Explore CVEs related to XSS vulnerabilities, filtered by published year. This list is sorted by most recent disclosures first and supports filtering by CVSS and EPSS risk scores.
Includes the most recent vulnerability disclosures and trends, helping security teams quickly identify high-risk issues and exploitation likelihood.
You're viewing XSS CVEs published in 2018.

| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2018-6333 | The hhvm-attach deep link handler in Nuclide did not properly sanitize the provided hostname parameter when rendering. As a result, a malicious URL could be used to render HTML and other content inside of the editor's context, which could potentially be chained to lead to code execution. This issue affected Nuclide prior to v0.290.0. | 9.8 | 1.11% | 2018-12-31 | 2025-05-06 |
| CVE-2018-6341 | React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2. | 6.1 | 10.07% | 2018-12-31 | 2025-05-06 |
| CVE-2018-19918 | CuppaCMS has XSS via an SVG document uploaded to the administrator/#/component/table_manager/view/cu_views URI. | 5.4 | 0.19% | 2018-12-31 | 2025-05-06 |
| CVE-2018-19906 | Stored XSS exists in razorCMS 3.4.8 via the /#/page description parameter. | 5.4 | 0.19% | 2018-12-31 | 2025-05-06 |
| CVE-2018-19905 | HTML injection exists in razorCMS 3.4.8 via the /#/page keywords parameter. | 5.4 | 0.21% | 2018-12-31 | 2025-05-06 |
| CVE-2018-19904 | Persistent XSS exists in XSLT CMS via the create/?action=items.edit&type=Page "body" field. | 6.1 | 0.24% | 2018-12-31 | 2025-05-06 |
| CVE-2018-19903 | Persistent XSS exists in XSLT CMS via the create/?action=items.edit&type=Page title field. | 6.1 | 0.24% | 2018-12-31 | 2024-11-21 |
| CVE-2018-19902 | No-CMS 1.1.3 is prone to Persistent XSS via the blog/manage_article "keyword" parameter. | 4.8 | 0.24% | 2018-12-31 | 2024-11-21 |
| CVE-2018-19901 | No-CMS 1.1.3 is prone to Persistent XSS via the blog/manage_article/index/ "article_title" parameter. | 4.8 | 0.24% | 2018-12-31 | 2024-11-21 |
| CVE-2018-19845 | There is Stored XSS in GetSimple CMS 3.3.12 via the admin/edit.php "post-menu" parameter, a related issue to CVE-2018-16325. | 5.4 | 0.21% | 2018-12-31 | 2024-11-21 |
| CVE-2018-19844 | FROG CMS 0.9.5 has XSS via the admin/?/snippet/add name parameter, which is mishandled during an edit action, a related issue to CVE-2018-10319. | 4.8 | 0.24% | 2018-12-31 | 2024-11-21 |
| CVE-2018-20611 | imcat 4.4 allows XSS via a crafted cookie to the root/tools/adbug/binfo.php?cookie URI. | 6.1 | 0.21% | 2018-12-30 | 2024-11-21 |
| CVE-2018-20601 | UCMS 1.4.7 has XSS via the description parameter in an index.php list_editpost action. | 4.8 | 0.24% | 2018-12-30 | 2024-11-21 |
| CVE-2018-20600 | sadmin\cedit.php in UCMS 1.4.7 has XSS via an index.php sadmin_cedit action. | 6.1 | 0.24% | 2018-12-30 | 2024-11-21 |
| CVE-2018-20597 | UCMS 1.4.7 has XSS via the dir parameter in an index.php sadmin_fileedit action. | 4.8 | 0.21% | 2018-12-30 | 2024-11-21 |
| CVE-2018-20594 | An issue was discovered in hsweb 3.0.4. It is a reflected XSS vulnerability due to the absence of type parameter checking in FlowableModelManagerController.java. | 6.1 | 0.22% | 2018-12-30 | 2024-11-21 |
| CVE-2018-20590 | Ivan Cordoba Generic Content Management System (CMS) through 2018-04-28 has XSS via the Administrator/users.php user ID. | 4.8 | 0.24% | 2018-12-30 | 2024-11-21 |
| CVE-2018-20589 | Ivan Cordoba Generic Content Management System (CMS) through 2018-04-28 has XSS via the Administrator/add_pictures.php article ID. | 4.8 | 0.24% | 2018-12-30 | 2024-11-21 |
| CVE-2018-20583 | Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library versions 0.15.6 through 0.18.x before 0.18.1 allows remote attackers to insert unsafe URLs into HTML (even if allow_unsafe_links is false) via a newline character (e.g., writing javascript as javascri%0apt). | 6.1 | 0.34% | 2018-12-30 | 2024-11-21 |
| CVE-2018-16638 | Evolution CMS 1.4.x allows XSS via the manager/ search parameter. | 5.4 | 0.21% | 2018-12-28 | 2024-11-21 |