Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-55209 | 2025-09-05 | N/A | N/A | ||
|
contactmanager is a module for FreePBX@, which is an open source GUI that controls and manages Asterisk© (PBX). In versions 15.0.14 and below, 16.0.0 through 16.0.26.4 and 17.0.0 through 17.0.5, a stored cross-site scripting (XSS) vulnerability in FreePBX allows a low-privileged User Control Panel (UCP) user to inject malicious JavaScript into the system. The malicious code executes in the context of an administrator when they interact with the affected component, leading to session hijacking a ...
Show More |
|||||
| CVE-2025-58821 | 2025-09-05 | N/A | 5.9 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdever WP Notification Bell allows Stored XSS. This issue affects WP Notification Bell: from n/a through 1.4.5.
|
|||||
| CVE-2025-58870 | 2025-09-05 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DeBAAT WP-GraphViz allows DOM-Based XSS. This issue affects WP-GraphViz: from n/a through 1.5.1.
|
|||||
| CVE-2025-58880 | 2025-09-05 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in reubenthiessen Translate This gTranslate Shortcode allows Stored XSS. This issue affects Translate This gTranslate Shortcode: from n/a through 1.0.
|
|||||
| CVE-2025-58863 | 2025-09-05 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SdeWijs Zoomify embed for WP allows Stored XSS. This issue affects Zoomify embed for WP: from n/a through 1.5.2.
|
|||||
| CVE-2025-58784 | 2025-09-05 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in arisoft ARI Fancy Lightbox allows Stored XSS. This issue affects ARI Fancy Lightbox: from n/a through 1.4.0.
|
|||||
| CVE-2025-58822 | 2025-09-05 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mndpsingh287 WP Mail allows DOM-Based XSS. This issue affects WP Mail: from n/a through 1.3.
|
|||||
| CVE-2025-58834 | 2025-09-05 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gugu short.io allows DOM-Based XSS. This issue affects short.io: from n/a through 2.4.0.
|
|||||
| CVE-2025-58838 | 2025-09-05 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zakir Smooth Accordion allows Stored XSS. This issue affects Smooth Accordion: from n/a through 2.1.
|
|||||
| CVE-2025-58862 | 2025-09-05 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in George Sexton WordPress Events Calendar Plugin – connectDaily allows Stored XSS. This issue affects WordPress Events Calendar Plugin – connectDaily: from n/a through 1.5.3.
|
|||||
| CVE-2025-58882 | 2025-09-05 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in w1zzard Simple Text Slider allows Stored XSS. This issue affects Simple Text Slider: from n/a through 1.0.5.
|
|||||
| CVE-2025-58883 | 2025-09-05 | N/A | 5.9 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Thomas Harris Search Cloud One allows Stored XSS. This issue affects Search Cloud One: from n/a through 2.2.5.
|
|||||
| CVE-2025-9834 | 1 Phpgurukul | 1 Small Crm | 2025-09-05 | 4.0 MEDIUM | 3.5 LOW |
|
A flaw has been found in PHPGurukul Small CRM 4.0. Affected by this issue is some unknown functionality of the file /registration.php. Executing manipulation of the argument Username can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been published and may be used.
|
|||||
| CVE-2024-39272 | 1 Clear | 1 Clearml Enterprise Server | 2025-09-05 | N/A | 9.0 CRITICAL |
|
A cross-site scripting (xss) vulnerability exists in the dataset upload functionality of ClearML Enterprise Server 3.22.5-1533. A specially crafted HTTP request can lead to an arbitrary html code. An attacker can send a series of HTTP requests to trigger this vulnerability.
|
|||||
| CVE-2024-39923 | 1 Mahara | 1 Mahara | 2025-09-05 | N/A | 6.1 MEDIUM |
|
An issue was discovered in Mahara 24.04 before 24.04.2 and 23.04 before 23.04.7. The About, Contact, and Help footer links can be set up to be vulnerable to Cross Site Scripting (XSS) due to not sanitising the values. These links can only be set up by an admin but are clickable by any logged-in person.
|
|||||
| CVE-2024-45753 | 1 Mahara | 1 Mahara | 2025-09-05 | N/A | 6.1 MEDIUM |
|
In Mahara 23.04.8 and 24.04.4, the external RSS feed block can cause XSS if the external feed XML has a malicious value for the link attribute.
|
|||||
| CVE-2024-35203 | 1 Mahara | 1 Mahara | 2025-09-05 | N/A | 6.1 MEDIUM |
|
Mahara before 22.10.6, 23.04.6, and 24.04.1 allows cross-site scripting (XSS) via a file, with JavaScript code as part of its name, that is uploaded via the Mahara filebrowser system.
