Total: 42233 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-55420 | 1 Foxcms | 1 Foxcms | 2025-09-09 | N/A | 8.8 HIGH | A reflected cross-site scripting (XSS) vulnerability was found in /index.php in FoxCMS v1.2.6. When a crafted script is sent via a GET request, it is reflected unsanitized into the HTML response. This permits execution of arbitrary JavaScript code when a logged-in user submits the malicious input. |
| CVE-2025-9717 | 1 Zoneland | 1 O2oa | 2025-09-09 | 4.0 MEDIUM | 3.5 LOW | A vulnerability was identified in O2OA up to 10.0-410. Affected by this issue is some unknown functionality of the file /x_organization_assemble_control/jaxrs/unit/ of the component Personal Profile Page. Manipulation of the argument name/shortName/distinguishedName/pinyin/pinyinInitial/levelName leads to cross-site scripting. The attack may be launched remotely. The exploit is publicly available and might be used. |
| CVE-2025-9718 | 1 Zoneland | 1 O2oa | 2025-09-09 | 4.0 MEDIUM | 3.5 LOW | A security flaw has been discovered in O2OA up to 10.0-410. This affects an unknown part of the file /x_processplatform_assemble_designer/jaxrs/process of the component Personal Profile Page. Manipulation of the argument name/alias results in cross-site scripting. Remote exploitation is possible. The exploit has been released to the public and may be exploited. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the n ... |
| CVE-2025-9719 | 1 Zoneland | 1 O2oa | 2025-09-09 | 4.0 MEDIUM | 3.5 LOW | A weakness has been identified in O2OA up to 10.0-410. This vulnerability affects unknown code of the file /x_processplatform_assemble_designer/jaxrs/script of the component Personal Profile Page. Manipulation of the argument name/alias/description/applicationName can lead to cross-site scripting. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. |
| CVE-2025-52217 | 1 Selectzero | 1 Selectzero | 2025-09-09 | N/A | 5.4 MEDIUM | SelectZero Data Observability Platform before 2025.5.2 is vulnerable to HTML injection. Legacy UI fields improperly handle user-supplied input, allowing injection of arbitrary HTML. |
| CVE-2025-56432 | 1 Nagios | 1 Nagios Xi | 2025-09-09 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability exists in Nagios XI 2024R2. The vulnerability allows remote attackers to execute arbitrary JavaScript in the context of a logged-in user's session via a specially crafted URL. The issue resides in a web component responsible for rendering performance-related data. |
| CVE-2025-52184 | 1 Helpy.io | 1 Helpy | 2025-09-09 | N/A | 6.1 MEDIUM | Cross-site scripting vulnerability in Helpy.io v.2.8.0 allows a remote attacker to escalate privileges via the New Topic Ticket function. |
| CVE-2025-50976 | 1 Ipfire | 1 Ipfire | 2025-09-09 | N/A | 6.1 MEDIUM | The IPFire 2.29 DNS management interface (dns.cgi) fails to properly sanitize user-supplied input in the NAMESERVER, REMARK, and TLS_HOSTNAME query parameters, resulting in a reflected cross-site scripting (XSS) vulnerability. |
| CVE-2025-50975 | 1 Ipfire | 1 Ipfire | 2025-09-09 | N/A | 5.4 MEDIUM | The IPFire 2.29 web-based firewall interface (firewall.cgi) fails to sanitize several rule parameters such as PROT, SRC_PORT, TGT_PORT, dnatport, key, ruleremark, src_addr, std_net_tgt, and tgt_addr, allowing an authenticated administrator to inject persistent JavaScript. This stored XSS payload is executed whenever another admin views the firewall rules page, enabling session hijacking, unauthorized actions within the interface, or further internal pivoting. Exploitation requires only high-privileg ... |
| CVE-2025-50985 | 1 Diskoverdata | 1 Diskover | 2025-09-09 | N/A | 5.6 MEDIUM | diskover-web v2.3.0 Community Edition is vulnerable to multiple reflected cross-site scripting (XSS) flaws in its web interface. Unsanitized GET parameters including maxage, maxindex, index, path, q (query), and doctype are directly echoed into the HTML response, allowing attackers to inject and execute arbitrary JavaScript when a victim visits a maliciously crafted URL. |
