Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-4770

Summary
Assigner-TR-CERT
Assigner Org ID-ca940d4e-fea4-4aa2-9a58-591a58b1ce21
Published At-02 Jul, 2026 | 12:37
Updated At-02 Jul, 2026 | 13:15
Rejected At-
Credits

DOM-Based XSS in TR7's WAF-ASP

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in TR7 Cyber ​​Defense Inc. Web Application Firewall allows DOM-Based XSS. This issue affects Web Application Firewall: from v1.0.42.239 before v1.4.0.117.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:TR-CERT
Assigner Org ID:ca940d4e-fea4-4aa2-9a58-591a58b1ce21
Published At:02 Jul, 2026 | 12:37
Updated At:02 Jul, 2026 | 13:15
Rejected At:
▼CVE Numbering Authority (CNA)
DOM-Based XSS in TR7's WAF-ASP

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in TR7 Cyber ​​Defense Inc. Web Application Firewall allows DOM-Based XSS. This issue affects Web Application Firewall: from v1.0.42.239 before v1.4.0.117.

Affected Products
Vendor
TR7 Cyber ​​Defense Inc.
Product
WAF-ASP
Default Status
unaffected
Versions
Affected
  • From v1.0.42.239 before v1.4.0.117 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')
Metrics
VersionBase scoreBase severityVector
3.14.6MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Version: 3.1
Base score: 4.6
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-588CAPEC-588 DOM-Based XSS
CAPEC ID: CAPEC-588
Description: CAPEC-588 DOM-Based XSS
Solutions

Configurations

Workarounds

Exploits

Credits

finder
Serhat YAPICI
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0487
government-resource
Hyperlink: https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0487
Resource:
government-resource
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:iletisim@usom.gov.tr
Published At:02 Jul, 2026 | 13:16
Updated At:02 Jul, 2026 | 15:13

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in TR7 Cyber ​​Defense Inc. Web Application Firewall allows DOM-Based XSS. This issue affects Web Application Firewall: from v1.0.42.239 before v1.4.0.117.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.14.6MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
N/A
Type: Secondary
Version: 3.1
Base score: 4.6
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-79Secondaryiletisim@usom.gov.tr
CWE ID: CWE-79
Type: Secondary
Source: iletisim@usom.gov.tr
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0487iletisim@usom.gov.tr
N/A
Hyperlink: https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0487
Source: iletisim@usom.gov.tr
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

244Records found

CVE-2015-9426
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.6||MEDIUM
EPSS-1.04% / 59.93%
||
7 Day CHG~0.00%
Published-26 Sep, 2019 | 00:44
Updated-06 Aug, 2024 | 08:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The manual-image-crop plugin before 1.11 for WordPress has CSRF with resultant XSS via the wp-admin/admin-ajax.php?action=mic_editor_window postId parameter.

Action-Not Available
Vendor-manual_image_crop_projectn/a
Product-manual_image_cropn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-25873
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-4.6||MEDIUM
EPSS-0.66% / 47.04%
||
7 Day CHG+0.02%
Published-18 Sep, 2022 | 14:55
Updated-17 Sep, 2024 | 03:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS)

The package vuetify from 2.0.0-beta.4 and before 2.6.10 are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization in the 'eventName' function within the VCalendar component.

Action-Not Available
Vendor-vuetifyjsn/a
Product-vuetifyvuetify
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-47638
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-4.6||MEDIUM
EPSS-0.51% / 39.43%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 17:05
Updated-01 Jul, 2026 | 20:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft SharePoint Server Spoofing Vulnerability

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-sharepoint_serverMicrosoft SharePoint Server Subscription EditionMicrosoft SharePoint Enterprise Server 2016Microsoft SharePoint Server 2019
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-47640
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-4.6||MEDIUM
EPSS-0.51% / 39.43%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 17:05
Updated-01 Jul, 2026 | 20:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft SharePoint Server Spoofing Vulnerability

