Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-26529 | 1 Moodle | 1 Moodle | 2025-08-08 | N/A | 8.3 HIGH |
|
Description information displayed in the site administration live log
required additional sanitizing to prevent a stored XSS risk.
|
|||||
| CVE-2025-0719 | 1 Ibm | 1 Cloud Pak For Data | 2025-08-08 | N/A | 6.1 MEDIUM |
|
IBM Cloud Pak for Data 4.0.0 through 4.8.5 and 5.0.0 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
|
|||||
| CVE-2025-2685 | 1 Tablepress | 1 Tablepress | 2025-08-08 | N/A | 6.4 MEDIUM |
|
The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘table-name’ parameter in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2023-42034 | 1 Visualware | 1 Myconnection Server | 2025-08-08 | N/A | 8.8 HIGH |
|
Visualware MyConnection Server doRTAAccessCTConfig Cross-Site Scripting Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Visualware MyConnection Server. Minimal user interaction is required to exploit this vulnerability.
The specific flaw exists within the doRTAAccessCTConfig method. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of an arbitrary scrip ...
|
|||||
| CVE-2025-2254 | 1 Gitlab | 1 Gitlab | 2025-08-08 | N/A | 8.7 HIGH |
|
An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2. Improper output encoding in the snippet viewer functionality led to cross-site scripting attacks.
|
|||||
| CVE-2025-1763 | 1 Gitlab | 1 Gitlab | 2025-08-08 | N/A | 8.7 HIGH |
|
An issue has been discovered in GitLab EE that allows for cross-site-scripting attack and content security policy bypass in a user's browser under specific conditions, affecting all versions from 16.6 before 17.9.7, 17.10 before 17.10.5, and 17.11 before 17.11.1.
|
|||||
| CVE-2025-4439 | 1 Gitlab | 1 Gitlab | 2025-08-08 | N/A | 7.7 HIGH |
|
An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could have allowed an authenticated user to perform cross-site scripting attacks when the instance is served through certain content delivery networks.
|
|||||
| CVE-2025-4700 | 1 Gitlab | 1 Gitlab | 2025-08-08 | N/A | 8.7 HIGH |
|
An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that, under specific circumstances, could have potentially allowed a successful attacker to trigger unintended content rendering leading to XSS.
|
|||||
| CVE-2025-8577 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2025-08-08 | N/A | 4.3 MEDIUM |
|
Inappropriate implementation in Picture In Picture in Google Chrome prior to 139.0.7258.66 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
|
|||||
| CVE-2025-8579 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2025-08-08 | N/A | 4.3 MEDIUM |
|
Inappropriate implementation in Picture In Picture in Google Chrome prior to 139.0.7258.66 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
|
|||||
| CVE-2025-8580 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2025-08-08 | N/A | 4.3 MEDIUM |
|
Inappropriate implementation in Filesystems in Google Chrome prior to 139.0.7258.66 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
|
|||||
| CVE-2025-8581 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2025-08-08 | N/A | 4.3 MEDIUM |
|
Inappropriate implementation in Extensions in Google Chrome prior to 139.0.7258.66 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
|
|||||
| CVE-2025-7902 | 1 Ruoyi | 1 Ruoyi | 2025-08-08 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability classified as problematic has been found in yangzongzhuan RuoYi up to 4.8.1. Affected is the function addSave of the file com/ruoyi/web/controller/system/SysNoticeController.java. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-55134 | | | 2025-08-08 | N/A | 6.4 MEDIUM |
|
In Agora Foundation Agora fall23-Alpha1 before b087490, there is XSS via tag in client/agora/public/js/editorManager.js.
|
|||||
| CVE-2025-55133 | | | 2025-08-08 | N/A | 6.4 MEDIUM |
|
In Agora Foundation Agora fall23-Alpha1 before b087490, there is XSS via topicName in client/agora/public/js/editorManager.js.
|
|||||
| CVE-2024-20383 | 1 Cisco | 15 Asyncos, Secure Email And Web Manager M170, Secure Email And Web Manager M190 and 12 more | 2025-08-08 | N/A | 4.8 MEDIUM |
|
A vulnerability in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email and Web Manager could allow an authenticated, remote attacker to conduct an XSS attack against a user of the interface.
