Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-6956

Summary
Assigner-CERT-PL
Assigner Org ID-4bb8329e-dd38-46c1-aafb-9bf32bcb93c6
Published At-11 May, 2026 | 09:40
Updated At-11 May, 2026 | 12:40
Rejected At-
Credits

Reflected XSS in ATutor

ATutor is vulnerable to Reflected XSS in /install/install.php endpoint. An attacker can provide a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. Product is no longer actively supported. Maintainers of this project were notified early about this vulnerability, but did not respond with the details of the vulnerability or vulnerable version range. Only version 2.2.4 was tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:CERT-PL
Assigner Org ID:4bb8329e-dd38-46c1-aafb-9bf32bcb93c6
Published At:11 May, 2026 | 09:40
Updated At:11 May, 2026 | 12:40
Rejected At:
▼CVE Numbering Authority (CNA)
Reflected XSS in ATutor

ATutor is vulnerable to Reflected XSS in /install/install.php endpoint. An attacker can provide a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. Product is no longer actively supported. Maintainers of this project were notified early about this vulnerability, but did not respond with the details of the vulnerability or vulnerable version range. Only version 2.2.4 was tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.

Affected Products
Vendor
ATutor
Product
ATutor
Repo
https://github.com/atutor/ATutor
Default Status
unknown
Versions
Affected
  • 2.2.4 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
4.05.1MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Version: 4.0
Base score: 5.1
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-591CAPEC-591 Reflected XSS
CAPEC ID: CAPEC-591
Description: CAPEC-591 Reflected XSS
Solutions

Configurations

Workarounds

Exploits

Credits

finder
Michał Majchrowicz (AFINE)
finder
Marcin Wyczechowski (AFINE)
finder
Pawel Zdunek (AFINE)
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://cert.pl/en/posts/2026/05/CVE-2026-6909
third-party-advisory
https://atutor.github.io/
product
Hyperlink: https://cert.pl/en/posts/2026/05/CVE-2026-6909
Resource:
third-party-advisory
Hyperlink: https://atutor.github.io/
Resource:
product
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cvd@cert.pl
Published At:11 May, 2026 | 10:16
Updated At:12 May, 2026 | 14:15

ATutor is vulnerable to Reflected XSS in /install/install.php endpoint. An attacker can provide a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. Product is no longer actively supported. Maintainers of this project were notified early about this vulnerability, but did not respond with the details of the vulnerability or vulnerable version range. Only version 2.2.4 was tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.05.1MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 4.0
Base score: 5.1
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-79Primarycvd@cert.pl
CWE ID: CWE-79
Type: Primary
Source: cvd@cert.pl
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://atutor.github.io/cvd@cert.pl
N/A
https://cert.pl/en/posts/2026/05/CVE-2026-6909cvd@cert.pl
N/A
Hyperlink: https://atutor.github.io/
Source: cvd@cert.pl
Resource: N/A
Hyperlink: https://cert.pl/en/posts/2026/05/CVE-2026-6909
Source: cvd@cert.pl
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

278Records found

CVE-2026-6909
Matching Score-10
Assigner-CERT.PL
ShareView Details
Matching Score-10
Assigner-CERT.PL
CVSS Score-5.1||MEDIUM
EPSS-0.39% / 31.07%
||
7 Day CHG~0.00%
Published-11 May, 2026 | 09:40
Updated-12 May, 2026 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Reflected XSS in ATutor

ATutor is vulnerable to Reflected XSS in /install/upgrade.php endpoint. An attacker can provide a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. Product is no longer actively supported. Maintainers of this project were notified early about this vulnerability, but did not respond with the details of the vulnerability or vulnerable version range. Only version 2.2.4 was tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.

Action-Not Available
Vendor-ATutor
Product-ATutor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-50681
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.18% / 8.02%
||
7 Day CHG~0.00%
Published-18 Dec, 2025 | 19:53
Updated-30 Dec, 2025 | 14:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kentico Xperience <= 13.0.88 Rich Text Editor Reflected XSS

A reflected cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via administration input fields in the Rich text editor component. Attackers can exploit this vulnerability to execute arbitrary scripts in users' browsers.

Action-Not Available
Vendor-Kentico Software
Product-xperienceXperience
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-50959
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.21% / 10.99%
||
7 Day CHG~0.00%
Published-10 May, 2026 | 12:12
Updated-24 May, 2026 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Contact Form Builder 1.6.1 Cross-Site Scripting via code_generator.php

WordPress Contact Form Builder 1.6.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting the form_id parameter. Attackers can craft malicious URLs to code_generator.php with script payloads in the form_id parameter to execute arbitrary JavaScript in victim browsers.