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-sharepoint_serverMicrosoft SharePoint Server Subscription EditionMicrosoft SharePoint Enterprise Server 2016Microsoft SharePoint Server 2019
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-48562
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-4.6||MEDIUM
EPSS-0.51% / 39.43%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 17:05
Updated-01 Jul, 2026 | 20:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft SharePoint Server Spoofing Vulnerability

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-Microsoft SharePoint Server Subscription EditionMicrosoft SharePoint Enterprise Server 2016Microsoft SharePoint Server 2019
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-47637
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-4.6||MEDIUM
EPSS-0.51% / 39.43%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 17:05
Updated-01 Jul, 2026 | 20:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft SharePoint Server Spoofing Vulnerability

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-sharepoint_serverMicrosoft SharePoint Server Subscription EditionMicrosoft SharePoint Enterprise Server 2016Microsoft SharePoint Server 2019
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-7429
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-2.1||LOW
EPSS-0.17% / 6.09%
||
7 Day CHG~0.00%
Published-30 Apr, 2026 | 19:45
Updated-04 May, 2026 | 21:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SSCMS v7.4.0 Reflected Cross-Site Scripting via STL Processing

SSCMS v7.4.0 contains a reflected cross-site scripting vulnerability in the STL processing endpoint that allows attackers to execute arbitrary JavaScript by crafting malicious STL template payloads that are decrypted and returned without proper sanitization. Attackers can exploit improper output encoding in the /api/stl/actions/dynamic endpoint to inject executable JavaScript into JSON responses, leading to session hijacking, phishing attacks, and unauthorized actions performed on behalf of users.

Action-Not Available
Vendor-siteserver
Product-SSCMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-46609
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.14% / 3.39%
||
7 Day CHG~0.00%
Published-10 Jun, 2026 | 15:59
Updated-12 Jun, 2026 | 19:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Umbraco.Cms: XSS/HTML Injection in Umbraco Backoffice confirmation dialog

Umbraco is an ASP.NET CMS. From version 14.0.0 to before version 17.4.0, authenticated users are able to inject HTML into an input field, which is rendered in the confirmation dialog without proper output encoding. This issue has been patched in version 17.4.0.

Action-Not Available
Vendor-Umbraco A/S (Umbraco)
Product-umbraco_cmsUmbraco-CMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-45462
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-4.6||MEDIUM
EPSS-0.51% / 39.43%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 17:05
Updated-01 Jul, 2026 | 20:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft SharePoint Server Spoofing Vulnerability

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-Microsoft SharePoint Server Subscription EditionMicrosoft SharePoint Enterprise Server 2016Microsoft SharePoint Server 2019
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-45483
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-4.6||MEDIUM
EPSS-0.51% / 39.43%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 17:04
Updated-01 Jul, 2026 | 20:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft Office Project Server Spoofing Vulnerability

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office Project Server allows an authorized attacker to perform spoofing over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-sharepoint_serverMicrosoft SharePoint Server Subscription EditionMicrosoft SharePoint Enterprise Server 2016Microsoft SharePoint Server 2019
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-45479
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-4.6||MEDIUM
EPSS-0.51% / 39.43%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 17:04
Updated-01 Jul, 2026 | 20:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft SharePoint Server Spoofing Vulnerability

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-sharepoint_serverMicrosoft SharePoint Server Subscription EditionMicrosoft SharePoint Enterprise Server 2016Microsoft SharePoint Server 2019
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-45468
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-4.6||MEDIUM
EPSS-0.51% / 39.43%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 17:04
Updated-01 Jul, 2026 | 20:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft SharePoint Server Spoofing Vulnerability

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-sharepoint_serverMicrosoft SharePoint Server Subscription EditionMicrosoft SharePoint Enterprise Server 2016Microsoft SharePoint Server 2019
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-45106
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.21% / 10.96%
||
7 Day CHG~0.00%
Published-10 Jun, 2026 | 19:56
Updated-11 Jun, 2026 | 14:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Weblate: Stored HTML injection in editor search preview

Weblate is a web based localization tool. Prior to version 2026.5, Weblate's live search preview renders unit source and context as HTML without escaping. Any contributor whose content reaches those fields stores HTML and CSS that runs inside the authenticated editor of every user who runs a matching search. This issue has been patched in version 2026.5.

