Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-45960 | 1 Tawk | 1 Tawk.to | 2025-10-14 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting vulnerability in tawk.to Live Chat v.1.6.1 allows a remote attacker to execute arbitrary code via the web application stores and displays user-supplied input without proper input validation or encoding
|
|||||
| CVE-2025-9723 | 1 Portabilis | 1 I-educar | 2025-10-13 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was found in Portabilis i-Educar up to 2.10. This affects an unknown function of the file /intranet/educar_tipo_regime_cad.php. Performing manipulation of the argument nm_tipo results in cross site scripting. The attack can be initiated remotely. The exploit has been made public and could be used.
|
|||||
| CVE-2025-9722 | 1 Portabilis | 1 I-educar | 2025-10-13 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability has been found in Portabilis i-Educar up to 2.10. The impacted element is an unknown function of the file /intranet/educar_tipo_ocorrencia_disciplinar_cad.php. Such manipulation of the argument nm_tipo/descricao leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-9721 | 1 Portabilis | 1 I-educar | 2025-10-13 | 4.0 MEDIUM | 3.5 LOW |
|
A flaw has been found in Portabilis i-Educar up to 2.10. The affected element is an unknown function of the file /module/FormulaMedia/edit. This manipulation of the argument nome/formulaMedia causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been published and may be used.
|
|||||
| CVE-2025-9720 | 1 Portabilis | 1 I-educar | 2025-10-13 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was detected in Portabilis i-Educar up to 2.10. Impacted is an unknown function of the file /module/TabelaArredondamento/edit of the component Cadastrar tabela de arredondamento Page. The manipulation of the argument Nome results in cross site scripting. The attack may be performed from remote. The exploit is now public and may be used.
|
|||||
| CVE-2025-58430 | 1 Nadh | 1 Listmonk | 2025-10-10 | N/A | 6.1 MEDIUM |
|
listmonk is a standalone, self-hosted, newsletter and mailing list manager. In versions up to and including 1.1.0, every http request in addition to the session cookie `session` there included `nonce`. The value is not checked and validated by the backend, removing `nonce` allows the requests to be processed correctly. This may seem harmless, but if chained to other vulnerabilities it can become a critical vulnerability. Cross-site request forgery and cross-site scripting chained together can re ...
Show More |
|||||
| CVE-2025-25191 | 1 Group-office | 1 Group Office | 2025-10-10 | N/A | 5.4 MEDIUM |
|
Group-Office is an enterprise CRM and groupware tool. This Stored XSS vulnerability exists where user input in the Name field is not properly sanitized before being stored. This vulnerability is fixed in 6.8.100.
|
|||||
| CVE-2024-4993 | 1 Ansanwan | 1 Siadmin | 2025-10-10 | N/A | 6.3 MEDIUM |
|
Vulnerability in SiAdmin 1.1 that allows XSS via the /show.php query parameter. This vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and thereby steal their cookie session credentials.
|
|||||
| CVE-2024-5413 | 1 Phpmybackuppro | 1 Phpmybackuppro | 2025-10-10 | N/A | 7.1 HIGH |
|
A vulnerability have been discovered in PhpMyBackupPro affecting version 2.3 that could allow an attacker to execute XSS through /phpmybackuppro/scheduled.php, all parameters. This vulnerabilities could allow an attacker to create a specially crafted URL and send it to a victim to retrieve their session details.
|
|||||
| CVE-2024-5414 | 1 Phpmybackuppro | 1 Phpmybackuppro | 2025-10-10 | N/A | 7.1 HIGH |
|
A vulnerability have been discovered in PhpMyBackupPro affecting version 2.3 that could allow an attacker to execute XSS through /phpmybackuppro/get_file.php, 'view' parameter. This vulnerabilities could allow an attacker to create a specially crafted URL and send it to a victim to retrieve their session details.
|
|||||
| CVE-2024-5415 | 1 Phpmybackuppro | 1 Phpmybackuppro | 2025-10-10 | N/A | 7.1 HIGH |
|
A vulnerability have been discovered in PhpMyBackupPro affecting version 2.3 that could allow an attacker to execute XSS through /phpmybackuppro/backup.php, 'comments' and 'db' parameters. This vulnerabilities could allow an attacker to create a specially crafted URL and send it to a victim to retrieve their session details.
|
|||||
| CVE-2025-45938 | 1 Akeles | 1 Out Of Office Assistant | 2025-10-10 | N/A | 5.4 MEDIUM |
|
Akeles Out of Office Assistant for Jira 4.0.1 is vulberable to Cross Site Scripting (XSS) via the Jira fullName parameter.
|
|||||
| CVE-2025-0400 | 1 Starsea99 | 1 Starsea-mall | 2025-10-10 | 3.3 LOW | 2.4 LOW |
|
A vulnerability was found in StarSea99 starsea-mall 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /admin/categories/update. The manipulation of the argument categoryName leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-2352 | 1 Starsea99 | 1 Starsea-mall | 2025-10-10 | 3.3 LOW | 2.4 LOW |
|
A vulnerability, which was classified as problematic, has been found in StarSea99 starsea-mall 1.0. This issue affects some unknown processing of the file /admin/indexConfigs/save of the component Backend. The manipulation of the argument categoryName leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. ...
