Total: 42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2024-27780 | 1 Fortinet | 1 Fortisiem | 2025-07-16 | N/A | 2.2 LOW | Multiple Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerabilities [CWE-79] in the incident page of FortiSIEM 7.1 all versions, 7.0 all versions, and 6.7 all versions may allow an authenticated attacker to perform a cross-site scripting attack via crafted HTTP requests. |
| CVE-2025-7601 | 1 Phpgurukul | 1 Online Library Management System | 2025-07-16 | 4.0 MEDIUM | 3.5 LOW | A vulnerability has been found in PHPGurukul Online Library Management System 3.0 and classified as problematic. This vulnerability affects unknown code of the file /admin/student-history.php. The manipulation of the argument stdid leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-1392 | 1 Dlink | 2 Dir-816, Dir-816 Firmware | 2025-07-16 | 4.0 MEDIUM | 3.5 LOW | A vulnerability has been found in D-Link DIR-816 1.01TO and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /cgi-bin/webproc?getpage=html/index.html&var:menu=24gwlan&var:page=24G_basic. The manipulation of the argument SSID leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. |
| CVE-2017-18524 | 1 Antoineh | 1 Football Pool | 2025-07-16 | 4.3 MEDIUM | 6.1 MEDIUM | The football-pool plugin before 2.6.5 for WordPress has multiple XSS issues. |
| CVE-2024-11685 | 1 Iseard | 1 Kudos Donations | 2025-07-16 | N/A | 6.1 MEDIUM | The `Kudos Donations – Easy donations and payments with Mollie` plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of `add_query_arg` without appropriate escaping on the URL in all versions up to, and including, 3.2.9. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute if they can successfully trick a user into performing an action, such as clicking on a specially crafted link. |
| CVE-2025-53824 | 1 Wegia | 1 Wegia | 2025-07-15 | N/A | 5.4 MEDIUM | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the editar_permissoes.php endpoint of the WeGIA application prior to version 3.4.4. This vulnerability allows attackers to inject malicious scripts in the msg_c parameter. Version 3.4.4 fixes the issue. |
| CVE-2025-53822 | 1 Wegia | 1 Wegia | 2025-07-15 | N/A | 6.5 MEDIUM | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the `relatorio_geracao.php` endpoint of the WeGIA application prior to version 3.4.5. This vulnerability allows attackers to inject malicious scripts in the `tipo_relatorio` parameter. Version 3.4.5 has a patch for the issue. |
| CVE-2025-53820 | 1 Wegia | 1 Wegia | 2025-07-15 | N/A | 6.5 MEDIUM | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the `index.php` endpoint of the WeGIA application prior to version 3.4.5. This vulnerability allows attackers to inject malicious scripts in the `erro` parameter. Version 3.4.5 contains a patch for the issue. |
| CVE-2025-53903 | | | 2025-07-15 | N/A | N/A | The Scratch Channel is a news website that is under development as of time of this writing. The file `/api/users.js` doesn't properly sanitize text box inputs, leading to a potential vulnerability to cross-site scripting attacks. Commit 90b39eb56b27b2bac29001abb1a3cac0964b8ddb addresses this issue. |
| CVE-2025-52378 | | | 2025-07-15 | N/A | 5.4 MEDIUM | Cross-Site Scripting (XSS) vulnerability in Nexxt Solutions NCM-X1800 Mesh Router firmware UV1.2.7 and below allowing attackers to inject JavaScript code that is executed in the context of administrator sessions when viewing the device management page via the DEVICE_ALIAS parameter to the /web/um_device_set_aliasname endpoint. |
| CVE-2024-10116 | 1 Firecask | 1 Twitter Follow Button | 2025-07-15 | N/A | 6.4 MEDIUM | The Twitter Follow Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'username' parameter in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2024-56475 | 2 Ibm, Linux | 3 Aix, Txseries For Multiplatforms, Linux Kernel | 2025-07-15 | N/A | 5.4 MEDIUM | IBM TXSeries for Multiplatforms 9.1 and 11.1 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. |
| CVE-2019-16149 | 1 Fortinet | 1 Forticlientems | 2025-07-15 | N/A | 5.5 MEDIUM | An Improper Neutralization of Input During Web Page Generation in FortiClientEMS version 6.2.0 may allow a remote attacker to execute unauthorized code by injecting a malicious payload in the user profile of a FortiClient instance being managed by the vulnerable system. |
| CVE-2024-58130 | 1 Misp | 1 Misp | 2025-07-15 | N/A | 7.2 HIGH | In app/Controller/Component/RestResponseComponent.php in MISP before 2.4.193, REST endpoints lack sanitization for non-JSON responses. |