Action-Not Available
Vendor-WeblateOrg
Product-weblate
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-43057
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.6||MEDIUM
EPSS-0.41% / 33.40%
||
7 Day CHG~0.00%
Published-11 Nov, 2023 | 15:31
Updated-03 Sep, 2024 | 15:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM QRadar SIEM cross-site scripting

IBM QRadar SIEM 7.5.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 267484.

Action-Not Available
Vendor-IBM Corporation
Product-qradar_security_information_and_event_managerIBM QRadar SIEM
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-32426
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.20% / 9.82%
||
7 Day CHG+0.02%
Published-11 Apr, 2025 | 13:42
Updated-29 Sep, 2025 | 14:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Formie has a XSS vulnerability for email notification content for preview

Formie is a Craft CMS plugin for creating forms. Prior to version 2.1.44, it is possible to inject malicious code into the HTML content of an email notification, which is then rendered on the preview. There is no issue when rendering the email via normal means (a delivered email). This would require access to the form's email notification settings. This has been fixed in Formie 2.1.44.

Action-Not Available
Vendor-verbbverbb
Product-formieformie
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-32391
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.4||MEDIUM
EPSS-0.28% / 19.75%
||
7 Day CHG+0.02%
Published-10 Apr, 2025 | 13:11
Updated-17 Sep, 2025 | 18:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HedgeDoc allows XSS possibility through malicious SVG uploads

HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to 1.10.3, a malicious SVG file uploaded to HedgeDoc results in the possibility of XSS when opened in a new tab instead of the editor itself. The XSS is possible by exploiting the JSONP capabilities of GitHub Gist embeddings. Only instances with the local filesystem upload backend or special configurations, where the uploads are served from the same domain as HedgeDoc, are vulnerable. This vulnerability is fixed in 1.10.3. When upgrading to HedgeDoc 1.10.3 is not possible, instance owners could add the following headers for all routes under /uploads as a first-countermeasure: Content-Disposition: attachment and Content-Security-Policy: default-src 'none'. Additionally, the external URLs in the script-src attribute of the Content-Security-Policy header should be removed.

Action-Not Available
Vendor-hedgedochedgedoc
Product-hedgedochedgedoc
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-31286
Matching Score-4
Assigner-Trend Micro, Inc.
ShareView Details
Matching Score-4
Assigner-Trend Micro, Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.38% / 30.38%
||
7 Day CHG~0.00%
Published-02 Apr, 2025 | 16:39
Updated-02 Sep, 2025 | 18:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An HTML injection vulnerability previously discovered in Trend Vision One could have allowed a malicious user to execute arbitrary code. Please note: this issue has already been addressed on the backend service and is no longer considered an active vulnerability.

Action-Not Available
Vendor-Trend Micro Incorporated
Product-trend_vision_oneTrend Vision One
CWE ID-CWE-269
Improper Privilege Management
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-31140
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-4.6||MEDIUM
EPSS-26.62% / 97.77%
||
7 Day CHG+9.77%
Published-27 Mar, 2025 | 11:24
Updated-27 Mar, 2025 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains TeamCity before 2025.03 stored XSS was possible on Cloud Profiles page

Action-Not Available
Vendor-JetBrains s.r.o.
Product-TeamCity
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-42857
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.21% / 11.29%
||
7 Day CHG~0.00%
Published-11 May, 2026 | 17:32
Updated-13 May, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open edX Platform: Stored CSS Injection in Email Notifications via Incomplete HTML Sanitization

Open edX Platform enables the authoring and delivery of online learning at any scale. The HTML sanitizer clean_thread_html_body() used for discussion notification emails fails to remove <style> tags from user-generated discussion post content. This content is rendered with Django's |safe template filter in email notification templates, allowing any enrolled student to inject arbitrary CSS into email notifications sent to other users. This enables email tracking (IP address disclosure), content spoofing, and phishing attacks. This vulnerability is fixed with commit cddc25cd791bb78f76833896e4778f668861df12.

