Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-7748 | 2025-07-17 | 4.0 MEDIUM | 3.5 LOW | ||
|
A vulnerability classified as problematic was found in ZCMS 3.6.0. This vulnerability affects unknown code of the component Create Article Page. The manipulation of the argument Title leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-53941 | 2025-07-17 | N/A | 6.1 MEDIUM | ||
|
Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Versions prior to 0.6.5 allow HTML form elements to be submitted, making the software vulnerable to HTML injection. Version 0.6.5 fixes the issue.
|
|||||
| CVE-2024-42912 | 2025-07-17 | N/A | 5.4 MEDIUM | ||
|
A cross-site scripting (XSS) vulnerability in META-INF Kft. Email This Issue (Data Center) before 9.13.0-GA allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the recipient field of an e-mail message.
|
|||||
| CVE-2025-6248 | 2025-07-17 | N/A | 7.4 HIGH | ||
|
A cross-site scripting (XSS) vulnerability was reported in the Lenovo Browser that could allow an attacker to obtain sensitive information if a user visits a web page with specially crafted content.
|
|||||
| CVE-2025-53904 | 2025-07-17 | N/A | N/A | ||
|
The Scratch Channel is a news website that is under development as of time of this writing. The file `/api/admin.js` contains code that could make the website vulnerable to cross-site scripting. No known patches exist as of time of publication.
|
|||||
| CVE-2024-34831 | 1 Gibbonedu | 1 Gibbon | 2025-07-17 | N/A | 6.1 MEDIUM |
|
cross-site scripting (XSS) vulnerability in Gibbon Core v26.0.00 allows an attacker to execute arbitrary code via the imageLink parameter in the library_manage_catalog_editProcess.php component.
|
|||||
| CVE-2024-12504 | 1 Videowhisper | 1 Videowhisper Live Streaming Integration | 2025-07-17 | N/A | 6.4 MEDIUM |
|
The Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'videowhisper_hls' shortcode in all versions up to, and including, 6.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an i ...
Show More |
|||||
| CVE-2025-48253 | 1 Wpfactory | 1 Free Shipping Bar | 2025-07-17 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Free Shipping Bar: Amount Left for Free Shipping for WooCommerce allows Stored XSS. This issue affects Free Shipping Bar: Amount Left for Free Shipping for WooCommerce: from n/a through 2.4.6.
|
|||||
| CVE-2022-43850 | 3 Ibm, Linux, Microsoft | 3 Aspera Console, Linux Kernel, Windows | 2025-07-17 | N/A | 5.4 MEDIUM |
|
IBM Aspera Console 3.4.0 through 3.4.4
is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
|
|||||
| CVE-2025-30844 | 1 Kibokolabs | 1 Watu Quiz | 2025-07-17 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bob Watu Quiz allows Reflected XSS. This issue affects Watu Quiz: from n/a through 3.4.2.
|
|||||
| CVE-2024-51337 | 1 Gibbonedu | 1 Gibbon | 2025-07-17 | N/A | 3.5 LOW |
|
Cross Site Scripting vulnerability in Gibbon before v.27.0.01 and fixed in v.28.0.00 allows a remote attacker to obtain sensitive information via the email parameter found in /Gibbon/modules/User Admin/user_manage_editProcess.php.
|
|||||
| CVE-2024-55492 | 1 Magicwinmail | 1 Winmail Server | 2025-07-17 | N/A | 6.1 MEDIUM |
|
Winmail Server 4.4 is vulnerable to f_user=%22%3E%3Csvg%20onload Cross Site Scripting (XSS).
|
|||||
| CVE-2024-0873 | 1 Kibokolabs | 1 Watu Quiz | 2025-07-17 | N/A | 6.4 MEDIUM |
|
The Watu Quiz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'watu-basic-chart' shortcode in all versions up to, and including, 3.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-4405 | 1 Hot-themes | 1 Hot Random Image | 2025-07-17 | N/A | 4.9 MEDIUM |
|
The Hot Random Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ parameter in all versions up to, and including, 1.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-48918 | 1 1xinternet | 1 Simple Klaro | 2025-07-17 | N/A | 8.8 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Simple Klaro allows Cross-Site Scripting (XSS).This issue affects Simple Klaro: from 0.0.0 before 1.10.0.
|
|||||
| CVE-2025-48919 | 1 1xinternet | 1 Simple Klaro | 2025-07-17 | N/A | 5.0 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Simple Klaro allows Cross-Site Scripting (XSS).This issue affects Simple Klaro: from 0.0.0 before 1.10.0.
|
|||||
| CVE-2024-8029 | 1 Pribai | 1 Privategpt | 2025-07-17 | N/A | 6.1 MEDIUM |
|
An XSS vulnerability was discovered in the upload file(s) process of imartinez/privategpt v0.5.0. Attackers can upload malicious SVG files, which execute JavaScript when victims click on the file link. This can lead to user data theft, session hijacking, malware distribution, and phishing attacks.
|
|||||
| CVE-2025-5678 | 1 Kadencewp | 1 Gutenberg Blocks With Ai | 2025-07-17 | N/A | 6.4 MEDIUM |
|
The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘redirectURL’ parameter in all versions up to, and including, 3.5.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-28243 | 1 Alteryx | 1 Alteryx Server | 2025-07-17 | N/A | 8.0 HIGH |
|
An issue in Alteryx Server v.2023.1.1.460 allows HTML injection via a crafted script to the pages component.
|
|||||
| CVE-2025-5530 | 1 Wpclever | 1 Wpc Smart Compare For Woocommerce | 2025-07-17 | N/A | 6.4 MEDIUM |
|
The WPC Smart Compare for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shortcode_btn' shortcode in all versions up to, and including, 6.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-6068 | 1 Fooplugins | 1 Foogallery | 2025-07-17 | N/A | 6.4 MEDIUM |
|
The FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-caption-title` & `data-caption-description` HTML attributes in all versions up to, and including, 2.4.31 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user ...
