Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-56795 | 1 Mealie | 1 Mealie | 2025-10-16 | N/A | 9.0 CRITICAL |
|
Mealie 3.0.1 and earlier is vulnerable to Stored Cross-Site Scripting (XSS) in the recipe creation functionality. Unsanitized user input in the "note" and "text" fields of the "/api/recipes/{recipe_name}" endpoint is rendered in the frontend without proper escaping leading to persistent XSS.
|
|||||
| CVE-2025-60308 | 1 Fabian | 1 Simple Online Hotel Reservation System | 2025-10-16 | N/A | 4.1 MEDIUM |
|
code-projects Simple Online Hotel Reservation System 1.0 has a Cross Site Scripting (XSS) vulnerability in the Add Room function of the online hotel reservation system. Malicious JavaScript code is entered in the Description field, which can leak the administrator's cookie information when browsing this room information
|
|||||
| CVE-2025-45585 | 1 Audi | 2 Universal Traffic Recorder, Universal Traffic Recorder Firmware | 2025-10-16 | N/A | 5.4 MEDIUM |
|
Multiple stored cross-site scripting (XSS) vulnerabilities in Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the wifi_sta_ssid or wifi_ap_ssid parameters.
|
|||||
| CVE-2025-60374 | 2025-10-16 | N/A | 6.1 MEDIUM | ||
|
Stored Cross-Site Scripting (XSS) in Perfex CRM chatbot before 3.3.1 allows attackers to inject arbitrary HTML/JavaScript. The payload is executed in the browsers of users viewing the chat, resulting in client-side code execution, potential session token theft, and other malicious actions. A different vulnerability than CVE-2024-8867.
|
|||||
| CVE-2025-10132 | 2025-10-16 | N/A | 6.4 MEDIUM | ||
|
The Dhivehi Text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dhivehi' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-54859 | 2025-10-16 | N/A | 4.8 MEDIUM | ||
|
Stored cross-site scripting (XSS) vulnerability in desknet's NEO V9.0R2.0 and earlier allow execution of arbitrary JavaScript in a user’s web browser.
|
|||||
| CVE-2025-53858 | 2025-10-16 | N/A | 5.4 MEDIUM | ||
|
ChatLuck contains a cross-site scripting vulnerability in Chat Rooms. If exploited, an arbitrary script may be executed on the web browser of the user who is accessing the product.
|
|||||
| CVE-2025-10135 | 2025-10-16 | N/A | 6.4 MEDIUM | ||
|
The WP ViewSTL plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'viewstl' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-58115 | 2025-10-16 | N/A | 6.1 MEDIUM | ||
|
ChatLuck contains a cross-site scripting vulnerability in Guest User Sign-up. If exploited, an arbitrary script may be executed on the web browser of the user who is accessing the product.
|
|||||
| CVE-2025-10139 | 2025-10-16 | N/A | 6.4 MEDIUM | ||
|
The WP BookWidgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bw_link' shortcode in all versions up to, and including, 0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-54760 | 2025-10-16 | N/A | 5.4 MEDIUM | ||
|
Stored cross-site scripting (XSS) vulnerability in desknet's NEO V9.0R2.0 and earlier allow execution of arbitrary JavaScript in a user’s web browser.
|
|||||
| CVE-2025-55072 | 2025-10-16 | N/A | 5.4 MEDIUM | ||
|
Stored cross-site scripting (XSS) vulnerability in desknet's NEO V2.0R1.0 to V9.0R2.0 allow execution of arbitrary JavaScript in a user’s web browser.
|
|||||
| CVE-2025-10140 | 2025-10-16 | N/A | 6.4 MEDIUM | ||
|
The Quick Social Login plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'quick-login' shortcode in all versions up to, and including, 1.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-10194 | 2025-10-16 | N/A | 6.4 MEDIUM | ||
|
The Shortcode Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button' shortcode in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-10141 | 2025-10-16 | N/A | 6.4 MEDIUM | ||
|
The Digiseller plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ds' shortcode in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-11814 | 2025-10-16 | N/A | 6.4 MEDIUM | ||
|
The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to 3.21.1 (exclusive) due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-24833 | 2025-10-16 | N/A | 5.4 MEDIUM | ||
|
Stored cross-site scripting (XSS) vulnerability in desknet's NEO versions V4.0R1.0–V9.0R2.0 allow execution of arbitrary JavaScript in a user’s web browser.