Action-Not Available
Vendor-WpDevArt
Product-Contact Form Builder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-50958
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.20% / 10.47%
||
7 Day CHG~0.00%
Published-10 May, 2026 | 12:12
Updated-24 May, 2026 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Plugin Jetpack 9.1 Cross Site Scripting via grunion-form-view.php

WordPress Plugin Jetpack 9.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the post_id parameter. Attackers can craft URLs to the grunion-form-view.php endpoint with script payloads in the post_id parameter to execute arbitrary JavaScript in victim browsers.

Action-Not Available
Vendor-jetpack
Product-Jetpack
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-50970
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.17% / 6.90%
||
7 Day CHG~0.00%
Published-10 May, 2026 | 12:13
Updated-24 May, 2026 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Plugin AAWP 3.16 Reflected XSS via tab Parameter

WordPress Plugin AAWP 3.16 contains a reflected cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by manipulating the tab parameter. Attackers can craft URLs with XSS payloads in the tab parameter of the aawp-settings admin page to execute arbitrary JavaScript in the context of authenticated users.

Action-Not Available
Vendor-Getaawp
Product-WordPress Plugin AAWP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-50967
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.25% / 16.43%
||
7 Day CHG~0.00%
Published-10 May, 2026 | 12:12
Updated-24 May, 2026 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
uBidAuction 2.0.1 tickets manage Reflected XSS

uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the tickets/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.

Action-Not Available
Vendor-uBidAuction
Product-uBidAuction
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-50962
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.25% / 16.43%
||
7 Day CHG~0.00%
Published-10 May, 2026 | 12:12
Updated-24 May, 2026 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
uBidAuction 2.0.1 myOrders Reflected XSS

uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the orders/myOrders module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.

Action-Not Available
Vendor-uBidAuction
Product-uBidAuction
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-50968
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.25% / 16.44%
||
7 Day CHG~0.00%
Published-10 May, 2026 | 12:13
Updated-24 May, 2026 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
uBidAuction 2.0.1 auctions manage Reflected XSS

uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the auctions/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.

Action-Not Available
Vendor-uBidAuction
Product-uBidAuction
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-50963
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.25% / 15.85%
||
7 Day CHG~0.00%
Published-10 May, 2026 | 12:12
Updated-24 May, 2026 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
uBidAuction 2.0.1 myAuctions active Reflected XSS

uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the auctions/myAuctions/status/active module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.

Action-Not Available
Vendor-uBidAuction
Product-uBidAuction
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-50960
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.19% / 8.52%
||
7 Day CHG~0.00%
Published-10 May, 2026 | 12:12
Updated-26 May, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress International Sms Contact Form 7 Integration 1.2 XSS

WordPress International SMS for Contact Form 7 Integration version 1.2 contains a reflected cross-site scripting vulnerability in the page parameter of the admin settings interface. Attackers can inject malicious scripts through the page parameter in class-sms-log-display.php to execute arbitrary JavaScript in administrator browsers.

Action-Not Available
Vendor-Varun Sridharan
Product-International Sms For Contact Form
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-50957
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.24% / 15.51%
||
7 Day CHG~0.00%
Published-10 May, 2026 | 12:12
Updated-26 May, 2026 | 11:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Drupal avatar_uploader 7.x-1.0-beta8 Reflected XSS

Drupal avatar_uploader 7.x-1.0-beta8 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the file parameter. Attackers can craft URLs with script payloads in the file parameter of avatar_uploader.pages.inc to execute arbitrary JavaScript in victim browsers.

Action-Not Available
Vendor-avatar_uploader
Product-avatar_uploader
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-50891
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.24% / 15.48%
||
7 Day CHG~0.00%
Published-13 Jan, 2026 | 22:51
Updated-07 Apr, 2026 | 14:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Owlfiles File Manager 12.0.1 Cross-Site Scripting via HTTP Server

Owlfiles File Manager 12.0.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the path parameter in HTTP server endpoints. Attackers can craft URLs targeting the download and list endpoints with embedded script tags to execute arbitrary JavaScript in users' browsers.

Action-Not Available
Vendor-skyjosSkyjosApple Inc.
Product-visionosiphone_ostvosmacosowlfilesipadosOwlfiles File Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-50966
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.25% / 16.43%
||
7 Day CHG~0.00%
Published-10 May, 2026 | 12:12
Updated-24 May, 2026 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
uBidAuction 2.0.1 news manage Reflected XSS

uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the news/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.

