Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-62656 | 2025-10-21 | N/A | N/A | ||
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki GlobalBlocking extension allows Stored XSS.This issue affects MediaWiki GlobalBlocking extension: 1.43, 1.44.
|
|||||
| CVE-2025-61456 | 2025-10-21 | N/A | 6.1 MEDIUM | ||
|
A Cross-Site Scripting (XSS) vulnerability exists in Bhabishya-123 E-commerce 1.0, specifically within the index endpoint. Unsanitized input in the /index parameter is directly reflected back into the response HTML, allowing attackers to execute arbitrary JavaScript in the browser of a user who visits a malicious link or submits a crafted request.
|
|||||
| CVE-2025-62662 | 2025-10-21 | N/A | N/A | ||
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - AdvancedSearch Extension allows Stored XSS.This issue affects Mediawiki - AdvancedSearch Extension: from master before 1.39.
|
|||||
| CVE-2025-62657 | 2025-10-21 | N/A | N/A | ||
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki PageForms extension allows Stored XSS.This issue affects MediaWiki PageForms extension: 1.44.
|
|||||
| CVE-2025-9562 | 2025-10-21 | N/A | 6.4 MEDIUM | ||
|
The Redirection for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's qs_date shortcode in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2020-36853 | 2025-10-21 | N/A | 7.2 HIGH | ||
|
The 10WebMapBuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Plugin Settings Change in versions up to, and including, 1.0.63 due to insufficient input sanitization and output escaping and a lack of capability checks. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-60507 | 2025-10-21 | N/A | 8.9 HIGH | ||
|
Cross site scripting vulnerability in Moodle GeniAI plugin (local_geniai) 2.3.6. An authenticated user with Teacher role can upload a PDF containing embedded JavaScript. The assistant outputs a direct HTML link to the uploaded file without sanitization. When other users (including Students or Administrators) click the link, the payload executes in their browser.
|
|||||
| CVE-2020-36854 | 2025-10-21 | N/A | 6.4 MEDIUM | ||
|
The Async JavaScript plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.19.07.14. This is due to missing authorization checks on the aj_steps AJAX aciton along with a lack on sanitization on the settings saved via the function. This makes it possible for authenticated attackers with subscriber level permissions and above to inject malicious web scripts into a page that execute whenever a user accesses that page.
|
|||||
| CVE-2025-62695 | 2025-10-21 | N/A | N/A | ||
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - WikiLambda Extension allows Stored XSS.This issue affects Mediawiki - WikiLambda Extension: master.
|
|||||
| CVE-2025-61454 | 2025-10-21 | N/A | 6.1 MEDIUM | ||
|
A Cross-Site Scripting (XSS) vulnerability exists in Bhabishya-123 E-commerce 1.0, specifically within the search endpoint. Unsanitized input in the /search parameter is directly reflected back into the response HTML, allowing attackers to execute arbitrary JavaScript in the browser of a user who visits a malicious link or submits a crafted request.
|
|||||
| CVE-2025-62693 | 2025-10-21 | N/A | N/A | ||
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - LastModified Extension allows Stored XSS.This issue affects Mediawiki - LastModified Extension: from master before 1.39.
|
|||||
| CVE-2025-62664 | 2025-10-21 | N/A | N/A | ||
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - ImageRating Extension allows Stored XSS.This issue affects Mediawiki - ImageRating Extension: from master before 1.39.
|
|||||
| CVE-2025-62670 | 2025-10-21 | N/A | N/A | ||
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - FlexDiagrams Extension allows Stored XSS.This issue affects Mediawiki - FlexDiagrams Extension: master.
|
|||||
| CVE-2025-62701 | 2025-10-21 | N/A | N/A | ||
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Wikistories allows Stored XSS.This issue affects Mediawiki - Wikistories: from master before 1.44.
|
|||||
| CVE-2025-11937 | 2025-10-21 | N/A | N/A | ||
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - SecurePoll Extension allows Stored XSS.This issue affects Mediawiki - SecurePoll Extension: master.