Show More |
|||||
| CVE-2025-34172 | 1 Pfsense | 1 Pfsense | 2025-10-10 | N/A | 6.1 MEDIUM |
|
In pfSense CE /usr/local/www/haproxy/haproxy_stats.php, the value of the showsticktablecontent parameter is displayed after being read from HTTP GET requests. This can enable reflected cross-site scripting when the victim is authenticated.
|
|||||
| CVE-2025-34174 | 1 Pfsense | 1 Pfsense | 2025-10-10 | N/A | 5.4 MEDIUM |
|
In pfSense CE /usr/local/www/status_traffic_totals.php, the value of the start-day parameter is not ensured to be a numeric value or sanitized of HTML-related characters/strings before being directly displayed in the input box. This value can be saved as the default value to be displayed to all users when visiting the Status Traffic Totals page, resulting in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Status: Traffic Totals" permissions.
|
|||||
| CVE-2025-34175 | 1 Pfsense | 1 Pfsense | 2025-10-10 | N/A | 6.1 MEDIUM |
|
In pfSense CE /usr/local/www/suricata/suricata_filecheck.php, the value of the filehash parameter is directly displayed without sanitizing for HTML-related characters/strings. This can result in reflected cross-site scripting if the victim is authenticated.
|
|||||
| CVE-2025-34177 | 1 Pfsense | 1 Pfsense | 2025-10-10 | N/A | 5.4 MEDIUM |
|
In pfSense CE /suricata/suricata_flow_stream.php, the value of the policy_name parameter is not sanitized of HTML-related strings/characters before being directly displayed. This can result in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Services: suricata package" permissions.
|
|||||
| CVE-2025-34178 | 1 Pfsense | 1 Pfsense | 2025-10-10 | N/A | 5.4 MEDIUM |
|
In pfSense CE /suricata/suricata_app_parsers.php, the value of the policy_name parameter is not sanitized of HTML-related strings/characters before being directly displayed. This can result in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Services: suricata package" permissions.
|
|||||
| CVE-2025-5879 | 1 72crm | 1 Wukong Crm | 2025-10-10 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability, which was classified as problematic, was found in WuKongOpenSource WukongCRM 9.0. This affects an unknown part of the file AdminSysConfigController.java of the component File Upload. The manipulation of the argument File leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-4495 | 1 Jadmin-java | 1 Jadmin | 2025-10-10 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability has been found in JAdmin-JAVA JAdmin 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /memoAjax/save. The manipulation of the argument ID leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-2536 | 1 Rankmath | 1 Seo | 2025-10-10 | N/A | 6.4 MEDIUM |
|
The Rank Math SEO with AI SEO Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HowTo block attributes in all versions up to, and including, 1.0.214 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-13143 | 1 Zerowdd | 1 Studentmanager | 2025-10-10 | 3.3 LOW | 2.4 LOW |
|
A vulnerability was found in ZeroWdd studentmanager 1.0. It has been rated as problematic. This issue affects the function submitAddPermission of the file src/main/java/com/zero/system/controller/PermissionController. java. The manipulation of the argument url leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
|
|||||
| CVE-2023-34423 | 1 Ays-pro | 1 Survey Maker | 2025-10-10 | N/A | 6.1 MEDIUM |
|
Survey Maker prior to 3.6.4 contains a stored cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is logging in to the website using the product with the administrative privilege.
|
|||||
| CVE-2025-3554 | 1 Phpshe | 1 Phpshe | 2025-10-10 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability was found in phpshe 1.8. It has been rated as problematic. This issue affects some unknown processing of the file api.php?mod=cron&act=buyer. The manipulation of the argument act leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-3560 | 1 Ghostxbh | 1 Uzy-ssm-mall | 2025-10-10 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was found in ghostxbh uzy-ssm-mall 1.0.0 and classified as problematic. This issue affects some unknown processing of the file /product. The manipulation of the argument product_name leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-3591 | 1 Zhenfeng13 | 1 My-blog-layui | 2025-10-10 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was found in ZHENFENG13/code-projects My-Blog-layui 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /admin/v1/blog/edit. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Multiple parameters might be affected. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-3592 | 1 Zhenfeng13 | 1 My-blog-layui | 2025-10-10 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was found in ZHENFENG13/code-projects My-Blog-layui 1.0. It has been classified as problematic. This affects an unknown part of the file /admin/v1/link/edit. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Multiple parameters might be affected. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-11512 | 1 Fabian | 1 Voting System | 2025-10-10 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability was found in code-projects Voting System 1.0. Affected by this issue is some unknown functionality of the file /admin/voters_add.php. The manipulation of the argument Firstname/Lastname/Platform results in cross site scripting. The attack can be executed remotely. The exploit has been made public and could be used.