Action-Not Available
Vendor-uBidAuction
Product-uBidAuction
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-50964
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.25% / 16.43%
||
7 Day CHG~0.00%
Published-10 May, 2026 | 12:12
Updated-24 May, 2026 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
uBidAuction 2.0.1 myAuctions loose Reflected XSS

uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the auctions/myAuctions/status/loose module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.

Action-Not Available
Vendor-uBidAuction
Product-uBidAuction
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-50896
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.33% / 24.58%
||
7 Day CHG~0.00%
Published-13 Jan, 2026 | 22:56
Updated-24 May, 2026 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Testa 3.5.1 Online Test Management System - Reflected Cross-Site Scripting (XSS)

Testa 3.5.1 contains a reflected cross-site scripting vulnerability in the login.php redirect parameter that allows attackers to inject malicious scripts. Attackers can craft a specially encoded payload in the redirect parameter to execute arbitrary JavaScript in victim's browser context.

Action-Not Available
Vendor-Testa
Product-Testa
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-50802
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.30% / 21.41%
||
7 Day CHG~0.00%
Published-30 Dec, 2025 | 22:42
Updated-24 May, 2026 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ETAP Safety Manager 1.0.0.32 Unauthenticated Reflected Cross-Site Scripting via Action Parameter

ETAP Safety Manager 1.0.0.32 contains a cross-site scripting vulnerability in the 'action' GET parameter that allows unauthenticated attackers to inject malicious HTML and JavaScript. Attackers can craft specially formed requests to execute arbitrary scripts in victim browser sessions, potentially stealing credentials or performing unauthorized actions.

Action-Not Available
Vendor-etaplightingETAP Lighting International NV
Product-etap_safety_managerETAP Safety Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-50965
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.25% / 16.43%
||
7 Day CHG~0.00%
Published-10 May, 2026 | 12:12
Updated-24 May, 2026 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
uBidAuction 2.0.1 posts manage Reflected XSS

uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the posts/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.

Action-Not Available
Vendor-uBidAuction
Product-uBidAuction
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-50969
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.25% / 16.44%
||
7 Day CHG~0.00%
Published-10 May, 2026 | 12:13
Updated-24 May, 2026 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
uBidAuction 2.0.1 mailingLog manage Reflected XSS

uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the backend/mailingLog/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.

Action-Not Available
Vendor-uBidAuction
Product-uBidAuction
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-50943
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.33% / 25.04%
||
7 Day CHG~0.00%
Published-10 May, 2026 | 12:12
Updated-27 May, 2026 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Moodle LMS 4.0 Cross-Site Scripting via course search.php

Moodle LMS 4.0 contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting payloads through the search parameter. Attackers can inject JavaScript code via the search field in course/search.php to execute arbitrary scripts in users' browsers and steal session cookies.

Action-Not Available
Vendor-Moodle Pty Ltd
Product-moodleMoodle LMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-20036
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.24% / 14.51%
||
7 Day CHG~0.00%
Published-15 Mar, 2026 | 18:34
Updated-24 May, 2026 | 01:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Wowza Streaming Engine 4.5.0 Multiple Cross-Site Scripting Vulnerabilities

Wowza Streaming Engine 4.5.0 contains multiple reflected cross-site scripting vulnerabilities in the enginemanager interface where input passed through various parameters is not properly sanitized before being returned to users. Attackers can inject malicious script code through parameters like appName, vhost, uiAppType, and wowzaCloudDestinationType in multiple endpoints to execute arbitrary HTML and JavaScript in a user's browser session.

Action-Not Available
Vendor-wowzaWowza Media Systems, LLC.
Product-streaming_engineWowza Streaming Engine
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-25420
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.40% / 31.93%
||
7 Day CHG~0.00%
Published-19 Feb, 2026 | 12:02
Updated-24 May, 2026 | 01:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via snat

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the snat endpoint. Attackers can send POST requests with JavaScript payloads in the port or snat_to_ip parameters to execute arbitrary scripts in users' browsers.

Action-Not Available
Vendor-comodoComodo
Product-dome_firewallComodo Dome Firewall
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-6841
Matching Score-4
Assigner-CERT.PL
ShareView Details
Matching Score-4
Assigner-CERT.PL
CVSS Score-5.1||MEDIUM
EPSS-0.24% / 14.29%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 11:49
Updated-01 Jun, 2026 | 14:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Reflected XSS in Request Tracker

Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim’s browser. This vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to 6.0.2.