|
|||||
| CVE-2024-13308 | 1 Browser Back Button Project | 1 Browser Back Button | 2025-09-05 | N/A | 3.8 LOW |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Browser Back Button allows Cross-Site Scripting (XSS).This issue affects Browser Back Button: from 1.0.0 before 2.0.2.
|
|||||
| CVE-2024-54138 | 1 Microsoft | 1 Nugetgallery | 2025-09-05 | N/A | 6.1 MEDIUM |
|
NuGet Gallery is a package repository that powers nuget.org. The NuGetGallery has a security vulnerability related to its handling of autolinks in Markdown content. While the platform properly filters out JavaScript from standard links, it does not adequately sanitize autolinks. This oversight allows attackers to exploit autolinks as a vector for Cross-Site Scripting (XSS) attacks. This vulnerability is fixed in 2024.12.06.
|
|||||
| CVE-2025-55107 | 1 Esri | 1 Portal For Arcgis | 2025-09-05 | N/A | 4.8 MEDIUM |
|
There is a stored
Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites
versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to
inject malicious a file with an embedded xss script which when loaded could
potentially execute arbitrary JavaScript code in the victim’s browser. The
privileges required to execute this attack are high. The attack could
disclose a privileged token which may result in the attacker gaining full
control of the Portal ...
Show More |
|||||
| CVE-2025-55106 | 1 Esri | 1 Portal For Arcgis | 2025-09-05 | N/A | 4.8 MEDIUM |
|
There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.
|
|||||
| CVE-2025-55105 | 1 Esri | 1 Portal For Arcgis | 2025-09-05 | N/A | 4.8 MEDIUM |
|
There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.
|
|||||
| CVE-2025-55104 | 1 Esri | 1 Portal For Arcgis | 2025-09-05 | N/A | 4.8 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability exists ArcGIS HUB and ArcGIS Enterprise Sites which allows an authenticated user with the ability to create or edit a site to add and store an XSS payload. If this stored XSS payload is triggered by any user attacker supplied JavaScript may execute in the victim's browser.
|
|||||
| CVE-2025-55103 | 1 Esri | 1 Portal For Arcgis | 2025-09-05 | N/A | 4.8 MEDIUM |
|
There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.
|
|||||
| CVE-2025-3246 | 1 Github | 1 Enterprise Server | 2025-09-05 | N/A | 7.6 HIGH |
|
An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed cross-site scripting in GitHub Markdown that used `$$..$$` math blocks. Exploitation required access to the target GitHub Enterprise Server instance and privileged user interaction with the malicious elements. This vulnerability affected version 3.16.1 of GitHub Enterprise Server and was fixed in version 3.16.2. This vulnerability was reported via the GitHub Bug Bounty program.
|
|||||
| CVE-2024-56112 | 1 Cyberpanel | 1 Cyberpanel | 2025-09-05 | N/A | 6.1 MEDIUM |
|
CyberPanel (aka Cyber Panel) before f0cf648 allows XSS via token or username to plogical/phpmyadminsignin.php.
|
|||||
| CVE-2024-51112 | 1 Pnetlab | 1 Pnetlab | 2025-09-05 | N/A | 6.1 MEDIUM |
|
Open Redirect vulnerability in Pnetlab 5.3.11 allows an attacker to manipulate URLs to redirect users to arbitrary external websites via a crafted script
|
|||||
| CVE-2024-51111 | 1 Pnetlab | 1 Pnetlab | 2025-09-05 | N/A | 4.1 MEDIUM |
|
Cross-Site Scripting (XSS) vulnerability in Pnetlab 5.3.11 allows an attacker to inject malicious scripts into a web page, which are executed in the context of the victim's browser.
|
|||||
| CVE-2024-55074 | 1 Grocy Project | 1 Grocy | 2025-09-05 | N/A | 8.8 HIGH |
|
The edit profile function of Grocy through 4.3.0 allows stored XSS and resultant privilege escalation by uploading a crafted HTML or SVG file, a different issue than CVE-2024-8370.
|
|||||
| CVE-2024-52520 | 1 Nextcloud | 1 Nextcloud Server | 2025-09-05 | N/A | 5.7 MEDIUM |
|
Nextcloud Server is a self hosted personal cloud system. Due to a pre-flighted HEAD request, the link reference provider could be tricked into downloading bigger websites than intended, to find open-graph data. It is recommended that the Nextcloud Server is upgraded to 28.0.10 or 29.0.7 and Nextcloud Enterprise Server is upgraded to 27.1.11.8, 28.0.10 or 29.0.7.
