Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-44136 | 1 Maptiler | 1 Tileserver Php | 2025-08-06 | N/A | 9.8 CRITICAL |
|
MapTiler Tileserver-php v2.0 is vulnerable to Cross Site Scripting (XSS). The GET parameter "layer" is reflected in an error message without html encoding. This leads to XSS and allows an unauthenticated attacker to execute arbitrary HTML or JavaScript code on a victim's browser.
|
|||||
| CVE-2025-7399 | 2025-08-06 | N/A | 6.4 MEDIUM | ||
|
The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via an Elementor display setting in all versions up to, and including, 28.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-6690 | 2025-08-06 | N/A | 6.4 MEDIUM | ||
|
The WP Tournament Registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘field’ parameter in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-7727 | 2025-08-06 | N/A | 6.4 MEDIUM | ||
|
The Gutenverse plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Animated Text and Fun Fact blocks in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-51624 | 2025-08-06 | N/A | 7.6 HIGH | ||
|
Cross-site scripting (XSS) vulnerability in Zone Bitaqati thru 3.4.0.
|
|||||
| CVE-2025-6256 | 2025-08-06 | N/A | 6.4 MEDIUM | ||
|
The Flex Guten plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘thumbnailHoverEffect’ parameter in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-6259 | 2025-08-06 | N/A | 6.4 MEDIUM | ||
|
The esri-map-view plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's esri-map-view shortcode in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-0376 | 1 Gitlab | 1 Gitlab | 2025-08-06 | N/A | 8.7 HIGH |
|
An XSS vulnerability exists in GitLab CE/EE affecting all versions from 13.3 prior to 17.6.5, 17.7 prior to 17.7.4 and 17.8 prior to 17.8.2 that allows an attacker to execute unauthorized actions via a change page.
|
|||||
| CVE-2024-20257 | 1 Cisco | 7 Asyncos, Secure Email Gateway C195, Secure Email Gateway C395 and 4 more | 2025-08-06 | N/A | 4.8 MEDIUM |
|
A vulnerability in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email Gateway could allow an authenticated, remote attacker to conduct an XSS attack against a user of the interface.r
This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of t ...
Show More |
|||||
| CVE-2025-36563 | 1 Alfasado | 1 Powercms | 2025-08-06 | N/A | 6.1 MEDIUM |
|
Reflected cross-site scripting vulnerability exists in multiple versions of PowerCMS. If a product administrator accesses a crafted URL, an arbitrary script may be executed on the browser.
|
|||||
| CVE-2025-41391 | 1 Alfasado | 1 Powercms | 2025-08-06 | N/A | 5.4 MEDIUM |
|
Stored cross-site scripting vulnerability exists in multiple versions of PowerCMS. If a product user accesses a malicious page, an arbitrary script may be executed on the browser.
|
|||||
| CVE-2025-50866 | 1 Vishalmathur | 1 Cloudclassroom | 2025-08-06 | N/A | 6.1 MEDIUM |
|
CloudClassroom-PHP-Project 1.0 contains a reflected Cross-site Scripting (XSS) vulnerability in the email parameter of the postquerypublic endpoint. Improper sanitization allows an attacker to inject arbitrary JavaScript code that executes in the context of the user s browser, potentially leading to session hijacking or phishing attacks.
|
|||||
| CVE-2025-5921 | 1 Brainstormforce | 1 Sureforms | 2025-08-06 | N/A | 5.8 MEDIUM |
|
The SureForms WordPress plugin before 1.7.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against both authenticated and unauthenticated users.
|
|||||
| CVE-2025-8380 | 1 Campcodes | 1 Online Hotel Reservation System | 2025-08-06 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability classified as problematic was found in Campcodes Online Hotel Reservation System 1.0. This vulnerability affects unknown code of the file /admin/add_query_account.php. The manipulation of the argument Name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-50848 | 1 Cs-cart | 1 Cs-cart | 2025-08-06 | N/A | 6.1 MEDIUM |
|
A file upload vulnerability was discovered in CS Cart 4.18.3, allows attackers to execute arbitrary code. CS Cart 4.18.3 allows unrestricted upload of HTML files, which are rendered directly in the browser when accessed. This allows an attacker to upload a crafted HTML file containing malicious content, such as a fake login form for credential harvesting or scripts for Cross-Site Scripting (XSS) attacks. Since the content is served from a trusted domain, it significantly increases the likelihood ...
