Complete Responsive CMS Blog through 2018-05-20 has XSS via a comment.
CWE-79
CVE-2018-16786
DedeCMS 5.7 SP2 allows XSS via an onhashchange attribute in the msg parameter to /plus/feedback_ajax.php.
CVE-2018-16718
An XSS vulnerability exists in wwwblast.c in the 2.0.7 through 2.2.26 legacy versions of the NCBI ToolBox via a crafted -z1 argument.
CVE-2018-16725
An issue is discovered in baijiacms V4. XSS exists via the assets/weengine/components/zclip/ZeroClipboard.swf id parameter, aka “Non-standard use of the flash component.”
CVE-2018-16726
razorCMS 3.4.7 allows HTML injection via the description of the homepage within the settings component.
CVE-2018-16727
razorCMS 3.4.7 allows Stored XSS via the keywords of the homepage within the settings component.