|
|||||
| CVE-2025-10133 | 2025-10-16 | N/A | 6.4 MEDIUM | ||
|
The URLYar URL Shortner plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'urlyar_shortlink' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-62380 | 2025-10-16 | N/A | N/A | ||
|
mailgen is a Node.js package that generates responsive HTML e-mails for sending transactional mail. Mailgen versions through 2.0.31 contain an HTML injection vulnerability in plaintext emails generated with the generatePlaintext method when user generated content is supplied. The plaintext generation code attempts to strip HTML tags using a regular expression and then decodes HTML entities, but tags that include certain Unicode line separator characters are not matched and removed. These encoded ...
Show More |
|||||
| CVE-2025-52583 | 2025-10-16 | N/A | 6.1 MEDIUM | ||
|
Reflected cross-site scripting (XSS) vulnerability in desknet's Web Server allows execution of arbitrary JavaScript in a user’s web browser.
|
|||||
| CVE-2025-10367 | 1 Sourcefabric | 1 Rpi-jukebox-rfid | 2025-10-16 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability has been found in MiczFlor RPi-Jukebox-RFID up to 2.8.0. Affected by this vulnerability is an unknown functionality of the file /htdocs/cardEdit.php. Such manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-60304 | 1 Fabian | 1 Simple Scheduling System | 2025-10-16 | N/A | 6.1 MEDIUM |
|
code-projects Simple Scheduling System 1.0 is vulnerable to Cross Site Scripting (XSS) via the Subject Description field.
|
|||||
| CVE-2025-10368 | 1 Sourcefabric | 1 Rpi-jukebox-rfid | 2025-10-16 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was found in MiczFlor RPi-Jukebox-RFID up to 2.8.0. Affected by this issue is some unknown functionality of the file /htdocs/manageFilesFolders.php. Performing manipulation results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-10369 | 1 Sourcefabric | 1 Rpi-jukebox-rfid | 2025-10-16 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was determined in MiczFlor RPi-Jukebox-RFID up to 2.8.0. This affects an unknown part of the file /htdocs/cardRegisterNew.php. Executing manipulation can lead to cross site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-40772 | 1 Siemens | 1 Sipass Integrated | 2025-10-16 | N/A | 7.4 HIGH |
|
A vulnerability has been identified in SiPass integrated (All versions < V3.0). Affected server applications are vulnerable to stored Cross-Site Scripting (XSS), allowing an attacker to inject malicious code that can be executed by other users when they visit the affected page.
Successful exploitation allows an attacker to impersonate other users within the application and steal their session data. This could enable unauthorized access to accounts and potentially lead to privilege escalation.
|
|||||
| CVE-2024-13902 | 1 Huang-yk | 1 Student-manage | 2025-10-15 | 3.3 LOW | 2.4 LOW |
|
A vulnerability, which was classified as problematic, was found in huang-yk student-manage 1.0. This affects an unknown part of the component Edit a Student Information Page. The manipulation of the argument Class leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-13213 | 1 Singmr | 1 Houserent | 2025-10-15 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability classified as problematic was found in SingMR HouseRent 1.0. This vulnerability affects unknown code of the file /toAdminUpdateHousePage?hID=30. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-56515 | 1 Suisuijiang | 1 Fiora | 2025-10-15 | N/A | 8.8 HIGH |
|
File upload vulnerability in Fiora chat application 1.0.0 through user avatar upload functionality. The application fails to validate SVG file content, allowing malicious SVG files with embedded foreignObject elements containing iframe tags and JavaScript event handlers (onmouseover) to be uploaded and stored. When rendered, these SVG files execute arbitrary JavaScript, enabling attackers to steal user sessions, cookies, and perform unauthorized actions in the context of users viewing affected p ...