Action-Not Available
Vendor-Best PracticalBest Practical Solutions, LLC
Product-request_trackerRequest Tracker
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-56809
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-5.1||MEDIUM
EPSS-0.19% / 8.45%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 06:02
Updated-30 Jun, 2026 | 14:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple laser printers and MFPs (multifunction printers) which implement Ricoh Web Image Monitor contain a reflected cross-site scripting vulnerability. An arbitrary script may be executed on the web browser of the user who accesses Web Image Monitor.

Action-Not Available
Vendor-Ricoh Company, Ltd.
Product-Multiple laser printers and MFPs which implement Ricoh Web Image Monitor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-5790
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-5.1||MEDIUM
EPSS-0.26% / 17.11%
||
7 Day CHG~0.00%
Published-14 May, 2026 | 12:30
Updated-14 May, 2026 | 16:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored Cross-Site Scripting (XSS) vulnerability in Stel Order

Stored Cross-Site Scripting (XSS) in Stel Order v3.25.1 and earlier, located at the ‘/app/FrontController’ endpoint via the ‘legalName’ and ‘employeeID’ parameters. The lack of proper input sanitization allows an attacker to inject malicious code that is persistently stored in the database. When other users or administrators access the affected sections, the code executes in their browsers, enabling the theft of session cookies and account hijacking.

Action-Not Available
Vendor-Stel Order
Product-Stel Order
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-57958
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.17% / 6.48%
||
7 Day CHG~0.00%
Published-29 Jun, 2026 | 17:23
Updated-29 Jun, 2026 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mixpost 2.6.0 - Reflected XSS via OAuth Callback Error Parameter

Mixpost through 2.6.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in authenticated users' browsers by crafting malicious OAuth callback URLs with unsanitized error query parameters. Attackers can exploit the OAuth callback controller's failure to sanitize error parameters before rendering them through Laravel flash messages via the Vue v-html directive to hijack authenticated user sessions or perform unauthorized actions.

Action-Not Available
Vendor-inovector
Product-mixpost
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-54386
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.24% / 14.93%
||
7 Day CHG~0.00%
Published-17 Jun, 2026 | 21:37
Updated-23 Jun, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
marimo < 0.23.9 XSS via file Query Parameter in assets.py

marimo before 0.23.9 contains a reflected cross-site scripting vulnerability in the notebook page that allows unauthenticated attackers to inject arbitrary JavaScript by exploiting improper escaping of single quotes in the file query parameter reflected into an inline JavaScript string literal. Attackers can craft a malicious link with a payload beginning with __new__ to bypass the 404 check and inject JavaScript into the page, which executes without Content-Security-Policy restrictions in the origin of a victim's marimo server.

Action-Not Available
Vendor-marimo-team
Product-marimo
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-54221
Matching Score-4
Assigner-CERT.PL
ShareView Details
Matching Score-4
Assigner-CERT.PL
CVSS Score-5.1||MEDIUM
EPSS-0.29% / 21.03%
||
7 Day CHG~0.00%
Published-18 Jun, 2026 | 12:56
Updated-18 Jun, 2026 | 18:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Reflected XSS in UBB.threads

UBB.threads is vulnerable to Reflected XSS. The application improperly handles user input in certain requests, enabling attackers to execute arbitrary JavaScript in the context of a victim's browser by tricking them into clicking a crafted link.  Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 7.7.5 but may also affect other versions.

Action-Not Available
Vendor-UBB Systems
Product-UBB.threads
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-50230
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.32% / 24.30%
||
7 Day CHG~0.00%
Published-05 Jun, 2026 | 13:24
Updated-05 Jun, 2026 | 19:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Lyrion Music Server 9.2.0 Reflected XSS via server.log

Lyrion Music Server 9.2.0 contains an unauthenticated reflected cross-site scripting vulnerability in the server.log endpoint that allows attackers to inject arbitrary HTML and JavaScript code through the search parameter. Attackers can craft malicious URLs with JavaScript payloads in the search parameter to execute code in users' browsers within the context of the affected application.

Action-Not Available
Vendor-LMS Community
Product-Lyrion Music Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-50235
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.16% / 5.33%
||
7 Day CHG~0.00%
Published-05 Jun, 2026 | 13:24
Updated-05 Jun, 2026 | 14:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Lyrion Music Server 9.2.0 Reflected XSS via search Parameters

Lyrion Music Server 9.2.0 contains a reflected cross-site scripting vulnerability in advanced search parameters that fail to properly sanitize user input before displaying it in search forms. Attackers can inject malicious scripts through unfiltered search parameters to execute arbitrary JavaScript in users' browsers and steal session information.