|
|||||
| CVE-2024-37161 | 1 Metersphere | 1 Metersphere | 2025-09-04 | N/A | 4.0 MEDIUM |
|
MeterSphere is an open source continuous testing platform. Prior to version 1.10.1-lts, the system's step editor stores cross-site scripting vulnerabilities. Version 1.10.1-lts fixes this issue.
|
|||||
| CVE-2024-37304 | 1 Microsoft | 1 Nugetgallery | 2025-09-04 | N/A | 6.1 MEDIUM |
|
NuGet Gallery is a package repository that powers nuget.org. The NuGetGallery has a security vulnerability related to its handling of autolinks in Markdown content. While the platform properly filters out JavaScript from standard links, it does not adequately sanitize autolinks. This oversight allows attackers to exploit autolinks as a vector for Cross-Site Scripting (XSS) attacks. When a user inputs a Markdown autolink such as `<javascript:alert(1)>`, the link is rendered without proper sanitiz ...
Show More |
|||||
| CVE-2025-9754 | 1 Campcodes | 1 Online Hospital Management System | 2025-09-04 | 4.0 MEDIUM | 3.5 LOW |
|
A flaw has been found in Campcodes Online Hospital Management System 1.0. The impacted element is an unknown function of the file /edit-profile.php of the component Edit Profile Page. Executing manipulation of the argument Username can lead to cross site scripting. The attack may be launched remotely. The exploit has been published and may be used.
|
|||||
| CVE-2025-9753 | 1 Campcodes | 1 Online Hospital Management System | 2025-09-04 | 3.3 LOW | 2.4 LOW |
|
A vulnerability was detected in Campcodes Online Hospital Management System 1.0. The affected element is an unknown function of the file /admin/patient-search.php of the component Patient Search Module. Performing manipulation of the argument Search by Name Mobile No results in cross site scripting. The attack may be initiated remotely. The exploit is now public and may be used.
|
|||||
| CVE-2025-9746 | 1 Campcodes | 1 Hospital Management System | 2025-09-04 | 3.3 LOW | 2.4 LOW |
|
A vulnerability was detected in Campcodes Hospital Management System 1.0. This affects an unknown function of the file /admin/edit-doctor-specialization.php of the component Edit Doctor Specialization Page. The manipulation results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used.
|
|||||
| CVE-2025-41036 | 1 Apprain | 1 Apprain | 2025-09-04 | N/A | 5.4 MEDIUM |
|
A vulnerability has been discovered in appRain CMF version 4.0.5, consisting of a stored authenticated XSS due to a lack of proper validation of user input, through the 'data[Admin][description]', 'data[Admin][f_name]' and 'data[Admin][l_name]' parameters in /apprain/admin/account/edit.
|
|||||
| CVE-2025-41037 | 1 Apprain | 1 Apprain | 2025-09-04 | N/A | 5.4 MEDIUM |
|
A vulnerability has been discovered in appRain CMF version 4.0.5, consisting of a stored authenticated XSS due to a lack of proper validation of user input, through the 'data[FileManager][search]' parameter in /apprain/admin/filemanager.
|
|||||
| CVE-2025-41038 | 1 Apprain | 1 Apprain | 2025-09-04 | N/A | 5.4 MEDIUM |
|
A vulnerability has been discovered in appRain CMF version 4.0.5, consisting of a stored authenticated XSS due to a lack of proper validation of user input, through the 'data[Group][name]' parameter in /apprain/admin/managegroup/add/.
|
|||||
| CVE-2025-41039 | 1 Apprain | 1 Apprain | 2025-09-04 | N/A | 5.4 MEDIUM |
|
A vulnerability has been discovered in appRain CMF version 4.0.5, consisting of a stored authenticated XSS due to a lack of proper validation of user input, through the 'data[sconfig][admin_landing_page]', 'data[sconfig][currency]', 'data[sconfig][db_version]', 'data[sconfig][default_pagination]', 'data[sconfig][emailsetup_from_email]', 'data[sconfig][emailsetup_host]', 'data[sconfig][emailsetup_password]', 'data[sconfig][emailsetup_port]', 'data[sconfig][emailsetup_username]', 'data[sconfig][fi ...
Show More |
|||||
| CVE-2025-41040 | 1 Apprain | 1 Apprain | 2025-09-04 | N/A | 5.4 MEDIUM |
|
A vulnerability has been discovered in appRain CMF version 4.0.5, consisting of a stored authenticated XSS due to a lack of proper validation of user input, through the 'data[code]', 'data[lang][0][key]', 'data[lang][0][value]', 'data[lang][1][key]' and 'data[title]' parameters in /apprain/developer/language/lipsum.xml.
|
|||||