Show More |
|||||
| CVE-2025-51951 | 1 Andisearch | 1 Andisearch | 2025-08-06 | N/A | 6.1 MEDIUM |
|
andisearch v0.5.249 was discovered to contain a cross-site scripting (XSS) vulnerability.
|
|||||
| CVE-2025-51503 | 1 Microweber | 1 Microweber | 2025-08-06 | N/A | 7.6 HIGH |
|
A Stored Cross-Site Scripting (XSS) vulnerability in Microweber CMS 2.0 allows attackers to inject malicious scripts into user profile fields, leading to arbitrary JavaScript execution in admin browsers.
|
|||||
| CVE-2025-52203 | 1 Devaslanphp | 1 Project Management | 2025-08-06 | N/A | 7.6 HIGH |
|
A stored cross-site scripting (XSS) vulnerability exists in DevaslanPHP project-management v1.2.4. The vulnerability resides in the Ticket Name field, which fails to properly sanitize user-supplied input. An authenticated attacker can inject malicious JavaScript payloads into this field, which are subsequently stored in the database. When a legitimate user logs in and is redirected to the Dashboard panel "automatically upon authentication the malicious script executes in the user's browser conte ...
Show More |
|||||
| CVE-2025-51954 | 1 Electronhub | 1 Ai Playground | 2025-08-06 | N/A | 6.1 MEDIUM |
|
playground.electronhub.ai v1.1.9 was discovered to contain a cross-site scripting (XSS) vulnerability.
|
|||||
| CVE-2025-20120 | 1 Cisco | 2 Evolved Programmable Network Manager, Prime Infrastructure | 2025-08-06 | N/A | 6.1 MEDIUM |
|
A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface on an affected device.
This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicio ...
Show More |
|||||
| CVE-2025-8319 | 1 Barracuda | 1 Message Archiver Firmware | 2025-08-06 | N/A | 6.1 MEDIUM |
|
the BMA login interface allows arbitrary JavaScript or HTML to be written straight into the page’s Document Object Model via the error= URL parameter
|
|||||
| CVE-2020-3420 | 1 Cisco | 1 Unified Communications Manager | 2025-08-06 | N/A | 5.4 MEDIUM |
|
A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.
The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerabili ...
Show More |
|||||
| CVE-2025-46958 | 1 Adobe | 1 Experience Manager | 2025-08-06 | N/A | 5.4 MEDIUM |
|
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
|
|||||
| CVE-2023-43091 | 1 Gnome | 1 Gnome-maps | 2025-08-06 | N/A | 9.8 CRITICAL |
|
A flaw was found in GNOME Maps, which is vulnerable to a code injection attack via its service.json configuration file. If the configuration file is malicious, it may execute arbitrary code.
|
|||||
| CVE-2025-51857 | 2025-08-05 | N/A | 6.1 MEDIUM | ||
|
The reconcile method in the AttachmentReconciler class of the Halo system v.2.20.18LTS and before is vulnerable to XSS attacks.
|
|||||
| CVE-2025-8167 | 1 Carmelo | 1 Church Donation System | 2025-08-05 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was found in code-projects Church Donation System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/edit_members.php. The manipulation of the argument fname leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
|
|||||
| CVE-2025-0314 | 1 Gitlab | 1 Gitlab | 2025-08-05 | N/A | 8.7 HIGH |
|
An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.6.4, 17.7 before 17.7.3, and 17.8 before 17.8.1. Improper rendering of certain file types lead to cross-site scripting.