Show More |
|||||
| CVE-2025-56243 | 1 Puneethreddyhc | 1 Event Management System | 2025-10-15 | N/A | 6.1 MEDIUM |
|
A Cross-Site Scripting (XSS) vulnerability was found in the register.php page of PuneethReddyHC Event Management System 1.0, where the event_id GET parameter is improperly handled. An attacker can craft a malicious URL to execute arbitrary JavaScript in the victim s browser by injecting code into this parameter.
|
|||||
| CVE-2025-56382 | 1 Lion-coders | 1 Salepro Pos | 2025-10-15 | N/A | 6.1 MEDIUM |
|
A stored Cross-site scripting (XSS) vulnerability exists in the Customer Management Module of LionCoders SalePro POS 5.4.8. An authenticated attacker can inject arbitrary web script or HTML via the 'Customer Name' parameter when creating or editing customer profiles. This malicious input is improperly sanitized before storage and subsequent rendering, leading to script execution in the browsers of users who view the affected customer details.
|
|||||
| CVE-2025-46545 | 1 Sherparpa | 1 Sherpa Orchestrator | 2025-10-15 | N/A | 4.4 MEDIUM |
|
In Sherpa Orchestrator 141851, the functionality for adding or updating licenses allows for stored XSS attacks by an administrator through the name parameter. The XSS payload can execute when the license expires.
|
|||||
| CVE-2024-1146 | 1 Alma | 1 Alma Blog | 2025-10-15 | N/A | 5.8 MEDIUM |
|
Cross-Site Scripting vulnerability in Devklan's Alma Blog that affects versions 2.1.10 and earlier. This vulnerability could allow an attacker to store a malicious JavaScript payload within the application by adding the payload to 'Community Description' or 'Community Rules'.
|
|||||
| CVE-2024-2726 | 1 Atisoluciones | 1 Ciges | 2025-10-15 | N/A | 6.1 MEDIUM |
|
Stored Cross-Site Scripting (Stored-XSS) vulnerability affecting the CIGESv2 system, allowing an attacker to execute and store malicious javascript code in the application form without prior registration.
|
|||||
| CVE-2024-2727 | 1 Atisoluciones | 1 Ciges | 2025-10-15 | N/A | 6.1 MEDIUM |
|
HTML injection vulnerability affecting the CIGESv2 system, which allows an attacker to inject arbitrary code and modify elements of the website and email confirmation message.
|
|||||
| CVE-2025-2868 | 1 Oretnom23 | 1 Clinic Queuing System | 2025-10-15 | N/A | 6.1 MEDIUM |
|
Reflected Cross-Site Scripting (XSS) vulnerability in version 1.0 of the Clinic Queuing System. This vulnerability could allow an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the page parameter in /index.php.
|
|||||
| CVE-2025-2869 | 1 Oretnom23 | 1 Clinic Queuing System | 2025-10-15 | N/A | 6.1 MEDIUM |
|
Reflected Cross-Site Scripting (XSS) vulnerability in version 1.0 of the Clinic Queuing System. This vulnerability could allow an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the id parameter in /manage_user.php.
|
|||||
| CVE-2025-2870 | 1 Oretnom23 | 1 Clinic Queuing System | 2025-10-15 | N/A | 6.1 MEDIUM |
|
Reflected Cross-Site Scripting (XSS) vulnerability in version 1.0 of the Clinic Queuing System. This vulnerability could allow an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the page parameter in /patient_side.php.
|
|||||
| CVE-2025-1082 | 1 Mindskip | 1 Xzs-mysql | 2025-10-15 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability classified as problematic has been found in Mindskip xzs-mysql 学之思开源考试系统 3.9.0. Affected is an unknown function of the file /api/admin/question/edit of the component Exam Edit Handler. The manipulation of the argument title/content leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2024-3665 | 1 Rankmath | 1 Seo | 2025-10-15 | N/A | 6.4 MEDIUM |
|
The Rank Math SEO with AI SEO Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's HowTo and FAQ widgets in all versions up to, and including, 1.0.216 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-4336 | 1 Adive | 1 Framework | 2025-10-15 | N/A | 7.6 HIGH |
|
Adive Framework 2.0.8, does not sufficiently encode user-controlled inputs, resulting in a persistent Cross-Site Scripting (XSS) vulnerability via the /adive/admin/tables/add, in multiple parameters. An attacker could retrieve the session details of an authenticated user.
|
|||||