Action-Not Available
Vendor-openedxopenedx
Product-openedxopenedx-platform
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-30149
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.4||MEDIUM
EPSS-0.30% / 21.60%
||
7 Day CHG+0.02%
Published-31 Mar, 2025 | 16:07
Updated-30 Apr, 2025 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenEMR Reflected XSS in AJAX Script

OpenEMR is a free and open source electronic health records and medical practice management application. OpenEMR allows reflected cross-site scripting (XSS) in the AJAX Script interface\super\layout_listitems_ajax.php via the target parameter. This vulnerability is fixed in 7.0.3.

Action-Not Available
Vendor-OpenEMR Foundation, Inc
Product-openemropenemr
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-29322
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.6||MEDIUM
EPSS-0.24% / 14.77%
||
7 Day CHG+0.02%
Published-26 Mar, 2025 | 00:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in ScriptCase before v1.0.003 - Build 3 allows attackers to execute arbitrary code via a crafted payload to the "Connection Name" in the New Connection and Rename Connection pages.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-27379
Matching Score-4
Assigner-4760f414-e1ae-4ff1-bdad-c7a9c3538b79
ShareView Details
Matching Score-4
Assigner-4760f414-e1ae-4ff1-bdad-c7a9c3538b79
CVSS Score-6.8||MEDIUM
EPSS-0.20% / 10.08%
||
7 Day CHG~0.00%
Published-22 Jan, 2026 | 01:17
Updated-26 Feb, 2026 | 21:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored Cross-Site Scripting in AES BOM Viewer

A stored cross-site scripting (XSS) vulnerability in the BOM Viewer in Altium AES 7.0.3 allows an authenticated attacker to inject arbitrary JavaScript into the Description field of a schematic, which is executed when the BOM Viewer renders the affected content.

Action-Not Available
Vendor-altiumAltium
Product-on-prem_enterprise_serverAES
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-26091
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.6||MEDIUM
EPSS-0.28% / 19.43%
||
7 Day CHG~0.00%
Published-04 Mar, 2025 | 00:00
Updated-21 May, 2025 | 15:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Cross Site Scripting (XSS) vulnerability exists in TeamPasswordManager v12.162.284 and before that could allow a remote attacker to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'name' parameter when creating a new password in the "My Passwords" page.

Action-Not Available
Vendor-teampasswordmanagern/a
Product-team_password_managern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-26493
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-4.6||MEDIUM
EPSS-0.35% / 26.86%
||
7 Day CHG~0.00%
Published-11 Feb, 2025 | 13:56
Updated-11 Feb, 2025 | 14:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains TeamCity before 2024.12.2 several DOM-based XSS were possible on the Code Inspection Report tab

Action-Not Available
Vendor-JetBrains s.r.o.
Product-TeamCity
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-24459
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-4.6||MEDIUM
EPSS-2.73% / 84.30%
||
7 Day CHG~0.00%
Published-21 Jan, 2025 | 17:23
Updated-30 Jan, 2025 | 21:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains TeamCity before 2024.12.1 reflected XSS was possible on the Vault Connection page

Action-Not Available
Vendor-JetBrains s.r.o.
Product-teamcityTeamCity
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-23200
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.6||MEDIUM
EPSS-30.85% / 98.03%
||
7 Day CHG~0.00%
Published-16 Jan, 2025 | 22:20
Updated-25 Mar, 2025 | 15:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS-LibreNMS-Misc Section in librenms

librenms is a community-based GPL-licensed network monitoring system. Affected versions are subject to a stored XSS on the parameter: `ajax_form.php` -> param: state. Librenms versions up to 24.10.1 allow remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. This issue has been addressed in release version 24.11.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-LibreNMS
Product-librenmslibrenms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-41249
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-4.6||MEDIUM
EPSS-53.13% / 98.85%
||
7 Day CHG~0.00%
Published-25 Aug, 2023 | 12:58
Updated-27 Sep, 2024 | 21:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains TeamCity before 2023.05.3 reflected XSS was possible during copying Build Step