|
|||||
| CVE-2025-8340 | 1 Carmelo | 1 Intern Membership Management System | 2025-08-05 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability was found in code-projects Intern Membership Management System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file fill_details.php of the component Error Message Handler. The manipulation of the argument email leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-8337 | 1 Code-projects | 1 Simple Car Rental System | 2025-08-05 | 3.3 LOW | 2.4 LOW |
|
A vulnerability, which was classified as problematic, has been found in code-projects Simple Car Rental System 1.0. This issue affects some unknown processing of the file /admin/add_vehicles.php. The manipulation of the argument car_name leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-12326 | 1 Jirafeau | 1 Jirafeau | 2025-08-05 | N/A | 6.1 MEDIUM |
|
Jirafeau normally prevents browser preview for SVG files due to the possibility that manipulated SVG files could be exploited for cross site scripting. This was done by storing the MIME type of a file and preventing the browser preview for MIME type image/svg+xml. This issue was first reported in CVE-2022-30110. However, it was still possible to do a browser preview of a SVG file by sending a manipulated MIME type during the upload, where the case of any letter in image/svg+xml had been changed ...
Show More |
|||||
| CVE-2025-54141 | 1 Viewvc | 1 Viewvc | 2025-08-05 | N/A | 7.5 HIGH |
|
ViewVC is a browser interface for CVS and Subversion version control repositories. In versions 1.1.0 through 1.1.31 and 1.2.0 through 1.2.3, the standalone.py script provided in the ViewVC distribution can expose the contents of the host server's filesystem though a directory traversal-style attack. This is fixed in versions 1.1.31 and 1.2.4.
|
|||||
| CVE-2025-8370 | 1 Portabilis | 1 I-educar | 2025-08-05 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability, which was classified as problematic, was found in Portabilis i-Educar 2.9. Affected is an unknown function of the file /intranet/educar_escolaridade_lst.php. The manipulation of the argument descricao leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-8365 | 1 Portabilis | 1 I-educar | 2025-08-05 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was found in Portabilis i-Educar 2.10. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file atendidos_cad.php. The manipulation of the argument nome/nome_social/email leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-8366 | 1 Portabilis | 1 I-educar | 2025-08-05 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability was found in Portabilis i-Educar 2.9. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /intranet/educar_servidor_lst.php. The manipulation of the argument nome/matricula_servidor leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-8367 | 1 Portabilis | 1 I-educar | 2025-08-05 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability classified as problematic has been found in Portabilis i-Educar 2.9. This affects an unknown part of the file /intranet/funcionario_vinculo_lst.php. The manipulation of the argument nome leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-8368 | 1 Portabilis | 1 I-educar | 2025-08-05 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability classified as problematic was found in Portabilis i-Educar 2.9. This vulnerability affects unknown code of the file /intranet/pesquisa_pessoa_lst.php. The manipulation of the argument campo_busca/cpf leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-8369 | 1 Portabilis | 1 I-educar | 2025-08-05 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability, which was classified as problematic, has been found in Portabilis i-Educar 2.9. This issue affects some unknown processing of the file /intranet/educar_avaliacao_desempenho_lst.php. The manipulation of the argument titulo_avaliacao leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-27205 | 1 Adobe | 1 Experience Manager Screens | 2025-08-05 | N/A | 5.4 MEDIUM |
|
Adobe Experience Manager Screens versions FP11.3 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Exploitation of this issue requires user interaction in that a victim must open a malicious link.
|
|||||
| CVE-2024-31401 | 1 Cybozu | 1 Garoon | 2025-08-05 | N/A | 9.0 CRITICAL |
|
Cross-site scripting vulnerability in Cybozu Garoon 5.0.0 to 5.15.2 allows a remote authenticated attacker with an administrative privilege to inject an arbitrary script on the web browser of the user who is logging in to the product.
|
|||||
| CVE-2025-50754 | 2025-08-05 | N/A | 9.6 CRITICAL | ||
|
Unisite CMS version 5.0 contains a stored Cross-Site Scripting (XSS) vulnerability in the "Report" functionality. A malicious script submitted by an attacker is rendered in the admin panel when viewed by an administrator. This allows attackers to hijack the admin session and, by leveraging the template editor, upload and execute a PHP web shell on the server, leading to full remote code execution.
|
|||||