| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Stored XSS.This issue affects LiteSpeed Cache: from n/a through <= 6.5.2. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Creative Brahma Multifox Plus multifox-plus allows DOM-Based XSS.This issue affects Multifox Plus: from n/a through <= 1.1.6. |
| A security flaw has been discovered in Ruijie NBR2100G-E up to 20250919. Affected by this issue is the function listAction of the file /itbox_pi/branch_passw.php?a=list. Performing manipulation of the argument city results in os command injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pierre Jégo Map Store Locator map-store-location allows DOM-Based XSS.This issue affects Map Store Locator: from n/a through <= 1.2.1. |
| All versions of the package check-branches are vulnerable to Command Injection check-branches is a command-line tool that is interacted with locally, or via CI, to confirm no conflicts exist in git branches.
However, the library follows these conventions which can be abused:
1. It trusts branch names as they are (plain text)
2. It spawns git commands by concatenating user input
Since a branch name is potentially a user input - as users can create branches remotely via pull requests, or simply due to privileged access to a repository - it can effectively be abused to run any command. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in midori scrollup scrollup allows DOM-Based XSS.This issue affects scrollup: from n/a through <= 1.1. |
| This affects all versions of the package node-static; all versions of the package @nubosoftware/node-static. The package fails to catch an exception when user input includes null bytes. This allows attackers to access http://host/%00 and crash the server. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Maruf Arafat VP Sitemap vp-sitemap allows Stored XSS.This issue affects VP Sitemap: from n/a through <= 1.0. |
| The credentials required to access the device's web server are sent in base64 within the HTTP headers. Since base64 is not considered a strong cipher, an attacker could intercept the web request handling the login and obtain the credentials. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sazzad Testimonial Slider Shortcode testimonial-slider-shortcode allows Stored XSS.This issue affects Testimonial Slider Shortcode: from n/a through <= 1.1.9. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Asaduzzaman Abir Rig Elements For Elementor rig-elements allows DOM-Based XSS.This issue affects Rig Elements For Elementor: from n/a through <= 1.0. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jakir Hasan Blocks Post Grid blocks-post-grid allows DOM-Based XSS.This issue affects Blocks Post Grid: from n/a through <= 1.0.3. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saif Kings Tab Slider kings-tab-slider allows DOM-Based XSS.This issue affects Kings Tab Slider: from n/a through <= 1.0. |
| The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 5.2.12 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for unauthenticated attackers spoof their IP address and submit forms that may have IP-based restrictions. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dozyde Cookie Nonsense for YT yt-cookie-nonsense allows DOM-Based XSS.This issue affects Cookie Nonsense for YT: from n/a through <= 1.2.0. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Uri Lazcano Ekiline Block Collection ekiline-block-collection allows DOM-Based XSS.This issue affects Ekiline Block Collection: from n/a through <= 1.0.5. |
| Netskope was notified about a potential gap in its agent (NS Client) on Windows systems. If this gap is successfully exploited, a local, authenticated user with Administrator privileges can improperly load the driver as a generic kernel service. This triggers the flaw, causing a system crash (Blue-Screen-of-Death) and resulting in a Denial of Service (DoS) for the affected machine. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sam Perrow Fast Video and Image Display fast-video-and-image-display allows DOM-Based XSS.This issue affects Fast Video and Image Display: from n/a through <= 2.5.2. |
| The TwentyTwenty plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'twentytwenty' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| Airbyte is a data integration platform for ELT pipelines. Airbyte connection builder docker image is vulnerable to RCE via SSTI which allows an authenticated remote attacker to execute arbitrary code on the server as the web server user. The connection builder is used to create and test new connectors. Sensitive information, such as credentials, could be exposed if a user tested a new connector on a compromised instance. The connection builder does not have access to any data processes. This vulnerability is fixed in 0.62.2. |