Action-Not Available
Vendor-JetBrains s.r.o.
Product-teamcityTeamCity
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-45467
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-4.6||MEDIUM
EPSS-0.51% / 39.43%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 17:04
Updated-01 Jul, 2026 | 20:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft SharePoint Server Spoofing Vulnerability

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-sharepoint_serverMicrosoft SharePoint Server Subscription EditionMicrosoft SharePoint Enterprise Server 2016Microsoft SharePoint Server 2019
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-23199
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.6||MEDIUM
EPSS-1.22% / 65.02%
||
7 Day CHG~0.00%
Published-16 Jan, 2025 | 22:23
Updated-25 Mar, 2025 | 15:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS-LibreNMS-Ports in librenms

librenms is a community-based GPL-licensed network monitoring system. Affected versions are subject to a stored XSS on the parameter: `/ajax_form.php` -> param: descr. Librenms version up to 24.10.1 allow remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. This issue has been addressed in release version 24.11.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-LibreNMS
Product-librenmslibrenms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-22383
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.6||MEDIUM
EPSS-0.21% / 11.85%
||
7 Day CHG~0.00%
Published-04 Jan, 2025 | 00:00
Updated-20 May, 2025 | 20:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity input validation issue exists in the Commerce B2B application, affecting the Contact Us functionality. This allows visitors to send e-mail messages that could contain unfiltered HTML markup in specific scenarios.

Action-Not Available
Vendor-optimizelyn/a
Product-configured_commercen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-0743
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-4.6||MEDIUM
EPSS-1.34% / 67.91%
||
7 Day CHG~0.00%
Published-28 Feb, 2022 | 23:00
Updated-02 Aug, 2024 | 23:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - Stored in getgrav/grav

Cross-site Scripting (XSS) - Stored in GitHub repository getgrav/grav prior to 1.7.31.

Action-Not Available
Vendor-getgravgetgrav
Product-gravgetgrav/grav
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-24012
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.26% / 17.09%
||
7 Day CHG~0.00%
Published-21 Jan, 2025 | 15:32
Updated-20 Feb, 2025 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Umbraco Backoffice Components Have XSS/HTML Injection Vulnerability

Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2, authenticated users are able to exploit a cross-site scripting vulnerability when viewing certain localized backoffice components. Versions 14.3.2 and 15.1.2 contain a patch.

Action-Not Available
Vendor-Umbraco A/S (Umbraco)
Product-umbraco_cmsUmbraco-CMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-40170
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.54% / 41.52%
||
7 Day CHG~0.00%
Published-28 Aug, 2023 | 20:01
Updated-13 Feb, 2025 | 17:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
cross-site inclusion (XSSI) of files in jupyter-server

jupyter-server is the backend for Jupyter web applications. Improper cross-site credential checks on `/files/` URLs could allow exposure of certain file contents, or accessing files when opening untrusted files via "Open image in new tab". This issue has been addressed in commit `87a49272728` which has been included in release `2.7.2`. Users are advised to upgrade. Users unable to upgrade may use the lower performance `--ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHandler`, which implements the correct checks.

Action-Not Available
Vendor-jupyterjupyter-server
Product-jupyter_serverjupyter_server
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-306
Missing Authentication for Critical Function
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-40684
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.6||MEDIUM
EPSS-0.32% / 23.96%
||
7 Day CHG~0.00%
Published-04 Oct, 2023 | 13:38
Updated-19 Sep, 2024 | 14:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Content Navigator cross-site scripting

IBM Content Navigator 3.0.11, 3.0.13, and 3.0.14 with IBM Daeja ViewOne Virtual is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 264019.