Action-Not Available
Vendor-LMS Community
Product-Lyrion Music Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-5010
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-5.1||MEDIUM
EPSS-0.27% / 19.03%
||
7 Day CHG~0.00%
Published-27 Mar, 2026 | 14:35
Updated-19 May, 2026 | 15:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Reflected Cross-Site Scripting (XSS) in Sanoma’s Clickedu

A reflected Cross-Site Scripting (XSS) vulnerability has been discovered in Clickedu. This vulnerability allows an attacker to execute JavaScript code in the victim’s browser by sending them a malicious URL using the endpoint “/user.php/”. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on the user’s behalf.

Action-Not Available
Vendor-Sanoma
Product-Clickedu
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-48217
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.21% / 11.53%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 17:09
Updated-21 May, 2026 | 19:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open ISES Tickets < 3.44.2 Reflected XSS via delete_module.php Multiple POST Parameters

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in delete_module.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the multiple POST parameters (module_choice, flag, confirmation) directly into rendered HTML content and form action attributes. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.

Action-Not Available
Vendor-Open ISES
Product-Tickets
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-48225
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.21% / 11.45%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 17:10
Updated-21 May, 2026 | 19:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open ISES Tickets < 3.44.2 Reflected XSS via landb.php _type Parameter

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in landb.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the _type POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.

Action-Not Available
Vendor-Open ISES
Product-Tickets
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-48213
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.17% / 6.90%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 15:51
Updated-21 May, 2026 | 19:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open ISES Tickets < 3.44.2 Reflected XSS via add.php ticket_id Parameter

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id POST parameter directly into an HTML form input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.

Action-Not Available
Vendor-Open ISES
Product-Tickets
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-48228
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.17% / 6.55%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 17:10
Updated-21 May, 2026 | 19:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open ISES Tickets < 3.44.2 Reflected XSS via patient_w.php id and ticket_id Parameters

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient_w.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id and ticket_id GET parameters directly into an HTML form action URL. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.

Action-Not Available
Vendor-Open ISES
Product-Tickets
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-48230
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.21% / 11.45%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 17:10
Updated-23 May, 2026 | 02:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open ISES Tickets < 3.44.2 Reflected XSS via ticketsmdb_import.php Multiple POST Parameters

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ticketsmdb_import.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the multiple POST parameters (mdbhost, mdbdb, mdbuser, mdbpassword, mdbprefix, ticketshost, ticketsdb, ticketsuser, ticketspassword, ticketsprefix) directly into HTML form hidden input value attributes. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.

Action-Not Available
Vendor-Open ISES
Product-Tickets
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-48214
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.21% / 11.53%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 17:09
Updated-21 May, 2026 | 19:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open ISES Tickets < 3.44.2 Reflected XSS via add_nm.php ticket_id Parameter

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add_nm.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id POST parameter directly into an HTML form input value attribute and an inline JavaScript string literal. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.

Action-Not Available
Vendor-Open ISES
Product-Tickets
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13597
Matching Score-4
Assigner-CERT.PL
ShareView Details
Matching Score-4
Assigner-CERT.PL
CVSS Score-5.1||MEDIUM
EPSS-0.34% / 26.09%
||
7 Day CHG~0.00%
Published-14 Apr, 2025 | 12:04
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS in iKSORIS

Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to Reflected XSS (Cross-site Scripting) attacks. An attacker might trick a user into filling a form sent to login panel at /softcom/ with a malicious script, what causes the script to run in user's context.  This vulnerability has been patched in version 79.0

Action-Not Available
Vendor-SoftCOM
Product-iKSORIS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-48221
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.21% / 11.53%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 17:09
Updated-21 May, 2026 | 19:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open ISES Tickets < 3.44.2 Reflected XSS via ics205a.php frm_add_str Parameter

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics205a.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.

Action-Not Available
Vendor-Open ISES
Product-Tickets
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-48227
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.17% / 6.55%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 17:10
Updated-21 May, 2026 | 19:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open ISES Tickets < 3.44.2 Reflected XSS via patient.php id and ticket_id Parameters

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id and ticket_id GET parameters directly into an HTML form action URL. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.

