CVEs classified under CWE-80, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2024-39363 — CVSS 9.6 (critical): A cross-site scripting (xss) vulnerability exists in the login.cgi set_lang_CountryCode() functionality of Wavlink AC3000…
CVE-2023-39216 — CVSS 9.6 (critical): Improper input validation in Zoom Desktop Client for Windows before 5.14.7 may allow an unauthenticated user to enable an escalation of…
CVE-2025-53883: A Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability allows attackers to run arbitrary javascript…
CVE-2026-32891 — CVSS 9.0 (critical): Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. Versions…
CVE-2026-57532: Malicious HTML content contained in the layout specification of a PDF ticket or badge layout was executed when the PDF editor is opened in…
CVE-2026-6002 — CVSS 8.8 (high): Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in DivvyDrive Information Technologies Inc…
CVE-2025-4278 — CVSS 8.7 (high): An issue has been discovered in GitLab CE/EE affecting all versions starting with 18.0 before 18.0.2. Under certain conditions html…
CVE-2026-44369: CVAT is an open source interactive video and image annotation tool for computer vision. From 2.5.0 to 2.63.0, an attacker who is able to…
CVE-2023-32193 — CVSS 8.3 (high): A vulnerability has been identified in which unauthenticated cross-site scripting (XSS) in Norman's public API endpoint can be exploited…
CVE-2023-32192 — CVSS 8.3 (high): A vulnerability has been identified in which unauthenticated cross-site scripting (XSS) in the API Server's public API endpoint can be…
CVE-2024-23841 — CVSS 8.2 (high): apollo-client-nextjs is the Apollo Client support for the Next.js App Router. The @apollo/experimental-apollo-client-nextjs NPM package is…
CVE-2025-8029 — CVSS 8.1 (high): Thunderbird executed `javascript:` URLs when used in `object` and `embed` tags. This vulnerability was fixed in Firefox 141, Firefox ESR…
CVE-2025-54346 — CVSS 7.6 (high): A Reflected Cross Site Scripting (XSS) vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to…
CVE-2024-35224 — CVSS 7.6 (high): OpenProject is the leading open source project management software. OpenProject utilizes `tablesorter` inside of the Cost Report feature…
CVE-2022-0989 — CVSS 7.5 (high): An unprivileged user could use the functionality of the NS WooCommerce Watermark WordPress plugin through 2.11.3 to load images that hide…
CVE-2024-34507 — CVSS 7.4 (high): An issue was discovered in includes/CommentFormatter/CommentParser.php in MediaWiki before 1.39.7, 1.40.x before 1.40.3, and 1.41.x before…
CVE-2024-33423 — CVSS 7.4 (high): Cross-Site Scripting (XSS) vulnerability in the Settings menu of CMSimple v5.15 allows attackers to execute arbitrary web scripts or HTML…
CVE-2024-33831 — CVSS 7.4 (high): A stored cross-site scripting (XSS) vulnerability in the Advanced Expectation - Response module of yapi v1.10.2 allows attackers to execute…
CVE-2026-46492 — CVSS 7.2 (high): md-fileserver allows for local viewing of markdown files in a browser. Prior to version 1.10.3, a cross-site scripting (XSS) vulnerability…
CVE-2025-10496 — CVSS 7.2 (high): The Cookie Notice & Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the uuid parameter in all versions up to…
CVE-2024-4439 — CVSS 7.2 (high): WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due…
CVE-2026-50146 — CVSS 7.1 (high): Astro is a web framework. Prior to 6.3.3, when a component uses a client:* directive, Astro inserts named slot content into a…
CVE-2025-14835 — CVSS 7.1 (high): The WP Photo Album Plus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘shortcode’ parameter in all…
CVE-2025-64764 — CVSS 7.1 (high): Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the…
CVE-2025-60244 — CVSS 7.1 (high): Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in RealMag777 TableOn posts-table-filterable…
CVE-2025-31384 — CVSS 7.1 (high): Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Aviplugins Videos allows Reflected XSS.This…
CVE-2025-22501 — CVSS 7.1 (high): Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Improve My City Improve My City…
CVE-2024-46910 — CVSS 7.1 (high): An authenticated user can perform XSS and potentially impersonate another user. This issue affects Apache Atlas versions 2.3.0 and earlier…
CVE-2024-51689 — CVSS 7.1 (high): Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Saleswonder Team: Tobias CF7 WOW Styler…
CVE-2024-8981 — CVSS 7.1 (high): The Broken Link Checker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg in…
CVE-2024-26282 — CVSS 7.1 (high): Using an AMP url with a canonical element, an attacker could have executed JavaScript from an opened bookmarked page. This vulnerability…
CVE-2024-26482 — CVSS 7.1 (high): An HTML injection vulnerability exists in the Edit Content Layout module of Kirby CMS v4.1.0. NOTE: the vendor disputes the significance of…
CVE-2014-2353 — CVSS 7.1 (high): Cross-site scripting (XSS) vulnerability in Cogent DataHub before 7.3.5 allows remote attackers to inject arbitrary web script or HTML via…
CVE-2025-51989 — CVSS 7.0 (high): HTML injection vulnerability in the registration interface in Evolution Consulting Kft. HRmaster module v235 allows an attacker to inject…
CVE-2025-8386 — CVSS 6.9 (medium): The vulnerability, if exploited, could allow an authenticated miscreant (with privilege of "aaConfigTools") to tamper with App Objects'…
CVE-2025-62415 — CVSS 6.9 (medium): Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with…
CVE-2024-47139 — CVSS 6.8 (medium): A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IQ Configuration utility that allows an attacker…
CVE-2022-36325 — CVSS 6.8 (medium): Affected devices do not properly sanitize data introduced by an user when rendering the web interface. This could allow an authenticated…
CVE-2020-4047 — CVSS 6.8 (medium): In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media…
CVE-2025-64225 — CVSS 6.5 (medium): Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in colabrio Stockie Extra stockie-extra allows…
CVE-2025-54348 — CVSS 6.5 (medium): A Stored Cross Site Scripting (XSS) vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to…
CVE-2025-49398 — CVSS 6.5 (medium): Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Easy Appointments Easy Appointments…
CVE-2025-52897 — CVSS 6.5 (medium): GLPI is a Free Asset and IT Management Software package. In versions 9.1.0 through 10.0.18, an unauthenticated user can send a malicious…
CVE-2025-39524 — CVSS 6.5 (medium): Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in bPlugins Html5 Audio Player…
CVE-2025-31604 — CVSS 6.5 (medium): Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Cal.com Cal.com cal-com allows Stored…
CVE-2025-31075 — CVSS 6.5 (medium): Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in videowhisper MicroPayments paid-membership…
CVE-2025-25363 — CVSS 6.5 (medium): An authenticated stored cross-site scripting (XSS) vulnerability in The Plugin People Enterprise Mail Handler for Jira Data Center (JEMH)…
CVE-2025-24678 — CVSS 6.5 (medium): Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in listamester Listamester listamester allows…
CVE-2025-24673 — CVSS 6.5 (medium): Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in AyeCode Ketchup Shortcodes…
CVE-2023-49852 — CVSS 6.5 (medium): Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Vsourz Digital Responsive Slick Slider…