Export limit exceeded: 46645 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (46645 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-34077 | 3 Remix-run, Shopify, Turbo-stream | 4 React-router, Turbo-stream, React-router and 1 more | 2026-06-04 | 7.5 High |
| React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable RSC APIs in React Router. This is patched in version 7.13.2. | ||||
| CVE-2026-33245 | 2 Remix-run, Shopify | 2 React-router, React-router | 2026-06-04 | 8 High |
| React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable RSC APIs in React Router. This is patched in version 7.13.2. | ||||
| CVE-2026-42929 | 2 Danelec, Macgregor | 3 Macgregor Voyage Data Recorder (vdr) G4e, Interschalt Vdr G4e, Interschalt Vdr G4e Firmware | 2026-06-04 | 8.3 High |
| Danelec MacGregor Voyage Data Recorder includes default accounts with hard-coded credentials. | ||||
| CVE-2026-7299 | 1 Appsmith | 1 Appsmith | 2026-06-04 | 6.3 Medium |
| Appsmith’s SQL query editor’s autocomplete functionality fails to sanitize database object names before rendering them in innerHTML, allowing an authenticated Developer to inject persistent XSS by a malicious table or column names triggering arbitrary code execution in the sessions of other workspace members when they interact with the same datasource. | ||||
| CVE-2026-43984 | 1 Tautulli | 1 Tautulli | 2026-06-04 | 8.9 High |
| Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose `log_js_errors` to any authenticated user, including guest users when guest access is enabled. The endpoint writes attacker-controlled strings directly into the main application log. The administrator-only `logFile` view then reads that log file and embeds it into an HTML response without escaping. This creates a stored cross-site scripting condition where a low-privilege guest can inject HTML or JavaScript into the log file and have it execute in an administrator's browser when the log viewer is opened. Version 2.17.1 patches the issue. | ||||
| CVE-2022-50957 | 1 Avatar Uploader Project | 1 Avatar Uploader | 2026-06-04 | 6.1 Medium |
| Drupal avatar_uploader 7.x-1.0-beta8 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the file parameter. Attackers can craft URLs with script payloads in the file parameter of avatar_uploader.pages.inc to execute arbitrary JavaScript in victim browsers. | ||||
| CVE-2026-10810 | 1 Itsourcecode | 1 Fees Management System | 2026-06-04 | 4.3 Medium |
| A weakness has been identified in itsourcecode Fees Management System up to 1.0. Affected is an unknown function of the file /navbar.php. This manipulation of the argument page causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. | ||||
| CVE-2026-47323 | 1 Apache | 2 Apache Camel, Camel | 2026-06-04 | 9.8 Critical |
| Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering The CXF and Knative HeaderFilterStrategy implementations (CxfRsHeaderFilterStrategy in camel-cxf-rest, CxfHeaderFilterStrategy in camel-cxf-transport, and KnativeHttpHeaderFilterStrategy in camel-knative-http) only filter outbound Camel-internal headers via setOutFilterStartsWith, while not configuring inbound filtering via setInFilterStartsWith. As a result, an unauthenticated attacker can inject Camel-internal headers (e.g. CamelExecCommandExecutable, CamelFileName) via HTTP requests to CXF-RS or CXF-SOAP endpoints. When a route forwards messages from these endpoints to header-driven components such as camel-exec or camel-file, the injected headers override configured values, enabling remote code execution or arbitrary file writes. This is the same pattern that was previously addressed in camel-undertow (CVE-2025-30177), the broader incoming-header filter (CVE-2025-27636 and CVE-2025-29891), and non-HTTP strategies (CVE-2026-40453). This issue affects Apache Camel: from 3.18.0 before 4.14.6, from 4.15.0 before 4.18.2. Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.18.x LTS releases stream, then they are suggested to upgrade to 4.18.2. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. | ||||
| CVE-2025-11960 | 1 Aryom | 1 Kvknet | 2026-06-04 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Aryom Software High Technology Systems Inc. KVKNET allows Reflected XSS. This issue affects KVKNET: before 2.1.8. | ||||
| CVE-2025-11962 | 1 Divvydrive | 1 Digital Corporate Warehouse | 2026-06-04 | 7.3 High |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in DivvyDrive Information Technologies Inc. Digital Corporate Warehouse allows Stored XSS. This issue affects Digital Corporate Warehouse: before v.4.8.2.22. | ||||
| CVE-2025-11963 | 1 Saysis | 1 Starcities | 2026-06-04 | 5.4 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Saysis Computer Systems Trade Ltd. Co. StarCities allows Reflected XSS. This issue affects StarCities: before 1.1.61. | ||||
| CVE-2025-13002 | 2 Farktor, Farktor Software E-commerce Services Inc. | 2 E-commerce Package, E-commerce Package | 2026-06-04 | 8.2 High |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Cross-Site Scripting (XSS). This issue affects E-Commerce Package: through 27112025. | ||||
| CVE-2025-13127 | 2026-06-04 | 3.5 Low | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in TAC Information Services Internal and External Trade Inc. GoldenHorn allows Cross-Site Scripting (XSS). This issue affects GoldenHorn: before 4.25.1121.1. | ||||
| CVE-2025-13183 | 2026-06-04 | 7.3 High | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Hotech Software Inc. Otello allows Stored XSS. This issue affects Otello: from 2.4.0 before 2.4.4. | ||||
| CVE-2025-13505 | 1 Datateam | 1 Datactive | 2026-06-04 | 4.8 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting'), Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Datateam Information Technologies Inc. Datactive allows Stored XSS. This issue affects Datactive: from 2.13.34 before 2.14.0.6. | ||||
| CVE-2025-14320 | 1 Tegsoft | 1 Online Support Application | 2026-06-04 | 9.8 Critical |
| Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Tegsoft Management and Information Services Trade Limited Company Online Support Application allows Reflected XSS. This issue affects Online Support Application: from V3 through 31122025. | ||||
| CVE-2025-14343 | 1 Dokuzsoft Technology | 1 E-commerce Product | 2026-06-04 | 7.6 High |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Dokuzsoft Technology Ltd. E-Commerce Product allows Reflected XSS. This issue affects E-Commerce Product: through 10122025. | ||||
| CVE-2025-14347 | 1 Proliz Software | 1 Obs | 2026-06-04 | 6.3 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Proliz Software Ltd. OBS (Student Affairs Information System)0 allows Reflected XSS. This issue affects OBS (Student Affairs Information System)0: before 26.5009. | ||||
| CVE-2026-39107 | 2026-06-03 | 6.3 Medium | ||
| A Cross Site Scripting vulnerability exists in the Kimi AI v1.0 web interface's 'Preview' feature. The application fails to properly sanitize or encode HTML/JavaScript payloads generated by the AI model. When a user switches to the 'Preview' tab to view AI-generated code, the malicious payload is rendered directly into the DOM, leading to arbitrary JavaScript execution in the victim's browser session. | ||||
| CVE-2026-42840 | 1 Frappe | 1 Erpnext | 2026-06-03 | N/A |
| An authenticated user can persist arbitrary HTML/JavaScript in the email_id or mobile_no fields of a Customer record and trigger unescaped rendering in the Point of Sale (POS) interface for every operator who selects that customer. This issue affects ERPNext: 16.16.0. | ||||