG~0.00%
Published-20 Sep, 2019 | 14:35
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The user-submitted-posts plugin before 20160215 for WordPress has XSS via the user-submitted-content field.

Action-Not Available
Vendor-plugin-planetn/a
Product-user_submitted_postsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-11073
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.69% / 48.05%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 19:26
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a Legal or Support setting.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-11079
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.69% / 48.05%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 19:28
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a redirect URL.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-1113
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-6.1||MEDIUM
EPSS-3.06% / 85.97%
||
7 Day CHG~0.00%
Published-11 May, 2016 | 01:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 10 before Update 19, 11 before Update 8, and 2016 before Update 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-n/aAdobe Inc.
Product-coldfusionn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 210
  • 211
  • Next
Details not found