Action-Not Available
Vendor-Open ISES
Product-Tickets
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-48222
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.21% / 11.53%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 17:09
Updated-21 May, 2026 | 19:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open ISES Tickets < 3.44.2 Reflected XSS via ics213.php frm_add_str Parameter

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics213.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.

Action-Not Available
Vendor-Open ISES
Product-Tickets
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-48219
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.21% / 11.53%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 17:09
Updated-21 May, 2026 | 19:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open ISES Tickets < 3.44.2 Reflected XSS via ics202.php frm_add_str Parameter

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics202.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.

Action-Not Available
Vendor-Open ISES
Product-Tickets
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13598
Matching Score-4
Assigner-CERT.PL
ShareView Details
Matching Score-4
Assigner-CERT.PL
CVSS Score-5.1||MEDIUM
EPSS-0.20% / 10.23%
||
7 Day CHG~0.00%
Published-14 Apr, 2025 | 12:05
Updated-28 Oct, 2025 | 17:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS in iKSORIS

Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to Reflected XSS (Cross-site Scripting) attacks. Using a functionality of creating new form fields one creates new parameters vulnerable to XSS attacks. A user tricked into filling such a form with a malicious script will run the code in their's context.  This vulnerability has been patched in version 79.0

Action-Not Available
Vendor-softcom.wrocSoftCOM
Product-iksorisiKSORIS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-48229
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.17% / 6.55%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 17:10
Updated-21 May, 2026 | 19:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open ISES Tickets < 3.44.2 Reflected XSS via routes_i.php ticket_id Parameter

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in routes_i.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into HTML form hidden input value attributes. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.

Action-Not Available
Vendor-Open ISES
Product-Tickets
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-48223
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.21% / 11.53%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 17:09
Updated-21 May, 2026 | 19:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open ISES Tickets < 3.44.2 Reflected XSS via ics213rr.php frm_add_str Parameter

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics213rr.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.

Action-Not Available
Vendor-Open ISES
Product-Tickets
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-48218
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.26% / 17.30%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 17:09
Updated-23 May, 2026 | 02:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open ISES Tickets < 3.44.2 Reflected XSS via icons/buttons/landb.php frm_name and frm_id Parameters

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in icons/buttons/landb.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_name and frm_id POST parameters directly into rendered HTML content and inline JavaScript. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.

Action-Not Available
Vendor-Open ISES
Product-Tickets
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-48226
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.17% / 6.55%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 17:10
Updated-21 May, 2026 | 19:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open ISES Tickets < 3.44.2 Reflected XSS via os_watch.php ref and mode_orig Parameters

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in os_watch.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ref and mode_orig POST parameters directly into HTML form hidden input value attributes. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.

Action-Not Available
Vendor-Open ISES
Product-Tickets
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-48216
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.21% / 11.53%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 17:09
Updated-21 May, 2026 | 19:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open ISES Tickets < 3.44.2 Reflected XSS via db_loader.php Multiple POST Parameters

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in db_loader.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the multiple POST parameters (ticketshost, ticketsdb, ticketsuser, ticketspassword, ticketsprefix, db_schema) directly into HTML form input value attributes. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.

Action-Not Available
Vendor-Open ISES
Product-Tickets
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-48224
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.26% / 17.30%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 17:10
Updated-23 May, 2026 | 02:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open ISES Tickets < 3.44.2 Reflected XSS via ics214.php frm_add_str Parameter

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics214.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.

Action-Not Available
Vendor-Open ISES
Product-Tickets
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-48215
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.21% / 11.53%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 17:09
Updated-21 May, 2026 | 19:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open ISES Tickets < 3.44.2 Reflected XSS via circle.php frm_id Parameter

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in circle.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_id POST parameter directly into an HTML form input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.

Action-Not Available
Vendor-Open ISES
Product-Tickets
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13993
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.73% / 49.59%
||
7 Day CHG~0.00%
Published-30 Oct, 2025 | 21:43
Updated-17 Nov, 2025 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Nagios XI < 2024R1.1.2 Reflected XSS via Login Page on Older Browsers

Nagios XI versions prior to < 2024R1.1.2 are vulnerable to a reflected cross-site scripting (XSS) via the login page when accessed with older web browsers. Insufficient validation or escaping of user-supplied input reflected by the login page can allow an attacker to craft a malicious link that, when visited by a victim, executes arbitrary JavaScript in the victim’s browser within the Nagios XI origin. The issue is observable under legacy browser behaviors; modern browsers may mitigate some vectors.

Action-Not Available
Vendor-Nagios Enterprises, LLC
Product-nagios_xiXI
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • Next
Details not found