MITRE ATT&CK CVE list for this attack path. Use risk scores and timeline to decide what to patch first and what to track next.
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2026-12425 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PowerSchool Employee Access Center allows Cross-Site Scripting (XSS). This issue affects Employee Access Center: 23.10. It is possible to add JavaScript code after the login URL and have it be eval()'d in the page and execute in the context of the user. | 5.7 | 0.26% | 2026-06-16 | 2026-06-16 |
| CVE-2024-30476 | PowerStore contains a Stored Cross-Site Scripting Vulnerability in the PowerStore Manager. A remote authenticated low-privileged malicious actor could potentially exploit this vulnerability, which could lead to script execution in the client browser. | 5.4 | 0.20% | 2026-06-16 | 2026-06-16 |
| CVE-2026-54198 | Unauthenticated Cross Site Scripting (XSS) in Media Library Assistant <= 3.35 versions. | 7.1 | 0.15% | 2026-06-16 | 2026-06-16 |
| CVE-2026-54191 | Unauthenticated Cross Site Scripting (XSS) in Pods <= 3.3.8 versions. | 7.1 | 0.15% | 2026-06-16 | 2026-06-16 |
| CVE-2026-39437 | Unauthenticated Cross Site Scripting (XSS) in Min Max Step Quantity Limits Manager for WooCommerce <= 5.2.2 versions. | 7.1 | 0.14% | 2026-06-16 | 2026-06-16 |
| CVE-2026-10093 | The File Sharing & Download Manager – User Private Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fldr_ttl' parameter in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | 0.24% | 2026-06-16 | 2026-06-16 |
| CVE-2026-48157 | Slim is a PHP micro framework that enables users to write simple web applications and APIs. In versions 4.4.0 through 4.15, if an application uses HttpException::setTitle() and/or setDescription() to include untrusted/request-derived data in the error title or description (e.g. "No products found matching '{$query}'."), an attacker could inject arbitrary HTML/JavaScript that executes in the victim's browser when they encounter an HTML error page generated by Slim. The vulnerability is present ev | 6.1 | 0.26% | 2026-06-15 | 2026-06-16 |
| CVE-2026-52702 | Unauthenticated Cross Site Scripting (XSS) in SEO Redirection <= 9.17 versions. | 7.1 | 0.15% | 2026-06-15 | 2026-06-15 |
| CVE-2026-49773 | Subscriber Cross Site Scripting (XSS) in FV Flowplayer Video Player < 7.5.51.7212 versions. | 6.5 | 0.17% | 2026-06-15 | 2026-06-15 |
| CVE-2026-49055 | Unauthenticated Cross Site Scripting (XSS) in Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.9.7 versions. | 7.1 | 0.18% | 2026-06-15 | 2026-06-15 |
| CVE-2026-48966 | Unauthenticated Cross Site Scripting (XSS) in Funnel Builder by FunnelKit <= 3.15.0.2 versions. | 7.1 | 0.18% | 2026-06-15 | 2026-06-15 |
| CVE-2026-48885 | Unauthenticated Cross Site Scripting (XSS) in HollerBox <= 2.3.10.1 versions. | 7.1 | 0.18% | 2026-06-15 | 2026-06-15 |
| CVE-2026-48880 | Subscriber Cross Site Scripting (XSS) in WP Job Portal <= 2.5.2 versions. | 6.5 | 0.21% | 2026-06-15 | 2026-06-15 |
| CVE-2026-48876 | Unauthenticated Cross Site Scripting (XSS) in Stop Spammers <= 2026.3 versions. | 7.1 | 0.18% | 2026-06-15 | 2026-06-15 |
| CVE-2026-48871 | Unauthenticated Cross Site Scripting (XSS) in MW WP Form <= 5.1.3 versions. | 7.1 | 0.24% | 2026-06-15 | 2026-06-15 |
| CVE-2026-48870 | Subscriber Cross Site Scripting (XSS) in King Addons for Elementor <= 51.1.62 versions. | 6.5 | 0.21% | 2026-06-15 | 2026-06-15 |
| CVE-2026-48867 | Unauthenticated Cross Site Scripting (XSS) in Quiz And Survey Master <= 11.1.2 versions. | 7.1 | 0.18% | 2026-06-15 | 2026-06-15 |
| CVE-2026-48838 | Unauthenticated Cross Site Scripting (XSS) in Post SMTP <= 3.6.2 versions. | 7.1 | 0.28% | 2026-06-15 | 2026-06-15 |
| CVE-2026-45437 | Unauthenticated Cross Site Scripting (XSS) in Product Filter Widget for Elementor <= 1.0.6 versions. | 7.1 | 0.18% | 2026-06-15 | 2026-06-15 |
| CVE-2026-42775 | Unauthenticated Cross Site Scripting (XSS) in AutomatorWP <= 5.7.2 versions. | 7.1 | 0.18% | 2026-06-15 | 2026-06-15 |