| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris Taylor Child Themes child-themes allows Reflected XSS.This issue affects Child Themes: from n/a through <= 1.0.1. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in selloio Sello ChannelConnector sello-channelconnector allows Reflected XSS.This issue affects Sello ChannelConnector: from n/a through <= 1.6.3. |
| The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘add_iframe_url_as_param_direct’ parameter in versions up to, and including, 2024.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in supsystic Contact Form by Supsystic contact-form-by-supsystic allows Reflected XSS.This issue affects Contact Form by Supsystic: from n/a through <= 1.7.36. |
| The Subscribe2 – Form, Email Subscribers & Newsletters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ip parameter in all versions up to, and including, 10.43 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juergen Schulze Emu2 emu2-email-users-2 allows Reflected XSS.This issue affects Emu2: from n/a through <= 0.83b. |
| The Simple Basic Contact Form plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘scf_email’ parameter in versions up to, and including, 20221201 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. |
| A vulnerability, which was classified as problematic, has been found in SIAM Industria de Automação e Monitoramento SIAM 2.0. This issue affects some unknown processing of the file /qrcode.jsp. The manipulation of the argument url leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| A vulnerability, which was classified as problematic, was found in Internet Web Solutions Sublime CRM up to 20250207. Affected is an unknown function of the file /crm/inicio.php of the component HTTP POST Request Handler. The manipulation of the argument msg_to leads to cross site scripting. It is possible to launch the attack remotely. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way. |
| Improper sanitization of the value of the 'href' and 'xlink:href' attributes in '<image>' SVG elements in AngularJS's 'ngSanitize' module allows attackers to bypass common image source restrictions. This can lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing and also negatively affect the application's performance and behavior by using too large or slow-to-load images.
This issue affects AngularJS versions greater than or equal to 1.3.1.
Note:
The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status . |
| Insecure Direct Object Reference (IDOR) vulnerability in TelegAI (telegai.com) thru 2025-05-26 in its chat component. An attacker can exploit this IDOR to tamper other users' conversation. Additionally, malicious contents and XSS payloads can be injected, leading to phishing attack, user spoofing and account hijacking via XSS. |
| The Import and export users and customers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.26.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SilkyPress Multi-Step Checkout for WooCommerce wp-multi-step-checkout allows DOM-Based XSS.This issue affects Multi-Step Checkout for WooCommerce: from n/a through <= 2.33. |
| Stored Cross-Site Scripting (XSS) in TelegAI (telegai.com) 2025-05-26 in its chat component and character container component. An attacker can achieve arbitrary client-side script execution by crafting an AI Character with SVG XSS payloads in either description, greeting, example dialog, or system prompt(instructing the LLM to embed XSS payload in its chat response). When a user interacts with such a malicious AI Character or just browse its profile, the script executes in the user's browser. Successful exploitation can lead to the theft of sensitive information, such as session tokens, potentially resulting in account hijacking. |
| A vulnerability classified as critical has been found in IROAD X5 Mobile App up to 5.2.5 on Android. Affected is an unknown function of the component API Endpoint. The manipulation leads to hard-coded credentials. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| HI-SCAN 6040i Hitrax HX-03-19-I was discovered to contain hardcoded credentials for access to vendor support and service access. |
| A vulnerability has been found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 20250831. This vulnerability affects unknown code of the file /index.php/sysmanage/Login. Such manipulation of the argument Name leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pco_58 WC Return products wc-return-product allows Reflected XSS.This issue affects WC Return products: from n/a through <= 1.5. |
| The ShMapper by Teplitsa plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shmMap' shortcode in all versions up to, and including, 1.4.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| Stored Cross-Site Scripting (XSS) vulnerability in Chaindesk thru 2025-05-26 in its agent chat component. An attacker can achieve arbitrary client-side script execution by crafting an AI agent whose system prompt instructs the underlying Large Language Model (LLM) to embed malicious script payloads (e.g., SVG-based XSS) into its chat responses. When a user interacts with such a malicious agent or accesses a direct link to a conversation containing an XSS payload, the script executes in the user's browser. Successful exploitation can lead to the theft of sensitive information, such as JWT session tokens, potentially resulting in account hijacking. |