| CVE-2025-2711 | 1 Yonyou | 1 Ufida Erp-nc | 2025-07-15 | 5.0 MEDIUM | 4.3 MEDIUM | A vulnerability was found in Yonyou UFIDA ERP-NC 5.0. It has been classified as problematic. Affected is an unknown function of the file /help/systop.jsp. The manipulation of the argument langcode leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-46953 | 1 Adobe | 1 Experience Manager | 2025-07-15 | N/A | 5.4 MEDIUM | Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Scope is changed. |
| CVE-2025-47110 | 1 Adobe | 3 Commerce, Commerce B2b, Magento | 2025-07-15 | N/A | 8.4 HIGH | Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Scope is changed to that of other high-privileged accounts, leading to a high impact on confidentiality, integrity, and ... |
| CVE-2024-8907 | 1 Google | 2 Android, Chrome | 2025-07-15 | N/A | 6.1 MEDIUM | Insufficient data validation in Omnibox in Google Chrome on Android prior to 129.0.6668.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (XSS) via a crafted set of UI gestures. (Chromium security severity: Medium) |
| CVE-2025-5703 | 1 Stageshow Project | 1 Stageshow | 2025-07-15 | N/A | 6.4 MEDIUM | The StageShow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘anchor’ parameter in all versions up to, and including, 10.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-5568 | 1 Mage-people | 1 Event Manager And Tickets Selling For Woocommerce | 2025-07-15 | N/A | 6.4 MEDIUM | The WpEvently plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2024-11850 | 1 Langgenius | 1 Dify | 2025-07-15 | N/A | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability exists in the latest version of langgenius/dify. The vulnerability is due to improper validation and sanitization of user input in SVG markdown support within the chatbot feature. An attacker can exploit this vulnerability by injecting malicious SVG content, which can execute arbitrary JavaScript code when viewed by an admin, potentially leading to credential theft. |
| CVE-2024-36697 | | | 2025-07-15 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in the Admin Login page of Allworx System Software v9.1.9.12 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the SessionID parameter at query.asp. |
| CVE-2025-53626 | | | 2025-07-15 | N/A | 6.1 MEDIUM | pdfme is a TypeScript-based PDF generator and React-based UI. The expression evaluation feature in pdfme 5.2.0 to 5.4.0 contains critical vulnerabilities allowing sandbox escape leading to XSS and prototype pollution attacks. This vulnerability is fixed in 5.4.1. |
| CVE-2025-7435 | | | 2025-07-15 | 4.0 MEDIUM | 3.5 LOW | A vulnerability was found in LiveHelperChat lhc-php-resque Extension up to ee1270b35625f552425e32a6a3061cd54b5085c4. It has been classified as problematic. This affects an unknown part of the file /site_admin/lhcphpresque/list/ of the component List Handler. The manipulation of the argument queue name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to p ... |
| CVE-2025-6716 | | | 2025-07-15 | N/A | 6.4 MEDIUM | The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'upload[1][title]' parameter in all versions up to, and including, 26.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will ... |
| CVE-2025-7672 | | | 2025-07-15 | N/A | 4.3 MEDIUM | The improper default setting in JiranSoft CrossEditor4 on Windows, Linux, Unix (API modules) potentially allows Stored XSS. This issue affects CrossEditor4: from 4.0.0.01 before 4.6.0.23. |
| CVE-2025-7554 | | | 2025-07-15 | 3.3 LOW | 2.4 LOW | A vulnerability classified as problematic was found in Sapido RB-1802 1.0.32. This vulnerability affects unknown code of the file urlfilter.asp of the component URL Filtering Page. The manipulation of the argument URL address leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-53839 | | | 2025-07-15 | N/A | 4.0 MEDIUM | DRACOON is a file sharing service, and the DRACOON Branding Service allows customers to customize their DRACOON interface with their brand. Versions of the DRACOON Branding Service prior to 2.10.0 are vulnerable to cross-site scripting. Improper neutralization of input from administrative users could inject HTML code into the workflow for newly onboarded users. A fix was made available in version 2.10.0 and rolled out to the DRACOON service. DRACOON customers do not need to take action. |