This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the cont ...
|
|||||
| CVE-2025-22763 | 1 Brizy | 1 Brizy | 2025-08-08 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Brizy Pro allows Reflected XSS. This issue affects Brizy Pro: from n/a through 2.6.1.
|
|||||
| CVE-2025-50740 | | | 2025-08-07 | N/A | 6.1 MEDIUM |
|
AutoConnect 1.4.2, an Arduino library, is vulnerable to cross-site scripting (XSS). The AutoConnect web interface /_ac/config allows HTML/JS code to be executed via a crafted network SSID.
|
|||||
| CVE-2025-51629 | | | 2025-08-07 | N/A | 8.8 HIGH |
|
A cross-site scripting (XSS) vulnerability in the PdfViewer component of Agenzia Impresa Eccobook 2.81.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Temp parameter.
|
|||||
| CVE-2024-20511 | 1 Cisco | 1 Unified Communications Manager | 2025-08-07 | N/A | 6.1 MEDIUM |
|
A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.
This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a ...
|
|||||
| CVE-2024-20540 | 1 Cisco | 1 Unified Contact Center Management Portal | 2025-08-07 | N/A | 5.4 MEDIUM |
|
A vulnerability in the web-based management interface of Cisco Unified Contact Center Management Portal (Unified CCMP) could allow an authenticated, remote attacker with low privileges to conduct a stored cross-site scripting (XSS) attack against a user of the interface.
This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into a specific page of the interfa ...
|
|||||
| CVE-2025-32198 | 1 Brizy | 1 Brizy | 2025-08-07 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themefusecom Brizy. This issue affects Brizy: from n/a through 2.6.14.
|
|||||
| CVE-2025-2839 | 1 Vjinfotech | 1 Wp Import Export Lite | 2025-08-07 | N/A | 6.4 MEDIUM |
|
The WP Import Export Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpiePreviewData’ function in all versions up to, and including, 3.9.27 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-45515 | 1 Zimbra | 1 Collaboration | 2025-08-07 | N/A | 6.1 MEDIUM |
|
An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A Cross-Site Scripting (XSS) vulnerability exists in Zimbra webmail due to insufficient validation of the content type metadata when importing files into the briefcase. Attackers can exploit this issue by crafting a file with manipulated metadata, allowing them to bypass content type checks and execute arbitrary JavaScript within the victim's session.
|
|||||
| CVE-2024-55040 | 1 Sensaphone | 2 Web600, Web600 Firmware | 2025-08-07 | N/A | 6.1 MEDIUM |
|
Cross-site scripting vulnerability in Sensaphone WEB600 Monitoring System v.1.6.5.H and before allows a remote attacker to execute arbitrary code via crafted GET requests to /@.xml, placing payloads in the g7200, g7300, g4601, and g1F02 parameters.
|
|||||
| CVE-2024-38274 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2025-08-07 | N/A | 6.1 MEDIUM |
|
Insufficient escaping of calendar event titles resulted in a stored XSS risk in the event deletion prompt.
|
|||||
| CVE-2024-20256 | 1 Cisco | 22 Asyncos, Secure Email And Web Manager M170, Secure Email And Web Manager M190 and 19 more | 2025-08-07 | N/A | 4.8 MEDIUM |
|
A vulnerability in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email and Web Manager and Secure Web Appliance could allow an authenticated, remote attacker to conduct an XSS attack against a user of the interface.