|
|||||
| CVE-2025-11945 | 2025-10-21 | 4.0 MEDIUM | 3.5 LOW | ||
|
A vulnerability was identified in toeverything AFFiNE up to 0.24.1. This vulnerability affects unknown code of the component Avatar Upload Image Endpoint. Such manipulation leads to cross site scripting. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-10612 | 2025-10-21 | N/A | 6.1 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in giSoft Information Technologies City Guide allows Reflected XSS.This issue affects City Guide: before 1.4.45.
|
|||||
| CVE-2025-62663 | 2025-10-21 | N/A | N/A | ||
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - UploadWizard Extension allows Stored XSS.This issue affects Mediawiki - UploadWizard Extension: from master before 1.39.
|
|||||
| CVE-2025-62665 | 2025-10-21 | N/A | N/A | ||
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - Skin:BlueSky allows Stored XSS.This issue affects Mediawiki - Skin:BlueSky: from master before 1.39.
|
|||||
| CVE-2024-27202 | 1 F5 | 21 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 18 more | 2025-10-21 | N/A | 4.7 MEDIUM |
|
A DOM-based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
|
|||||
| CVE-2024-38959 | 1 Creativeitem | 1 Academy Lms | 2025-10-21 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting vulnerability in Creativeitem Academy LMS Learning Management System v.6.8.1 allows a remote attacker to execute arbitrary code and obtain sensitive information via the string parameter.
|
|||||
| CVE-2025-24320 | 1 F5 | 21 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 18 more | 2025-10-21 | N/A | 8.0 HIGH |
|
A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. This vulnerability is due to an incomplete fix for CVE-2024-31156 https://my.f5.com/manage/s/article/K000138636 .
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
|
|||||
| CVE-2025-0277 | 1 Hcltech | 2 Bigfix Mobile, Bigfix Modern Client Management | 2025-10-21 | N/A | 6.5 MEDIUM |
|
HCL BigFix Mobile 3.3 and earlier are vulnerable to certain insecure directives within the Content Security Policy (CSP). An attacker could trick users into performing actions by not properly restricting the sources of scripts and other content.
|
|||||
| CVE-2025-27259 | 1 Ericsson | 1 Network Manager | 2025-10-21 | N/A | 5.4 MEDIUM |
|
Ericsson Network Manager versions prior to ENM 25.2 GA contain a vulnerability that, if exploited, can exfiltrate limited data or redirect victims to other sites or domains.
|
|||||
| CVE-2025-2495 | 1 Sytel | 1 Softdial Contact Center | 2025-10-21 | N/A | 5.4 MEDIUM |
|
Stored Cross-Site Scripting (XSS) in Softdial Contact Center of Sytel Ltd. This vulnerability allows an attacker to upload XML files to the server with JavaScript code injected via the ‘/softdial/scheduler/save.php’ resource. The injected code will execute when the uploaded file is loaded via the ‘/softdial/scheduler/load.php’ resource and can redirect the victim to malicious sites or steal their login information to spoof their identity.
|
|||||
| CVE-2025-1742 | 1 Pihome | 1 Maxair | 2025-10-21 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability, which was classified as problematic, has been found in pihome-shc PiHome 2.0. Affected by this issue is some unknown functionality of the file /home.php. The manipulation of the argument page_name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-41021 | 1 Sergestec | 1 Exito | 2025-10-21 | N/A | 5.4 MEDIUM |
|
Stored Cross-Site Scripting (XSS) in Sergestec's Exito v8.0, consisting of a stored XSS due to a lack of proper validation of user input by sending a POST request using the 'obs' parameter in '/admin/index.php?action=product_update'. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details.
|
|||||
| CVE-2025-0276 | 1 Hcltech | 2 Bigfix Mobile, Bigfix Modern Client Management | 2025-10-21 | N/A | 6.5 MEDIUM |
|
HCL BigFix Modern Client Management (MCM) 3.3 and earlier are vulnerable to certain insecure directives within the Content Security Policy (CSP). An attacker could trick users into performing actions by not properly restricting the sources of scripts and other content.
|
|||||
| CVE-2025-61933 | 1 F5 | 1 Big-ip Access Policy Manager | 2025-10-21 | N/A | 6.1 MEDIUM |
|
A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of BIG-IP APM that allows an attacker to run JavaScript in the context of the targeted logged-out user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
|
|||||
| CVE-2025-61539 | 1 Myupb | 1 Ultimate Php Board | 2025-10-21 | N/A | 6.1 MEDIUM |
|
Cross site scripting (XSS) vulnerability in Ultimate PHP Board 2.2.7 via the u_name parameter in lostpassword.php.