|
|||||
| CVE-2025-60958 | 1 Endruntechnologies | 2 Sonoma D12, Sonoma D12 Firmware | 2025-10-10 | N/A | 7.3 HIGH |
|
Cross Site Scripting (XSS) vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to gain sensitive information.
|
|||||
| CVE-2025-60961 | 1 Endruntechnologies | 2 Sonoma D12, Sonoma D12 Firmware | 2025-10-10 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting (XSS) vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to gain sensitive information, and possibly other unspecified impacts.
|
|||||
| CVE-2025-2864 | 1 Arteche | 2 Satech Bcu, Satech Bcu Firmware | 2025-10-10 | N/A | 6.1 MEDIUM |
|
SaTECH BCU in its firmware version 2.1.3 allows an attacker to inject malicious code into the legitimate website owning the affected device, once the cookie is set. This attack only impacts the victim's browser (reflected XSS).
|
|||||
| CVE-2025-60445 | 1 Xunruicms | 1 Xunruicms | 2025-10-10 | N/A | 6.1 MEDIUM |
|
A stored Cross-Site Scripting (XSS) vulnerability has been discovered in XunRuiCMS version 4.7.1. The vulnerability exists due to insufficient validation of SVG file uploads in the dayrui/Fcms/Library/Upload.php component, allowing attackers to inject malicious JavaScript code that executes when the uploaded file is viewed.
|
|||||
| CVE-2025-2865 | 1 Arteche | 2 Satech Bcu, Satech Bcu Firmware | 2025-10-10 | N/A | 6.1 MEDIUM |
|
SaTECH BCU, in its firmware version 2.1.3, could allow XSS attacks and other malicious resources to be stored on the web server. An attacker with some knowledge of the web application could send a malicious request to the victim users. Through this request, the victims would interpret the code (resources) stored on another malicious website owned by the attacker.
|
|||||
| CVE-2025-60298 | 1 Xxyopen | 1 Novel-plus | 2025-10-10 | N/A | 5.4 MEDIUM |
|
Novel-Plus up to 5.2.4 was discovered to contain a Stored Cross-Site Scripting (XSS) vulnerability via the /author/updateIndexName endpoint. This vulnerability allows authenticated attackers to inject malicious JavaScript code through the indexName parameter, which gets stored in the database and executed when other users view the affected book chapter.
|
|||||
| CVE-2025-60299 | 1 Xxyopen | 1 Novel-plus | 2025-10-10 | N/A | 5.4 MEDIUM |
|
Novel-Plus with 5.2.0 was discovered to contain a Stored Cross-Site Scripting (XSS) vulnerability via the /book/addCommentReply endpoint. An authenticated user can inject malicious JavaScript through the replyContent parameter when replying to a book comment. The payload is stored in the database and is executed in other users’ browsers when they view the affected comment thread.
|
|||||
| CVE-2025-60314 | 1 Configuroweb | 1 Simple Web Inventory System | 2025-10-10 | N/A | 5.4 MEDIUM |
|
Configuroweb Sistema Web de Inventario 1.0 is vulnerable to a Stored Cross-Site Scripting (XSS) due to the lack of input sanitization on the product name parameter (Nombre:Producto) allowing an authenticated attacker to inject malicious payloads and execute arbitrary JavaScript.
|
|||||
| CVE-2025-60312 | 1 Rems | 1 Markdown To Html Converter | 2025-10-10 | N/A | 6.1 MEDIUM |
|
Sourcecodester Markdown to HTML Converter v1.0 is vulnerable to a Cross-Site Scripting (XSS) in the "Markdown Input" field, allowing a remote attacker to inject arbitrary HTML/JavaScript code that executes in the victim's browser upon clicking the "Convert to HTML" button.
|
|||||
| CVE-2025-60967 | 1 Endruntechnologies | 2 Sonoma D12, Sonoma D12 Firmware | 2025-10-10 | N/A | 7.3 HIGH |
|
Cross Site Scripting (XSS) vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0076-000 Ver 4.00 allows attackers to gain sensitive information.
|
|||||
| CVE-2024-40626 | 1 Getoutline | 1 Outline | 2025-10-10 | N/A | 7.3 HIGH |
|
Outline is an open source, collaborative document editor. A type confusion issue was found in ProseMirror’s rendering process that leads to a Stored Cross-Site Scripting (XSS) vulnerability in Outline. An authenticated user can create a document containing a malicious JavaScript payload. When other users view this document, the malicious Javascript can execute in the origin of Outline. Outline includes CSP rules to prevent third-party code execution, however in the case of self-hosting and havin ...
Show More |
|||||