| CVE-2025-50986 | 1 Diskoverdata | 1 Diskover | 2025-09-09 | N/A | 5.6 MEDIUM | diskover-web v2.3.0 Community Edition suffers from multiple stored cross-site scripting (XSS) vulnerabilities in its administrative settings interface. Various configuration fields such as ES_HOST, ES_INDEXREFRESH, ES_PORT, ES_SCROLLSIZE, ES_TRANSLOGSIZE, ES_TRANSLOGSYNCINT, EXCLUDES_FILES, FILE_TYPES[], INCLUDES_DIRS, INCLUDES_FILES, and TIMEZONE do not properly sanitize user-supplied input. Malicious payloads submitted via these parameters are persisted in the application and executed whenever ... |
| CVE-2025-50978 | 1 Gitblit | 1 Gitblit | 2025-09-09 | N/A | 6.1 MEDIUM | In Gitblit v1.7.1, a reflected cross-site scripting (XSS) vulnerability exists in the way repository path names are handled. By injecting a specially crafted path payload, an attacker can cause arbitrary JavaScript to execute when a victim views the manipulated URL. This flaw stems from insufficient input sanitization of filename elements. |
| CVE-2025-30875 | | | 2025-09-09 | N/A | 5.9 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alexandre Froger WP Weixin allows stored XSS. This issue affects WP Weixin: from n/a through 1.3.16. |
| CVE-2025-50977 | 1 Gitblit | 1 Gitblit | 2025-09-09 | N/A | 6.1 MEDIUM | A template injection vulnerability leading to reflected cross-site scripting (XSS) has been identified in version 1.7.1, requiring authenticated admin access for exploitation. The vulnerability exists in the 'r' parameter and allows attackers to inject malicious Angular expressions that execute JavaScript code in the context of the application. The flaw can be exploited through GET requests to the summary endpoint as well as POST requests to specific Wicket interface endpoints, though the GET me ... |
| CVE-2025-51967 | 1 Oranbyte | 1 School Management System | 2025-09-09 | N/A | 6.1 MEDIUM | A reflected cross-site scripting (XSS) vulnerability exists in the themeSet.php file of ProjectsAndPrograms School Management System 1.0. The application fails to sanitize user-supplied input in the theme POST parameter, allowing an attacker to inject and execute arbitrary JavaScript in a victim's browser. |
| CVE-2025-56236 | 1 Formcms | 1 Formcms | 2025-09-09 | N/A | 6.1 MEDIUM | FormCms v0.5.5 contains a stored cross-site scripting (XSS) vulnerability in the avatar upload feature. Authenticated users can upload .html files containing malicious JavaScript, which are accessible via a public URL. When a privileged user accesses the file, the script executes in their browser context. |
| CVE-2025-56761 | 1 Usememos | 1 Memos | 2025-09-09 | N/A | 5.4 MEDIUM | Memos 0.22 is vulnerable to stored cross-site scripting (XSS) via the upload attachment and user avatar features. Memos does not verify the content type of the uploaded data and serves it back as is. An authenticated attacker can use this to elevate their privileges when the stored XSS is viewed by an admin. |
| CVE-2025-20280 | 1 Cisco | 2 Evolved Programmable Network Manager, Prime Infrastructure | 2025-09-09 | N/A | 4.8 MEDIUM | A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against users of the interface of an affected system. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by inserting malicious code into specific d ... |
| CVE-2025-10065 | 1 Facebook-kimmymatillano | 1 Point Of Sale System | 2025-09-09 | 5.0 MEDIUM | 4.3 MEDIUM | A weakness has been identified in itsourcecode POS Point of Sale System 1.0. Impacted is an unknown function of the file /inventory/main/vendors/datatables/unit_testing/templates/dom_data_th.php. Manipulation of the argument scripts causes cross-site scripting. The attack can be carried out remotely. The exploit has been made available to the public and could be exploited. |
| CVE-2025-10066 | 1 Facebook-kimmymatillano | 1 Point Of Sale System | 2025-09-09 | 5.0 MEDIUM | 4.3 MEDIUM | A security vulnerability has been detected in itsourcecode POS Point of Sale System 1.0. The affected element is an unknown function of the file /inventory/main/vendors/datatables/unit_testing/templates/dymanic_table.php. Manipulation of the argument scripts leads to cross-site scripting. The attack may be performed remotely. The exploit has been disclosed publicly and may be used. |