Show More |
|||||
| CVE-2024-6006 | 1 Zkteco | 1 Zkbiosecurity V5000 | 2025-07-17 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was found in ZKTeco ZKBio CVSecurity V5000 4.1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Summer Schedule Handler. The manipulation of the argument Schedule Name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor explains, "that ZKBio Security V5000 has been withdrawn from the market and [is] recommended for upgrading to the ZKB ...
Show More |
|||||
| CVE-2024-6005 | 1 Zkteco | 1 Zkbiosecurity V5000 | 2025-07-17 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was found in ZKTeco ZKBio CVSecurity V5000 4.1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Department Section. The manipulation of the argument Department Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor explains, "that ZKBio Security V5000 has been withdrawn from the market and [is] recommended for upgrading to t ...
Show More |
|||||
| CVE-2025-28245 | 1 Alteryx | 1 Alteryx Server | 2025-07-17 | N/A | 6.1 MEDIUM |
|
Cross-site scripting (XSS) vulnerability in Alteryx Server 2023.1.1.460 allows remote attackers to inject arbitrary web script or HTML via the notification body.
|
|||||
| CVE-2025-6977 | 1 Metagauss | 1 Profilegrid | 2025-07-16 | N/A | 6.1 MEDIUM |
|
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘pm_get_messenger_notification’ function in all versions up to, and including, 5.9.5.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a logged-in user into performing an action such as clicking on a link.
|
|||||
| CVE-2025-2799 | 1 Wp-eventmanager | 1 Wp Event Manager | 2025-07-16 | N/A | 4.4 MEDIUM |
|
The WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tag-name’ parameter in all versions up to, and including, 3.1.49 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site ...
Show More |
|||||
| CVE-2025-2800 | 1 Wp-eventmanager | 1 Wp Event Manager | 2025-07-16 | N/A | 7.2 HIGH |
|
The WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘organizer_name' parameter in all versions up to, and including, 3.1.50 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-10029 | 1 Eclipse | 1 Glassfish | 2025-07-16 | N/A | 6.1 MEDIUM |
|
In Eclipse GlassFish version 7.0.15 is possible to perform Reflected Cross-site scripting
attacks in the Administration Console.
|
|||||
| CVE-2024-10031 | 1 Eclipse | 1 Glassfish | 2025-07-16 | N/A | 5.4 MEDIUM |
|
In Eclipse GlassFish version 7.0.15 is possible to perform Stored Cross-site Scripting
attacks by modifying the configuration file in the underlying operating system.
|
|||||
| CVE-2024-10032 | 1 Eclipse | 1 Glassfish | 2025-07-16 | N/A | 5.4 MEDIUM |
|
In Eclipse GlassFish version 7.0.15 is possible to perform Stored Cross-site scripting
attacks in the Administration Console.
|
|||||
| CVE-2024-9343 | 1 Eclipse | 1 Glassfish | 2025-07-16 | N/A | 6.1 MEDIUM |
|
In Eclipse GlassFish version 7.0.15 is possible to perform Stored Cross-site scripting
attacks in the Administration Console.
|
|||||
| CVE-2025-27867 | 1 Apache | 1 Felix Http Webconsole Plugin | 2025-07-16 | N/A | 5.6 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Felix HTTP Webconsole Plugin.
This issue affects Apache Felix HTTP Webconsole Plugin: from Version 1.X through 1.2.0.
Users are recommended to upgrade to version 1.2.2, which fixes the issue.
|
|||||
| CVE-2025-7408 | 1 Pushpam02 | 1 Zoo Management System | 2025-07-16 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability has been found in SourceCodester Zoo Management System 1.0 and classified as problematic. This vulnerability affects unknown code of the file /admin/templates/animal_form_template.php. The manipulation of the argument msg leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-6674 | 1 Gabderrahim | 1 Ckeditor5 Youtube | 2025-07-16 | N/A | 6.1 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal CKEditor5 Youtube allows Cross-Site Scripting (XSS).This issue affects CKEditor5 Youtube: from 0.0.0 before 1.0.3.
|
|||||
| CVE-2025-5234 | 1 Jegstudio | 1 Gutenverse News | 2025-07-16 | N/A | 6.4 MEDIUM |
|
The Gutenverse News plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘elementId’ parameter in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-5490 | 1 Antoineh | 1 Football Pool | 2025-07-16 | N/A | 5.5 MEDIUM |
|
The Football Pool plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.12.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has bee ...
Show More |
|||||
| CVE-2025-4774 | 1 Leap13 | 1 Premium Addons For Elementor | 2025-07-16 | N/A | 6.4 MEDIUM |
|
The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-countdown attribute of Countdown widget in all versions up to, and including, 4.11.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-3648 | 1 Sharethis | 1 Sharethis Share Buttons | 2025-07-16 | N/A | 6.4 MEDIUM |
|
The ShareThis Share Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sharethis-inline-button' shortcode in all versions up to, and including, 2.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-4577 | 1 Wpbeginner | 1 Smash Balloon Social Post Feed | 2025-07-16 | N/A | 6.4 MEDIUM |
|
The Smash Balloon Social Post Feed – Simple Social Feeds for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-color attribute in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-4045 | 1 Optinmonster | 1 Optinmonster | 2025-07-16 | N/A | 6.4 MEDIUM |
|
The Popup Builder by OptinMonster – WordPress Popups for Optins, Email Newsletters and Lead Generation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘campaign_id’ parameter in versions up to, and including, 2.16.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page ...
Show More |
|||||