CVEs classified under CWE-87, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (19)
CVE-2023-35158 — CVSS 9.6 (critical): XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL…
CVE-2025-54369: Node-SAML is a SAML library not dependent on any frameworks that runs in Node. In versions 5.0.1 and below, Node-SAML loads the assertion…
CVE-2026-55237 — CVSS 8.8 (high): AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions prior…
CVE-2026-33510 — CVSS 8.8 (high): Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scripting (XSS) vulnerability has been discovered in Homarr's…
CVE-2026-33506 — CVSS 8.8 (high): Ory Polis, formerly known as BoxyHQ Jackson, bridges or proxies a SAML login flow to OAuth 2.0 or OpenID Connect. Versions prior to 26.2.0…
CVE-2026-40321 — CVSS 8.0 (high): DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.2.2, a…
CVE-2026-22711: Improper neutralization of alternate XSS syntax vulnerability in The Wikimedia Foundation Mediawiki - Wikilove Extension allows Cross-Site…
CVE-2025-14732 — CVSS 6.4 (medium): The Elementor Website Builder – More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via…
CVE-2025-8561 — CVSS 6.4 (medium): The Ova Advent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and…
CVE-2024-4459 — CVSS 6.4 (medium): The Themesflat Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widget's titles in…
CVE-2024-2618 — CVSS 6.4 (medium): The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the size attribute in all…
CVE-2024-3666 — CVSS 6.4 (medium): The Opal Estate Pro – Property Management and Submission plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the agent…
CVE-2024-2750 — CVSS 6.4 (medium): The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL attribute of the Button…
CVE-2026-25688 — CVSS 6.1 (medium): Improper Neutralization of Alternate XSS Syntax vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0…
CVE-2026-45314 — CVSS 6.1 (medium): Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the channel webhook…
CVE-2024-3519 — CVSS 6.1 (medium): The Media Library Assistant plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the lang parameter in all versions up…
CVE-2026-42458: Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition…
CVE-2024-2657 — CVSS 4.4 (medium): The Font Farsi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including…
CVE-2023-6446 — CVSS 4.4 (medium): The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and…