| CVE-2025-7618 | | | 2025-07-15 | N/A | N/A | A stored Cross-Site Scripting (XSS) vulnerability was found in the File Explorer and Text Editor of ADM. An attacker could exploit this vulnerability to inject malicious scripts into the applications, which may then access cookies or other sensitive information retained by the browser and used with the affected applications. Affected products and versions include: from ADM 4.1.0 to ADM 4.3.3.RH61 as well as ADM 5.0.0.RIN1 and earlier, and Text Editor 1.0.0.r112 and earlier. |
| CVE-2025-4369 | | | 2025-07-15 | N/A | 5.5 MEDIUM | The Companion Auto Update plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘update_delay_days’ parameter in all versions up to, and including, 3.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_h ... |
| CVE-2025-7367 | | | 2025-07-15 | N/A | 6.4 MEDIUM | The Strong Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Testimonial Custom Fields in all versions up to, and including, 3.2.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-7569 | | | 2025-07-15 | 4.0 MEDIUM | 3.5 LOW | A vulnerability was found in Bigotry OneBase up to 1.3.6. It has been declared as problematic. Affected by this vulnerability is the function parse_args of the file /tpl/think_exception.tpl. The manipulation of the argument args leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-53834 | | | 2025-07-15 | N/A | 6.3 MEDIUM | Caido is a web security auditing toolkit. A reflected cross-site scripting (XSS) vulnerability was discovered in Caido’s toast UI component in versions prior to 0.49.0. Toast messages may reflect unsanitized user input in certain tools such as Match&Replace and Scope. This could allow an attacker to craft input that results in arbitrary script execution. Version 0.49.0 fixes the issue. |
| CVE-2025-7380 | | | 2025-07-15 | N/A | N/A | A stored Cross-Site Scripting (XSS) vulnerability exists in the Access Control of ADM; the issue allows an attacker to inject malicious scripts into the folder name field while creating a new shared folder. These scripts are not properly sanitized and will be executed when the folder name is subsequently displayed in the user interface. This allows attackers to execute arbitrary JavaScript in the context of another user's session, potentially accessing session cookies or other sensitive data. Af ... |
| CVE-2025-7567 | | | 2025-07-15 | 5.0 MEDIUM | 4.3 MEDIUM | A vulnerability was found in ShopXO up to 6.5.0 and classified as problematic. This issue affects some unknown processing of the file header.html. The manipulation of the argument lang/system_type leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-53865 | | | 2025-07-15 | N/A | 6.4 MEDIUM | In Roundup before 2.5.0, XSS can occur via interaction between URLs and issue tracker templates (devel and responsive). |
| CVE-2025-20250 | 1 Cisco | 1 Webex Meetings | 2025-07-14 | N/A | 6.1 MEDIUM | A vulnerability in Cisco Webex could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack. This vulnerability is due to improper filtering of user-supplied input. An attacker could exploit this vulnerability by persuading a user to follow a malicious link. A successful exploit could allow the attacker to conduct a cross-site scripting attack against the targeted user. |
| CVE-2025-20247 | 1 Cisco | 1 Webex Meetings | 2025-07-14 | N/A | 6.1 MEDIUM | A vulnerability in Cisco Webex could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack. This vulnerability is due to improper filtering of user-supplied input. An attacker could exploit this vulnerability by persuading a user to follow a malicious link. A successful exploit could allow the attacker to conduct a cross-site scripting attack against the targeted user. |
| CVE-2025-20246 | 1 Cisco | 1 Webex Meetings | 2025-07-14 | N/A | 6.1 MEDIUM | A vulnerability in Cisco Webex could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack. This vulnerability is due to improper filtering of user-supplied input. An attacker could exploit this vulnerability by persuading a user to follow a malicious link. A successful exploit could allow the attacker to conduct a cross-site scripting attack against the targeted user. |
| CVE-2024-53679 | 1 Apache | 1 Vcl | 2025-07-14 | N/A | 5.4 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache VCL in the User Lookup form. A user with sufficient rights to be able to view this part of the site can craft a URL, or be tricked into clicking a URL, that will give a specified user elevated rights. This issue affects all versions of Apache VCL through 2.5.1. Users are recommended to upgrade to version 2.5.2, which fixes the issue. |