Action-Not Available
Vendor-IBM Corporation
Product-content_navigatorContent Navigator
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1548
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.1||MEDIUM
EPSS-0.31% / 23.05%
||
7 Day CHG~0.00%
Published-21 Feb, 2025 | 17:00
Updated-04 Apr, 2025 | 16:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
iteachyou Dreamer CMS edit cross site scripting

A vulnerability was found in iteachyou Dreamer CMS 4.1.3. It has been declared as problematic. This vulnerability affects unknown code of the file /admin/archives/edit. The manipulation of the argument editorValue/answer/content leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-iteachyouiteachyou
Product-dreamer_cmsDreamer CMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2025-23198
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.35% / 26.85%
||
7 Day CHG~0.00%
Published-16 Jan, 2025 | 22:26
Updated-28 Apr, 2025 | 16:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored-XSS-LibreNMS-Display-Name in librenms

librenms is a community-based GPL-licensed network monitoring system. Affected versions are subject to a stored XSS on the parameters (Replace $DEVICE_ID with your specific $DEVICE_ID value):`/device/$DEVICE_ID/edit` -> param: display. Librenms versions up to 24.10.1 allow remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. This issue has been addressed in release version 24.11.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-LibreNMS
Product-librenmslibrenms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-39175
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-4.6||MEDIUM
EPSS-0.91% / 55.59%
||
7 Day CHG~0.00%
Published-25 Jul, 2023 | 14:45
Updated-15 Oct, 2024 | 18:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains TeamCity before 2023.05.2 reflected XSS via GitHub integration was possible

Action-Not Available
Vendor-JetBrains s.r.o.
Product-teamcityTeamCity
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-38063
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-4.6||MEDIUM
EPSS-0.90% / 55.26%
||
7 Day CHG~0.00%
Published-12 Jul, 2023 | 12:48
Updated-23 Oct, 2024 | 14:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains TeamCity before 2023.05.1 stored XSS while running custom builds was possible

Action-Not Available
Vendor-JetBrains s.r.o.
Product-teamcityTeamCity
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-38065
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-4.6||MEDIUM
EPSS-0.90% / 55.26%
||
7 Day CHG~0.00%
Published-12 Jul, 2023 | 12:48
Updated-22 Oct, 2024 | 18:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains TeamCity before 2023.05.1 stored XSS while viewing the build log was possible

Action-Not Available
Vendor-JetBrains s.r.o.
Product-teamcityTeamCity
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-38066
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-4.6||MEDIUM
EPSS-0.91% / 55.59%
||
7 Day CHG~0.00%
Published-12 Jul, 2023 | 12:48
Updated-21 Oct, 2024 | 21:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains TeamCity before 2023.05.1 reflected XSS via the Referer header was possible during artifact downloads

Action-Not Available
Vendor-JetBrains s.r.o.
Product-teamcityTeamCity
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-43080
Matching Score-4
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-4
Assigner-Fortinet, Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.36% / 27.67%
||
7 Day CHG~0.00%
Published-06 Sep, 2022 | 15:15
Updated-22 Oct, 2024 | 20:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiOS version 7.2.0, version 6.4.0 through 6.4.9, version 7.0.0 through 7.0.5 may allow an authenticated attacker to perform a stored cross site scripting (XSS) attack through the URI parameter via the Threat Feed IP address section of the Security Fabric External connectors.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiosFortinet FortiOS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-35015
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.22% / 12.57%
||
7 Day CHG~0.00%
Published-20 May, 2026 | 19:40
Updated-21 May, 2026 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open ISES Tickets < 3.44.2 Reflected XSS via do_unit_mail.php the_ticket Parameter

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in do_unit_mail.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the the_ticket GET parameter directly into a JavaScript variable assignment. Attackers can craft a malicious URL containing a JavaScript payload in the the_ticket parameter that executes in the victim's browser when the URL is visited.