| CVE-2025-10067 | 1 Facebook-kimmymatillano | 1 Point Of Sale System | 2025-09-09 | 5.0 MEDIUM | 4.3 MEDIUM | A vulnerability was detected in itsourcecode POS Point of Sale System 1.0. The impacted element is an unknown function of the file /inventory/main/vendors/datatables/unit_testing/templates/empty_table.php. Manipulation of the argument scripts results in cross-site scripting. It is possible to initiate the attack remotely. The exploit is now public and may be used. |
| CVE-2025-42938 | | | 2025-09-09 | N/A | 6.1 MEDIUM | Due to a cross-site scripting (XSS) vulnerability in the SAP NetWeaver ABAP Platform, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated user clicks on this link, the injected input is processed during the website's page generation, resulting in the creation of malicious content. When executed, this content allows the attacker to access or modify information within the victim's browser scope, impacting the confidentiality and integrit ... |
| CVE-2025-9058 | | | 2025-09-09 | N/A | 6.4 MEDIUM | The Mikado Core plugin for WordPress is vulnerable to stored cross-site scripting via shortcodes in versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-9061 | | | 2025-09-09 | N/A | 6.4 MEDIUM | The Wilmer Core plugin for WordPress is vulnerable to stored cross-site scripting via shortcodes in versions up to, and including, 2.4.5 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-58746 | | | 2025-09-09 | N/A | 9.0 CRITICAL | The Volkov Labs Business Links panel for Grafana provides an interface to navigate using external links, internal dashboards, time pickers, and dropdown menus. Prior to version 2.4.0, a malicious actor with Editor privileges can escalate their privileges to Administrator and perform arbitrary administrative actions. This is possible because the plugin allows arbitrary JavaScript code injection in the [Layout] → [Link] → [URL] field. Version 2.4.0 contains a fix for the issue. |
| CVE-2025-55944 | 1 Slinkapp | 1 Slink | 2025-09-09 | N/A | 6.1 MEDIUM | Slink v1.4.9 allows stored cross-site scripting (XSS) via crafted SVG uploads. When a user views the shared image in a new browser tab, the embedded JavaScript executes. The issue affects both authenticated and unauthenticated users. |
| CVE-2025-10075 | 1 Razormist | 1 Online Polling System | 2025-09-09 | 4.0 MEDIUM | 3.5 LOW | A security flaw has been discovered in SourceCodester Online Polling System 1.0. The impacted element is an unknown function of the file /manage-profile.php. Manipulation of the argument firstname results in cross-site scripting. The attack can be launched remotely. The exploit has been released to the public and may be exploited. |
| CVE-2025-10074 | 1 Portabilis | 1 I-educar | 2025-09-09 | 4.0 MEDIUM | 3.5 LOW | A vulnerability was identified in Portabilis i-Educar up to 2.10. The affected element is an unknown function of the file /usuarios/tipos/. Manipulation of the argument Tipos de Usuário/Descrição leads to cross-site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used. |
| CVE-2025-9922 | 1 Campcodes | 1 Sales And Inventory System | 2025-09-09 | 5.0 MEDIUM | 4.3 MEDIUM | A security vulnerability has been detected in Campcodes Sales and Inventory System 1.0. Affected by this vulnerability is an unknown functionality of the file /index.php. Manipulation of the argument page leads to cross-site scripting. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. |
| CVE-2025-9921 | 1 Code-projects | 1 Pos Pharmacy System | 2025-09-09 | 3.3 LOW | 2.4 LOW | A weakness has been identified in code-projects POS Pharmacy System 1.0. Affected is an unknown function of the file /main/products.php. Manipulation of the argument product_code/gen_name/product_name/supplier causes cross-site scripting. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. |