|
|||||
| CVE-2024-31156 | 1 F5 | 21 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 18 more | 2025-10-21 | N/A | 8.0 HIGH |
|
A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
|
|||||
| CVE-2024-33604 | 1 F5 | 21 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 18 more | 2025-10-21 | N/A | 6.1 MEDIUM |
|
A reflected cross-site scripting (XSS) vulnerability exist in undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
|
|||||
| CVE-2025-58351 | 1 Getoutline | 1 Outline | 2025-10-20 | N/A | 6.8 MEDIUM |
|
Outline is a service that allows for collaborative documentation. In versions 0.72.0 through 0.83.0, Outline introduced a feature which facilitates local file system storage capabilities as an optional file storage strategy. This feature allowed a CSP bypass as well as a ContentType bypass that might facilitate further attacks. In the case of self-hosting and using Outline FILE_STORAGE=local on the same domain as the Outline application, a malicious payload can be uploaded as a file attachment a ...
Show More |
|||||
| CVE-2025-59428 | 1 Espocrm | 1 Espocrm | 2025-10-20 | N/A | 5.4 MEDIUM |
|
EspoCRM is an open source customer relationship management application. In versions before 9.1.9, a vulnerability allows arbitrary user creation, including administrative accounts, through a combination of stored SVG injection and lack of CSRF protection. An attacker with Knowledge Base edit permissions can embed a malicious SVG element containing a link in the body field of an article. When an authenticated user clicks the malicious link, they are redirected to an attacker-controlled HTML page ...
Show More |
|||||
| CVE-2025-61597 | 1 Emlog | 1 Emlog | 2025-10-20 | N/A | 7.6 HIGH |
|
Emlog is an open source website building system. In versions 2.5.21 and below, an HTML template injection allows stored cross‑site scripting (XSS) via the mail template settings. Once a malicious payload is saved, any subsequent visit to the settings page in an authenticated admin context will execute attacker‑controlled JavaScript, enabling session/token theft and full admin account takeover. This issue is fixed in version 2.5.22.
|
|||||
| CVE-2025-62365 | 1 Librenms | 1 Librenms | 2025-10-20 | N/A | 6.1 MEDIUM |
|
LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. Prior to 25.7.0, there is a reflected-XSS in `report_this` function in `librenms/includes/functions.php`. The `report_this` function had improper filtering (`htmlentities` function was incorrectly use in a href environment), which caused the `project_issues` parameter to trigger an XSS vulnerability. This vulnerability is fixed in 25.7.0.
|
|||||
| CVE-2024-50849 | 1 Rws | 1 Worldserver | 2025-10-20 | N/A | 4.8 MEDIUM |
|
A Stored Cross-Site Scripting (XSS) vulnerability in the "Rules" functionality of WorldServer v11.8.2 allows a remote authenticated attacker to execute arbitrary JavaScript code.
|
|||||
| CVE-2025-62178 | 1 Wegia | 1 Wegia | 2025-10-20 | N/A | 3.5 LOW |
|
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Prior to 3.5.1, a Reflected Cross-Site Scripting (XSS) vulnerability was identified in the /html/atendido/cadastro_atendido_parentesco_pessoa_nova.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the idatendido parameter. This vulnerability is fixed in 3.5.1.
|
|||||
| CVE-2025-62359 | 1 Wegia | 1 Wegia | 2025-10-20 | N/A | 6.1 MEDIUM |
|
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Prior to 3.5.0, a Reflected Cross-Site Scripting (XSS) vulnerability was identified in the /pet/profile_pet.php?id_pet= endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the id_pet parameter. This vulnerability is fixed in 3.5.0.
|
|||||
| CVE-2025-62358 | 1 Wegia | 1 Wegia | 2025-10-20 | N/A | 5.4 MEDIUM |
|
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Prior to 3.5.1, the log parameter in configuracao_geral.php is vulnerable to Reflected Cross-Site Scripting (XSS). An attacker can inject arbitrary JavaScript, which executes in the victim’s browser. This vulnerability is fixed in 3.5.1.
|
|||||