Action-Not Available
Vendor-openises
Product-tickets
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-35008
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.22% / 12.57%
||
7 Day CHG~0.00%
Published-20 May, 2026 | 19:34
Updated-21 May, 2026 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open ISES Tickets < 3.44.2 Reflected XSS via single.php ticket_id Parameter

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in single.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into an HTML attribute. Attackers can craft a malicious URL containing a JavaScript payload in the id parameter that executes in the victim's browser when the URL is visited.

Action-Not Available
Vendor-openises
Product-tickets
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-35012
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.22% / 12.57%
||
7 Day CHG~0.00%
Published-20 May, 2026 | 19:38
Updated-21 May, 2026 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open ISES Tickets < 3.44.2 Reflected XSS via add_facnote.php ticket_id Parameter

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add_facnote.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into a hidden input field VALUE attribute. Attackers can craft a malicious URL containing a JavaScript payload in the ticket_id parameter that executes in the victim's browser when the URL is visited.

Action-Not Available
Vendor-openises
Product-tickets
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-20208
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.24% / 14.97%
||
7 Day CHG~0.00%
Published-05 Mar, 2025 | 16:50
Updated-25 Mar, 2025 | 12:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the web-based management interface of Cisco TelePresence Management Suite (TMS) could allow a low-privileged, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient input validation by the web-based management interface. An attacker could exploit this vulnerability by inserting malicious data in a specific data field in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-telepresence_management_suiteCisco TelePresence Management Suite (TMS)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-35394
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-4.6||MEDIUM
EPSS-0.93% / 56.14%
||
7 Day CHG~0.00%
Published-08 Aug, 2023 | 17:08
Updated-11 Feb, 2026 | 18:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Azure HDInsight Jupyter Notebook Spoofing Vulnerability

Azure HDInsight Jupyter Notebook Spoofing Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-azure_hdinsightAzure HDInsight
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-35905
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.6||MEDIUM
EPSS-0.32% / 23.96%
||
7 Day CHG~0.00%
Published-04 Oct, 2023 | 00:38
Updated-19 Sep, 2024 | 19:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM FileNet Content Manager cross-site scripting

IBM FileNet Content Manager 5.5.8, 5.5.10, and 5.5.11 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 259384.

Action-Not Available
Vendor-IBM Corporation
Product-filenet_content_managerFileNet Content Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-35016
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.22% / 12.57%
||
7 Day CHG~0.00%
Published-20 May, 2026 | 19:41
Updated-21 May, 2026 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open ISES Tickets < 3.44.2 Reflected XSS via search.php frm_query Parameter

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in search.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_query POST parameter directly into an HTML input field VALUE attribute. Attackers can craft a malicious request containing a JavaScript payload in the frm_query parameter that executes in the victim's browser when submitted.

Action-Not Available
Vendor-openises
Product-tickets
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-35009
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.22% / 12.57%
||
7 Day CHG~0.00%
Published-20 May, 2026 | 19:36
Updated-21 May, 2026 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open ISES Tickets < 3.44.2 Reflected XSS via add_note.php ticket_id Parameter

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add_note.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into a hidden input field VALUE attribute. Attackers can craft a malicious URL containing a JavaScript payload in the ticket_id parameter that executes in the victim's browser when the URL is visited.

Action-Not Available
Vendor-openises
Product-tickets
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-35014
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.23% / 13.59%
||
7 Day CHG~0.00%
Published-20 May, 2026 | 19:40
Updated-21 May, 2026 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open ISES Tickets < 3.44.2 Reflected XSS via routes_nm.php ticket_id Parameter

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in routes_nm.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into a hidden input field VALUE attribute. Attackers can craft a malicious URL containing a JavaScript payload in the ticket_id parameter that executes in the victim's browser when the URL is visited.

Action-Not Available
Vendor-openises
Product-tickets
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • Next
Details not found