| CVE-2025-55422 | 1 Foxcms | 1 Foxcms | 2025-09-09 | N/A | 8.8 HIGH | In FoxCMS 1.2.6, there is a reflected cross-site scripting (XSS) vulnerability in /index.php/plus. |
| CVE-2025-55618 | 1 Hyundai | 1 Navigation | 2025-09-09 | N/A | 7.3 HIGH | In Hyundai Navigation App STD5W.EUR.HMC.230516.afa908d, an attacker can inject HTML payloads into the profile name field of the navigation app, which are then rendered. |
| CVE-2025-34521 | 1 Arcserve | 1 Udp | 2025-09-09 | N/A | 5.4 MEDIUM | A reflected cross-site scripting (XSS) vulnerability exists in the web interface of Arcserve Unified Data Protection (UDP), where unsanitized user input is improperly reflected in HTTP responses. This flaw allows remote attackers with low privileges to craft malicious links that, when visited by another user, execute arbitrary JavaScript in the victim's browser. Successful exploitation may lead to session hijacking, credential theft, or other client-side impacts. The vulnerability requires u ... |
| CVE-2025-55579 | 1 Solidinvoice | 1 Solidinvoice | 2025-09-09 | N/A | 5.4 MEDIUM | SolidInvoice version 2.3.7 is vulnerable to a stored cross-site scripting (XSS) issue in the Tax Rates functionality. The vulnerability is fixed in version 2.3.8. |
| CVE-2025-55580 | 1 Solidinvoice | 1 Solidinvoice | 2025-09-09 | N/A | 5.4 MEDIUM | SolidInvoice version 2.3.7 is vulnerable to a stored cross-site scripting (XSS) issue in the Clients module. An authenticated attacker can inject JavaScript that executes in other users' browsers when the Clients page is viewed. The vulnerability is fixed in version 2.3.8. |
| CVE-2025-23207 | 1 Katex | 1 Katex | 2025-09-08 | N/A | 6.3 MEDIUM | KaTeX is a fast, easy-to-use JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions with `renderToString` could encounter malicious input using `\htmlData` that runs arbitrary JavaScript, or generate invalid HTML. Users are advised to upgrade to KaTeX v0.16.21 to remove this vulnerability. Users unable to upgrade should avoid use of or turn off the `trust` option, or set it to forbid `\htmlData` commands, forbid inputs containing the subst ... |
| CVE-2025-10088 | 1 Rems | 1 Personal Time Tracker | 2025-09-08 | 4.0 MEDIUM | 3.5 LOW | A vulnerability was detected in SourceCodester Time Tracker 1.0. The affected element is an unknown function of the file /index.html. Manipulation of the argument project-name results in cross-site scripting. The attack may be initiated remotely. The exploit is now public and may be used. |
| CVE-2025-55175 | 1 Opensolution | 1 Quick.cms | 2025-09-08 | N/A | 6.1 MEDIUM | QuickCMS is vulnerable to reflected XSS via the sLangEdit parameter in the admin panel functionality. An attacker can craft a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. The vendor was notified early about this vulnerability but did not respond with details of the vulnerability or the vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. |
| CVE-2025-54544 | 1 Opensolution | 1 Quick.cms | 2025-09-08 | N/A | 4.8 MEDIUM | QuickCMS is vulnerable to stored XSS via the aDirFilesDescriptions parameter in the files editor functionality. An attacker with admin privileges can inject arbitrary HTML and JS into the website, which will be rendered/executed when visiting the edited page. By default, an admin user is not able to add JavaScript to the website. The vendor was notified early about this vulnerability but did not respond with details of the vulnerability or the vulnerable version range. Only version 6.8 was tested and confirme ... |
| CVE-2025-54172 | 1 Opensolution | 1 Quick.cms | 2025-09-08 | N/A | 4.8 MEDIUM | QuickCMS is vulnerable to stored XSS in the sTitle parameter in the page editor functionality. An attacker with admin privileges can inject arbitrary HTML and JS into the website, which will be rendered/executed when visiting the edited page. A regular admin user is not able to inject any JS scripts into the page. The vendor was notified early about this vulnerability but did not respond with details of the vulnerability or the vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, ... |