Total: 42233 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-10196 | | | 2025-10-02 | N/A | 6.4 MEDIUM | The Survey Anyplace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'surveyanyplace_embed' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-8777 | | | 2025-10-02 | N/A | 6.4 MEDIUM | The planetcalc plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'language' parameter in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-10130 | | | 2025-10-02 | N/A | 6.4 MEDIUM | The Layers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'webcam' shortcode in all versions up to, and including, 0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-9852 | | | 2025-10-02 | N/A | 6.4 MEDIUM | The Yoga Schedule Momoyoga plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'momoyoga-schedule' shortcode in all versions up to, and including, 2.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-54476 | | | 2025-10-02 | N/A | N/A | Improper handling of input could lead to an XSS vector in the checkAttribute method of the input filter framework class. |
| CVE-2025-9075 | | | 2025-10-02 | N/A | 6.4 MEDIUM | The ZoloBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple Gutenberg blocks in versions up to, and including, 2.3.10. This is due to insufficient input sanitization and output escaping on user-supplied attributes within multiple block components including Google Maps markers, Lightbox captions, Image Gallery data attributes, Progress Pie prefix/suffix fields, and Text Path URL fields. This makes it possible for authenticated attackers, with contributor-level ac ... |
| CVE-2025-40648 | | | 2025-10-02 | N/A | N/A | Stored Cross-Site Scripting (XSS) vulnerability in Issabel v5.0.0, consisting of a stored XSS due to a lack of proper validation of user input, through the 'numero_conferencia' parameter in '/index.php?menu=conferencia'. |
| CVE-2025-40647 | | | 2025-10-02 | N/A | N/A | Stored Cross-Site Scripting (XSS) vulnerability in Issabel v5.0.0, consisting of a stored XSS due to a lack of proper validation of user input, through the 'email' parameter in '/index.php?menu=address_book'. |
| CVE-2025-20361 | | | 2025-10-02 | N/A | 4.8 MEDIUM | A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting mali ... |
| CVE-2025-60991 | | | 2025-10-02 | N/A | 8.8 HIGH | A reflected cross-site scripting (XSS) vulnerability in Codazon Magento Themes v1.1.0.0 to v2.4.7 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the cat parameter. |
| CVE-2024-57494 | | | 2025-10-02 | N/A | 6.5 MEDIUM | Cross Site Scripting vulnerability in Neto E-Commerce CMS v.6.313.0 through v.6.3115 allows a remote attacker to escalate privileges via the kw parameter. |
| CVE-2025-34182 | | | 2025-10-02 | N/A | N/A | In Deciso OPNsense before 25.7.4, when creating an "Interfaces: Devices: Point-to-Point" entry, the value of the parameter ptpid is not sanitized of HTML-related characters/strings. This value is directly displayed when visiting the page /interfaces_assign.php, which can result in stored cross-site scripting. The attacker must be authenticated with at least the "Interfaces: PPPs: Edit" permission. This vulnerability has been addressed by the vendor in the product release notes as "ui: legacy_html_esc ... |
| CVE-2025-57393 | | | 2025-10-02 | N/A | 8.8 HIGH | A stored cross-site scripting (XSS) in Kissflow Work Platform Kissflow Application Versions 7337 Account v2.0 to v4.2 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload. |
| CVE-2025-40992 | | | 2025-10-02 | N/A | N/A | Stored XSS vulnerability in Creativeitem Sociopro due to lack of proper validation of user inputs via the endpoint '/sociopro/profile/update_profile', affecting the 'name' parameter via POST. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their session cookie. |
| CVE-2025-57444 | | | 2025-10-02 | N/A | 6.1 MEDIUM | An authenticated cross-site scripting (XSS) vulnerability in the Administrative interface of Radware AlteonOS Web UI Management v33.0.4.50 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Description parameter. |
| CVE-2025-43484 | Hp | Poly Clariti Manager | 2025-10-02 | N/A | 6.1 MEDIUM | A potential reflected cross-site scripting vulnerability has been identified in the Poly Clariti Manager for versions prior to 10.12.1. The website does not validate or sanitize the user input before rendering it in the response. HP has addressed the issue in the latest software update. |
| CVE-2025-43486 | Hp | Poly Clariti Manager | 2025-10-02 | N/A | 4.8 MEDIUM | A potential stored cross-site scripting vulnerability has been identified in the Poly Clariti Manager for versions prior to 10.12.1. The website allows user input to be stored and rendered without proper sanitization. HP has addressed the issue in the latest software update. |
| CVE-2025-43488 | Hp | Poly Clariti Manager | 2025-10-02 | N/A | 4.8 MEDIUM | A potential security vulnerability has been identified in the Poly Clariti Manager for versions prior to 10.12.2. The vulnerability could allow a bypass of the application's XSS filter by submitting untrusted characters. HP has addressed the issue in the latest software update. |
| CVE-2024-41911 | Hp | Poly Clariti Manager | 2025-10-02 | N/A | 5.4 MEDIUM | A vulnerability was discovered in the firmware builds up to 10.10.2.2 in Poly Clariti Manager devices. The flaw does not properly neutralize input during web page generation. |
| CVE-2024-41910 | Hp | Poly Clariti Manager | 2025-10-02 | N/A | 6.1 MEDIUM | A vulnerability was discovered in the firmware builds up to 10.10.2.2 in Poly Clariti Manager devices. The firmware contained multiple XSS vulnerabilities in the version of JavaScript used. |
| CVE-2024-55218 | Icewarp | Icewarp | 2025-10-02 | N/A | 6.1 MEDIUM | IceWarp Server 10.2.1 is vulnerable to Cross Site Scripting (XSS) via the meta parameter. |
| CVE-2025-2974 | Perfexcrm | Perfex Crm | 2025-10-02 | 4.0 MEDIUM | 3.5 LOW | A vulnerability has been found in CodeCanyon Perfex CRM up to 3.2.1 and classified as problematic. This vulnerability affects unknown code of the file /contract of the component Contracts. The manipulation of the argument content leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-3219 | Perfexcrm | Perfex Crm | 2025-10-02 | 4.0 MEDIUM | 3.5 LOW | A vulnerability was found in CodeCanyon Perfex CRM 3.2.1. It has been classified as problematic. Affected is an unknown function of the file /perfex/clients/project/2 of the component Project Discussions Module. The manipulation of the argument description leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-49557 | Adobe | Commerce, Commerce B2b, Magento | 2025-10-02 | N/A | 8.7 HIGH | Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be exploited by a low-privileged attacker to inject malicious scripts into vulnerable form fields. A successful attacker can abuse this to achieve session takeover, raising the confidentiality and integrity impact to high. Exploitation of this issue requires user interaction in that a victim must browse to the page c ... |
| CVE-2025-52559 | Zulip | Zulip Server | 2025-10-02 | N/A | 6.8 MEDIUM | Zulip is an open-source team chat application. From versions 2.0.0-rc1 to before 10.4 in Zulip Server, the /digest/ URL of a server shows a preview of what the email weekly digest would contain. This URL, though not the digest itself, contains a cross-site scripting (XSS) vulnerability in both topic names and channel names. This issue has been fixed in Zulip Server 10.4. A workaround for this issue involves denying access to /digest/. |
| CVE-2024-20443 | Cisco | Identity Services Engine | 2025-10-02 | N/A | 5.4 MEDIUM | A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to conduct an XSS attack against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code ... |
| CVE-2023-5578 | Portabilis | I-educar | 2025-10-02 | 4.0 MEDIUM | 3.5 LOW | A vulnerability was found in Portábilis i-Educar up to 2.7.5. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file \intranet\agenda_imprimir.php of the component HTTP GET Request Handler. The manipulation of the argument cod_agenda with the input ");'> <script>alert(document.cookie)</script> leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identif ... |
| CVE-2024-2868 | Hasthemes | Shoplentor | 2025-10-02 | N/A | 6.4 MEDIUM | The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the slitems parameter in the WL Special Day Offer Widget in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or above, to inject arbitrary web scripts in pages that will execute whenev ... |
| CVE-2025-22598 | Wegia | Wegia | 2025-10-02 | N/A | 8.3 HIGH | WeGIA is a web manager for charitable institutions. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the cadastrarSocio.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the local_recepcao parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. This vulnerability is fixed in 3.2.8. |
| CVE-2025-22597 | Wegia | Wegia | 2025-10-02 | N/A | 8.3 HIGH | WeGIA is a web manager for charitable institutions. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the CobrancaController.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the local_recepcao parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. This vulnerability is fixed in 3.2.8. |
| CVE-2025-51531 | Sagedpw | Sage Dpw | 2025-10-01 | N/A | 6.1 MEDIUM | A reflected cross-site scripting (XSS) vulnerability in Sage DPW 2024_12_004 and earlier allows attackers to execute arbitrary JavaScript in the context of a victim's browser via injecting a crafted payload into the tabfields parameter at /dpw/scripts/cgiip.exe/WService. The vendor has stated that the issue is fixed in 2025_06_000, released in June 2025. |
| CVE-2024-48536 | Esoftplanner | Esoft Planner | 2025-10-01 | N/A | 7.5 HIGH | Incorrect access control in eSoft Planner 3.24.08271-USA allows attackers to view all transactions performed by the company via supplying a crafted web request. |
| CVE-2024-56882 | Sagedpw | Sage Dpw | 2025-10-01 | N/A | 5.4 MEDIUM | Sage DPW before 2024_12_000 is vulnerable to Cross Site Scripting (XSS). Low-privileged Sage users with employee role privileges can permanently store JavaScript code in the Kurstitel and Kurzinfo input fields. The injected payload is executed for each authenticated user who views and interacts with the modified data elements. |
| CVE-2024-51875 | Mdc Youtube Downloader Project | Mdc Youtube Downloader | 2025-10-01 | N/A | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nazmul Ahsan MDC YouTube Downloader allows DOM-based XSS. This issue affects MDC YouTube Downloader: from n/a through 3.0.0. |
| CVE-2024-48531 | Esoftplanner | Esoft Planner | 2025-10-01 | N/A | 5.4 MEDIUM | A reflected cross-site scripting (XSS) vulnerability on the Rental Availability module of eSoft Planner 3.24.08271-USA allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload. |
| CVE-2024-48534 | Esoftplanner | Esoft Planner | 2025-10-01 | N/A | 5.4 MEDIUM | A reflected cross-site scripting (XSS) vulnerability on the Camp Details module of eSoft Planner 3.24.08271-USA allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload. |
| CVE-2024-48535 | Esoftplanner | Esoft Planner | 2025-10-01 | N/A | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability in eSoft Planner 3.24.08271-USA allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter. |
| CVE-2025-5713 | Isolucoesweb | Solucoescoop | 2025-10-01 | 4.0 MEDIUM | 3.5 LOW | A vulnerability was found in SoluçõesCoop iSoluçõesWEB up to 20250519 and classified as problematic. Affected by this issue is some unknown functionality of the file /fluxos-dashboard of the component Flow Handler. The manipulation of the argument "Descrição da solicitação" leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. |
| CVE-2024-41502 | Jetimob | Imobiliaria | 2025-10-01 | N/A | 6.1 MEDIUM | Jetimob Plataforma Imobiliaria 20240627-0 is vulnerable to Cross Site Scripting (XSS) via the form field "Observações" (remarks) in the "Pessoas" (persons) section when creating or editing either a legal or a natural person. |
| CVE-2024-41503 | Jetimob | Imobiliaria | 2025-10-01 | N/A | 6.1 MEDIUM | Jetimob Plataforma Imobiliaria 20240627-0 is vulnerable to Cross Site Scripting (XSS) in the field "Título" (title) inside the filter Save option in the "Busca" (search) function. |
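Several WordPress entries in this list (Survey Anyplace, Layers, Momoyoga, ShopLentor, and the ZoloBlocks block attributes) describe one defect: attribute values that a Contributor can type into post content are merged by the shortcode or block handler and written into markup without output escaping. The handler below is an added illustration of that pattern, vulnerable form beside hardened form; it is not code from any plugin named on this page, and the shortcode name `demo_embed`, its attributes and the sample payload in the comments are hypothetical.

```php
<?php
/**
 * Added example (not from any plugin listed above): the Contributor-level
 * stored XSS pattern behind the WordPress shortcode entries, as a vulnerable
 * handler next to a hardened one. 'demo_embed' and its attributes are made up.
 *
 * Why Contributor access is enough: Contributors lack unfiltered_html, so the
 * post content they save is run through wp_kses, but kses only filters HTML
 * tags and attributes. Text inside [shortcode ...] brackets is not a tag, so
 * attribute values reach the handler untouched, and whatever the handler
 * returns is rendered in the browser of every editor or admin who previews
 * or views the post.
 */

function demo_embed_defaults() {
    return array(
        'url'   => '',
        'title' => '',
        'width' => '100%',
    );
}

// VULNERABLE: shortcode_atts() only merges defaults; it does not sanitize.
// Hypothetical Contributor payload:
//   [demo_embed url="javascript:alert(1)" title='x" onmouseover="alert(document.cookie)']
// Shortcode parsing accepts single-quoted values, so the double quote inside
// the title survives and closes the title="" attribute in the output.
function demo_embed_vulnerable( $atts ) {
    $atts = shortcode_atts( demo_embed_defaults(), $atts, 'demo_embed' );

    // Raw interpolation: attribute injection through title, javascript: URL through src.
    return '<iframe src="' . $atts['url'] . '" title="' . $atts['title']
         . '" width="' . $atts['width'] . '"></iframe>';
}

// HARDENED: validate on the way in, then escape for the exact output context.
function demo_embed_hardened( $atts ) {
    $atts = shortcode_atts( demo_embed_defaults(), $atts, 'demo_embed' );

    // esc_url() returns '' for any scheme outside wp_allowed_protocols(),
    // so javascript: and data: URLs never reach the src attribute.
    $url = esc_url( $atts['url'] );
    if ( '' === $url ) {
        return ''; // nothing safe to embed; emit no iframe at all
    }

    // Width has a tiny grammar: digits with an optional % or px, else the default.
    $width = preg_match( '/^\d{1,4}(%|px)?$/', $atts['width'] ) ? $atts['width'] : '100%';

    // esc_attr() encodes the quote characters that would close the attribute,
    // so the title cannot grow an onmouseover= of its own.
    return sprintf(
        '<iframe src="%s" title="%s" width="%s"></iframe>',
        $url,
        esc_attr( $atts['title'] ),
        esc_attr( $width )
    );
}

add_shortcode( 'demo_embed', 'demo_embed_hardened' );
```

When reviewing a plugin for this class, the quickest check is to find every shortcode handler and block render callback that concatenates `$atts[...]` or block attributes into markup and confirm each value passes through the escaper matching its context (`esc_attr()` inside attributes, `esc_url()` for href/src, `esc_html()` for text nodes); `shortcode_atts()` and `sanitize_text_field()` on their own do not make the output safe.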