Total: 42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-11623 | 1 Goauthentik | 1 Authentik | 2025-08-21 | N/A | 4.8 MEDIUM |
|
Authentik project is vulnerable to Stored XSS attacks through uploading crafted SVG files that are used as application icons.
This action could only be performed by an authenticated admin user.
The issue was fixed in 2024.10.4 release.
|
|||||
| CVE-2025-55033 | 1 Mozilla | 1 Firefox Focus | 2025-08-21 | N/A | 6.1 MEDIUM |
|
Dragging JavaScript links to the URL bar in Focus for iOS could be utilized to run malicious scripts, potentially resulting in XSS attacks. This vulnerability affects Focus for iOS < 142.
|
|||||
| CVE-2025-9167 | 1 Solidinvoice | 1 Solidinvoice | 2025-08-21 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability has been found in SolidInvoice up to 2.4.0. This vulnerability affects unknown code of the file /invoice/recurring of the component Recurring Invoice Module. The manipulation of the argument client name leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-9168 | 1 Solidinvoice | 1 Solidinvoice | 2025-08-21 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was found in SolidInvoice up to 2.4.0. This issue affects some unknown processing of the file /invoice of the component Invoice Creation Module. The manipulation of the argument Client Name results in cross site scripting. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-9169 | 1 Solidinvoice | 1 Solidinvoice | 2025-08-21 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was determined in SolidInvoice up to 2.4.0. Impacted is an unknown function of the file /quotes of the component Quote Module. This manipulation of the argument Name causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-9170 | 1 Solidinvoice | 1 Solidinvoice | 2025-08-21 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was identified in SolidInvoice up to 2.4.0. The affected element is an unknown function of the file /tax/rates of the component Tax Rates Module. Such manipulation of the argument Name leads to cross site scripting. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-9171 | 1 Solidinvoice | 1 Solidinvoice | 2025-08-21 | 4.0 MEDIUM | 3.5 LOW |
|
A security flaw has been discovered in SolidInvoice up to 2.4.0. The impacted element is an unknown function of the file /clients of the component Clients Module. Performing manipulation of the argument Name results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-8362 | 1 Googletag Manager Project | 1 Googletag Manager | 2025-08-21 | N/A | 6.1 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal GoogleTag Manager allows Cross-Site Scripting (XSS). This issue affects GoogleTag Manager: from 0.0.0 before 1.10.0.
|
|||||
| CVE-2024-5383 | 1 Lakernote | 1 Easyadmin | 2025-08-21 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability classified as problematic has been found in lakernote EasyAdmin up to 20240324. This affects an unknown part of the file /sys/file/upload. The manipulation of the argument file leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. Th ...
|
|||||
| CVE-2025-57731 | 1 Jetbrains | 1 Youtrack | 2025-08-21 | N/A | 8.7 HIGH |
|
In JetBrains YouTrack before 2025.2.92387 stored XSS was possible via Mermaid diagram content.
|
|||||
| CVE-2025-57703 | 1 Deltaww | 1 Diaenergie | 2025-08-21 | N/A | 6.1 MEDIUM |
|
DIAEnergie - Reflected Cross-site Scripting
|
|||||
| CVE-2025-57702 | 1 Deltaww | 1 Diaenergie | 2025-08-21 | N/A | 6.1 MEDIUM |
|
DIAEnergie - Reflected Cross-site Scripting
|
|||||
| CVE-2025-57701 | 1 Deltaww | 1 Diaenergie | 2025-08-21 | N/A | 6.1 MEDIUM |
|
DIAEnergie - Reflected Cross-site Scripting
|
|||||
| CVE-2025-57700 | 1 Deltaww | 1 Diaenergie | 2025-08-21 | N/A | 6.1 MEDIUM |
|
DIAEnergie - Stored Cross-site Scripting
|
|||||
| CVE-2025-51488 | 1 Moonshine | 1 Moonshine | 2025-08-21 | N/A | 4.9 MEDIUM |
|
A Stored Cross-Site Scripting (XSS) vulnerability exists in MoonShine version < 3.12.4, allowing remote attackers to store and execute arbitrary JavaScript by including a malicious HTML payload in the Name parameter when creating a new Admin.
|
|||||
| CVE-2025-51487 | 1 Moonshine | 1 Moonshine | 2025-08-21 | N/A | 4.5 MEDIUM |
|
A Stored Cross-Site Scripting (XSS) vulnerability exists in MoonShine version < 3.12.5, allowing an attacker to execute arbitrary JavaScript by supplying a "javascript:" URL, instead of the expected HTTPS URL, in the CutCode Link parameter when creating or updating an Article.
|
|||||
| CVE-2025-51489 | 1 Moonshine | 1 Moonshine | 2025-08-21 | N/A | 5.4 MEDIUM |
|
A Stored Cross-Site Scripting (XSS) vulnerability exists in MoonShine version < 3.12.5, allowing remote attackers to upload a malicious SVG file when creating or updating an Article; arbitrary JavaScript then executes when the stored file's link is opened directly in the browser.
|
|||||
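The Authentik (CVE-2024-11623) and MoonShine (CVE-2025-51489) entries above are the same bug class: an SVG accepted as an image upload is later served as a same-origin document, so script inside it runs in the application's origin. The following is an added example, not code from either project or from their fixes, showing the two layers an upload handler can apply: a content sniff plus a tripwire for obvious active content at upload time, and response headers that prevent script execution even when a payload gets through. The allowlist, the heuristic patterns, the stored file name and the header values are this example's own assumptions.

```javascript
// Added example; not code from Authentik or MoonShine. Type allowlist,
// patterns and header values are assumptions made for illustration.
const ALLOWED_IMAGE_TYPES = new Set(["image/png", "image/jpeg", "image/webp", "image/svg+xml"]);

// Content sniff: anything whose first bytes are an XML/SVG document is treated
// as SVG, whatever MIME type or extension the client declared.
function looksLikeSvg(bytes) {
  const head = Buffer.from(bytes).subarray(0, 512).toString("utf8").trimStart();
  return /^(<\?xml[\s\S]*?\?>\s*)?(<!--[\s\S]*?-->\s*)*(<!DOCTYPE[^>]*>\s*)?<svg[\s>]/i.test(head);
}

// Tripwire for blatant active content (script elements, event-handler
// attributes, foreignObject, javascript: hrefs). Pattern matching is not a
// sanitiser: it misses entity encodings and CDATA tricks and exists only to
// reject and log obvious payloads. The headers below are the real control.
function hasActiveSvgContent(text) {
  return /<script|<foreignObject|\son[a-z]+\s*=|href\s*=\s*["']?\s*javascript:/i.test(text);
}

// Headers for serving any user-uploaded file back to a browser:
//  - CSP `sandbox` gives the document an opaque origin, so even a script that
//    somehow ran could not reach the application's cookies, storage or DOM;
//  - `default-src 'none'` blocks inline and external script inside the SVG
//    while inline styles stay allowed so the image still renders;
//  - `Content-Disposition: attachment` turns a direct link into a download
//    instead of rendering the file as a same-origin page;
//  - `nosniff` stops the browser reinterpreting the body as another type.
// Embedding the file via <img src=...> stays safe regardless: script never
// executes in an image context.
function uploadResponseHeaders(storedName, contentType) {
  const safeName = storedName.replace(/[^\w.-]/g, "_");
  return {
    "Content-Type": contentType,
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "sandbox; default-src 'none'; style-src 'unsafe-inline'",
    "Content-Disposition": `attachment; filename="${safeName}"`,
    "Cache-Control": "private, no-store",
  };
}

// Upload-time decision. Returns {ok:false, reason} or {ok:true, headers} where
// `headers` is what the stored file must later be served with.
function handleIconUpload(declaredType, bytes) {
  if (!ALLOWED_IMAGE_TYPES.has(declaredType)) {
    return { ok: false, reason: "content type not allowed: " + declaredType };
  }
  const isSvg = looksLikeSvg(bytes);
  if (isSvg && declaredType !== "image/svg+xml") {
    return { ok: false, reason: "SVG body declared as " + declaredType };
  }
  if (!isSvg && declaredType === "image/svg+xml") {
    return { ok: false, reason: "declared SVG but body is not an SVG document" };
  }
  if (isSvg && hasActiveSvgContent(Buffer.from(bytes).toString("utf8"))) {
    return { ok: false, reason: "SVG contains script or event handlers" };
  }
  return { ok: true, headers: uploadResponseHeaders("icon-upload" + (isSvg ? ".svg" : ""), declaredType) };
}

// Constructed sample uploads for the demo; not taken from any advisory.
const BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>';
const MALICIOUS_SVG = '<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)"><script>alert(1)</script></svg>';

for (const [type, body] of [["image/svg+xml", BENIGN_SVG], ["image/svg+xml", MALICIOUS_SVG], ["image/png", BENIGN_SVG]]) {
  console.log(type, handleIconUpload(type, Buffer.from(body)));
}
```

The tripwire is deliberately the weakest layer here: a determined uploader can encode a handler attribute or hide script in a `<set>` animation, which is why the served headers, not the scan, are what an auditor should verify on a real deployment (request the stored file directly and check for `Content-Security-Policy: sandbox` and `Content-Disposition: attachment`).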
| CVE-2024-26484 | 1 Getkirby | 1 Kirby | 2025-08-21 | N/A | 6.1 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability in the Edit Content Layout module of Kirby CMS v4.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Link field. NOTE: the vendor's position is that this issue did not affect any version of Kirby CMS. The only effect was on the trykirby.com demo site, which is not customer-controlled.
|
|||||
| CVE-2024-34449 | 1 B3log | 1 Vditor | 2025-08-21 | N/A | 6.1 MEDIUM |
|
Vditor 3.10.3 allows XSS via an attribute of an A element. NOTE: the vendor indicates that a user is supposed to mitigate this via sanitize=true.
|
|||||
| CVE-2024-30953 | 1 Htmly | 1 Htmly | 2025-08-21 | N/A | 6.1 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability in Htmly v2.9.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Link Name parameter of Menu Editor module.
|
|||||
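The MoonShine CutCode Link (CVE-2025-51487), Kirby Link field (CVE-2024-26484), Vditor A-element attribute (CVE-2024-34449) and Htmly Link Name (CVE-2024-30953) entries above all involve a user-controlled value ending up in or around an `href`. The following is an added example, not code from any of those projects, showing how such a field should be validated with a scheme allowlist on the parsed URL rather than a string prefix check, and how the surrounding markup must still be escaped. The base URL, allowed schemes and sample inputs are assumptions made for illustration.

```javascript
// Added example; not code from MoonShine, Kirby, Vditor or Htmly.
// BASE_URL is an assumed application origin used to resolve relative links.
const BASE_URL = "https://app.example/";
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Returns a normalised absolute URL, or null if the value must not be used as
// an href. Parsing with the WHATWG URL parser handles what a naive
// startsWith("javascript:") check misses: leading whitespace and control
// characters, mixed case, and tabs or newlines embedded in the scheme
// (the parser strips them, so "java\tscript:" still parses as javascript:).
function safeHref(input) {
  if (typeof input !== "string" || input.length > 2048) return null;
  let url;
  try {
    url = new URL(input, BASE_URL);
  } catch {
    return null; // unparseable, e.g. "http://["
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return url.href;
}

// Escape for use inside an HTML attribute value or text node.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Renders an anchor. An unsafe href is dropped rather than "repaired", and
// the visible name is escaped so a value like <img src=x onerror=...>
// is rendered as text, not as markup.
function renderLink(name, href) {
  const safe = safeHref(href);
  const attrs = safe ? ` href="${escapeHtml(safe)}" rel="noopener noreferrer"` : "";
  return `<a${attrs}>${escapeHtml(name)}</a>`;
}

// Constructed inputs modelled on the records above, not taken from any advisory.
const SAMPLES = [
  ["Docs", "https://example.com/docs"],
  ["Pricing", "/pricing?plan=pro"],
  ["Sales", "mailto:sales@example.com"],
  ["Evil 1", "javascript:alert(document.cookie)"],
  ["Evil 2", "  JAVASCRIPT:alert(1)"],
  ["Evil 3", "java\tscript:alert(1)"],
  ["Evil 4", "data:text/html,<script>alert(1)</script>"],
  ['<img src=x onerror="alert(1)">', "https://example.com/"],
];

for (const [name, href] of SAMPLES) {
  console.log(renderLink(name, href));
}
```

Two points of design: the allowlist is on `url.protocol` after parsing, so every spelling of `javascript:` collapses to one check; and the function returns the parser's normalised `href`, so what is stored is exactly what the browser will navigate to. A protocol-relative value such as `//other.example/x` passes this check because it resolves to `https:`; if outbound links must stay on the application's own host, add a `url.origin` comparison as well.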
| CVE-2025-8910 | 1 Wellchoose | 1 Organization Portal System | 2025-08-21 | N/A | 6.1 MEDIUM |
|
Organization Portal System developed by WellChoose has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks.
|
|||||
| CVE-2025-8911 | 1 Wellchoose | 1 Organization Portal System | 2025-08-21 | N/A | 6.1 MEDIUM |
|
Organization Portal System developed by WellChoose has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks.
|
|||||
| CVE-2025-54117 | 1 Namelessmc | 1 Nameless | 2025-08-20 | N/A | 9.0 CRITICAL |
|
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Cross-site scripting (XSS) vulnerability in NamelessMC before 2.2.3 allows remote authenticated attackers to inject arbitrary web script or HTML via the dashboard text editor component. This vulnerability is fixed in 2.2.4.
|
|||||
| CVE-2025-54421 | 1 Namelessmc | 1 Nameless | 2025-08-20 | N/A | 7.2 HIGH |
|
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Cross-site scripting (XSS) vulnerability in NamelessMC before 2.2.4 allows remote authenticated attackers to inject arbitrary web script or HTML via the default_keywords crafted parameter. This vulnerability is fixed in 2.2.4.
|
|||||
| CVE-2025-46824 | | | 2025-08-20 | N/A | 3.1 LOW |
|
The Discourse Code Review Plugin allows users to review GitHub commits on Discourse. Prior to commit eed3a80, an attacker can execute arbitrary JavaScript on users' browsers by posting links to malicious GitHub commits. This problem is patched in commit eed3a80 of the discourse-code-review plugin. As a workaround, one may disable the plugin.
|
|||||
| CVE-2025-46198 | 1 Getgrav | 1 Grav | 2025-08-20 | N/A | 8.8 HIGH |
|
Cross Site Scripting vulnerability in grav v.1.7.48, v.1.7.47 and v.1.7.46 allows an attacker to execute arbitrary code via the onerror attribute of the img element
|
|||||
| CVE-2025-54881 | | | 2025-08-20 | N/A | N/A |
|
Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 10.9.0-rc.1 to 11.9.0, user supplied input for sequence diagram labels is passed to innerHTML during calculation of element size, causing XSS.
|
|||||
| CVE-2025-49434 | | | 2025-08-20 | N/A | 5.9 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in stijnvanderree Laposta WooCommerce allows Stored XSS. This issue affects Laposta WooCommerce: from n/a through 1.9.1.
|
|||||
| CVE-2025-8618 | | | 2025-08-20 | N/A | 6.4 MEDIUM |
|
The WPC Smart Quick View for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's woosq_btn shortcode in all versions up to, and including, 4.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-49891 | | | 2025-08-20 | N/A | 5.9 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in riotweb Contact Info Widget allows Stored XSS. This issue affects Contact Info Widget: from n/a through 2.6.2.
|
|||||
| CVE-2025-54044 | | | 2025-08-20 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in _CreativeMedia_ Elite Video Player allows Reflected XSS. This issue affects Elite Video Player: from n/a through 10.0.5.
|
|||||
| CVE-2025-53563 | | | 2025-08-20 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Youtube Vimeo Video Player and Slider allows Reflected XSS. This issue affects Youtube Vimeo Video Player and Slider: from n/a through 3.8.
|
|||||
| CVE-2025-49395 | | | 2025-08-20 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themifyme Themify Icons allows Stored XSS. This issue affects Themify Icons: from n/a through 2.0.3.
|
|||||
| CVE-2025-49413 | | | 2025-08-20 | N/A | 5.9 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wishloop Terms of Service & Privacy Policy Generator allows Stored XSS. This issue affects Terms of Service & Privacy Policy Generator: from n/a through 1.0.
|
|||||
| CVE-2025-48168 | | | 2025-08-20 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Apollo - Sticky Full Width HTML5 Audio Player allows Reflected XSS. This issue affects Apollo - Sticky Full Width HTML5 Audio Player: from n/a through 3.4.
|
|||||
| CVE-2025-53319 | | | 2025-08-20 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Raptive Raptive Ads allows Reflected XSS. This issue affects Raptive Ads: from n/a through 3.8.0.
|
|||||
| CVE-2024-12223 | | | 2025-08-20 | N/A | N/A |
|
Prism Central versions prior to 2024.3.1 are vulnerable to a stored cross-site scripting attack via the Events component, allowing an attacker to hijack a victim user’s session and perform actions in their security context.
|
|||||
| CVE-2025-49409 | | | 2025-08-20 | N/A | 5.9 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brewlabs SensorPress allows Stored XSS. This issue affects SensorPress: from n/a through 1.0.
|
|||||
| CVE-2025-49894 | | | 2025-08-20 | N/A | 5.9 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rewish WP Emmet allows Stored XSS. This issue affects WP Emmet: from n/a through 0.3.4.
|
|||||
| CVE-2025-49892 | | | 2025-08-20 | N/A | 5.9 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in badasswp Pending Order Bot allows Stored XSS. This issue affects Pending Order Bot: from n/a through 1.0.2.
|
|||||