This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary ...
|
|||||
| CVE-2025-40598 | 1 Sonicwall | 6 Sma 210, Sma 210 Firmware, Sma 410 and 3 more | 2025-08-07 | N/A | 6.1 MEDIUM |
|
A Reflected cross-site scripting (XSS) vulnerability exists in the SMA100 series web interface, allowing a remote unauthenticated attacker to potentially execute arbitrary JavaScript code.
|
|||||
| CVE-2025-45892 | 1 Opencart | 1 Opencart | 2025-08-07 | N/A | 6.1 MEDIUM |
|
OpenCart version 4.1.0.4 is vulnerable to a Stored Cross-Site Scripting (XSS) attack via the blog editor. The vulnerability arises because input in the blog's editor is not properly sanitized or escaped before being rendered. This allows attackers to inject malicious JavaScript code
|
|||||
| CVE-2012-10032 | | | 2025-08-07 | N/A | N/A |
|
Maxthon3 versions prior to 3.3 are vulnerable to cross context scripting (XCS) via the about:history page. The browser’s trusted zone improperly handles injected script content, allowing attackers to execute arbitrary JavaScript in a privileged context. This flaw enables modification of browser configuration and execution of arbitrary code through Maxthon’s exposed DOM APIs, including maxthon.program.Program.launch() and maxthon.io.writeDataURL(). Exploitation requires user interaction, typicall ...
|
|||||
| CVE-2025-45893 | 1 Opencart | 1 Opencart | 2025-08-07 | N/A | 6.1 MEDIUM |
|
OpenCart version 4.1.0.4 is vulnerable to a Stored Cross-Site Scripting (XSS) attack via SVG file uploads used in blog posts. The vulnerability arises because SVG files uploaded through the media manager are not properly sanitized. Attackers can craft a malicious SVG file containing embedded JavaScript
|
|||||
| CVE-2025-51398 | 1 Livehelperchat | 1 Live Helper Chat | 2025-08-07 | N/A | 5.4 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability in the Facebook registration page of Live Helper Chat v4.60 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter.
|
|||||
| CVE-2025-51403 | 1 Livehelperchat | 1 Live Helper Chat | 2025-08-07 | N/A | 6.5 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability in the department assignment editing module of Live Helper Chat v4.60 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Alias Nick parameter.
|
|||||
| CVE-2025-51401 | 1 Livehelperchat | 1 Live Helper Chat | 2025-08-07 | N/A | 5.4 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability in the chat transfer function of Live Helper Chat v4.60 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the operator name parameter.
|
|||||
| CVE-2025-51400 | 1 Livehelperchat | 1 Live Helper Chat | 2025-08-07 | N/A | 5.4 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability in the Personal Canned Messages of Live Helper Chat v4.60 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload.
|
|||||
| CVE-2025-51396 | 1 Livehelperchat | 1 Live Helper Chat | 2025-08-07 | N/A | 5.4 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability in Live Helper Chat v4.60 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Telegram Bot Username parameter.
|
|||||
| CVE-2025-54597 | 1 Linuxserver | 1 Heimdall Application Dashboard | 2025-08-07 | N/A | 7.2 HIGH |
|
LinuxServer.io Heimdall before 2.7.3 allows XSS via the q parameter.
|
|||||
| CVE-2025-33097 | 2 Ibm, Linux | 2 Qradar Security Information And Event Manager, Linux Kernel | 2025-08-07 | N/A | 6.4 MEDIUM |
|
IBM QRadar SIEM 7.5 - 7.5.0 UP12 IF02 is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
|
|||||
| CVE-2022-20626 | 1 Cisco | 1 Prime Access Registrar | 2025-08-07 | N/A | 5.5 MEDIUM |
|
A vulnerability in the web-based management interface of Cisco Prime Access Registrar Appliance could allow an authenticated, remote attacker to conduct a cross-site scripting attack against a user of the interface. The attacker would require valid credentials for the device.
This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted ...
|
|||||
| CVE-2025-52358 | 1 Vivaldigroup | 3 Icontrol+ Server, Vivaldi Domotica Icontrol, Vivaldi Domotica Icontrol Firmware | 2025-08-06 | N/A | 6.3 MEDIUM |
|
A cross-site scripting vulnerability in Vivaldi United Group iCONTROL+ Server including Firmware version 4.7.8.0.eden Logic version 5.32 and below. This issue allows attackers to inject JavaScript payloads within the error or edit-menu-item parameters which are then executed in the victim's browser session.
|
|||||