Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-49540 | 1 Adobe | 1 Coldfusion | 2025-07-11 | N/A | 4.3 MEDIUM |
|
ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field, scope is changed. The vulnerable component is restricted to internal IP addresses.
|
|||||
| CVE-2024-52290 | 1 Lfedge | 1 Ekuiper | 2025-07-11 | N/A | 6.3 MEDIUM |
|
LF Edge eKuiper is a lightweight internet of things (IoT) data analytics and stream processing engine. Prior to version 2.1.0 user with rights to modificate the service (e.g. kuiperUser role) can inject a cross-site scripting payload into Connection Configuration key `Name` (`confKey`) parameter. After this setup, when any user with access to this service (e.g. admin) tries to delete this key, a payload acts in the victim's browser. Version 2.1.0 fixes the issue.
|
|||||
| CVE-2025-6778 | 1 Fabian | 1 Food Distributor Site | 2025-07-11 | 3.3 LOW | 2.4 LOW |
|
A vulnerability, which was classified as problematic, was found in code-projects Food Distributor Site 1.0. Affected is an unknown function of the file /admin/save_settings.php. The manipulation of the argument site_phone/site_email/address leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-6569 | 1 Fabian | 1 School Fees Payment System | 2025-07-11 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability classified as problematic was found in code-projects School Fees Payment System 1.0. Affected by this vulnerability is an unknown functionality of the file /student.php. The manipulation of the argument sname/contact/about/emailid/transcation_remark leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-36580 | 1 Dell | 1 Wyse Management Suite | 2025-07-11 | N/A | 6.1 MEDIUM |
|
Dell Wyse Management Suite, versions prior to WMS 5.2, contain an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Script injection
|
|||||
| CVE-2025-36577 | 1 Dell | 1 Wyse Management Suite | 2025-07-11 | N/A | 6.1 MEDIUM |
|
Dell Wyse Management Suite, versions prior to WMS 5.2, contain an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Script injection.
|
|||||
| CVE-2024-12120 | 1 Royal-elementor-addons | 1 Royal Elementor Addons | 2025-07-11 | N/A | 5.4 MEDIUM |
|
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown widget display_message_text parameter in all versions up to, and including, 1.7.1017 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-39361 | 1 Royal-elementor-addons | 1 Royal Elementor Addons | 2025-07-11 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WProyal Royal Elementor Addons allows Stored XSS.This issue affects Royal Elementor Addons: from n/a through 1.7.1017.
|
|||||
| CVE-2025-46825 | 1 Kanboard | 1 Kanboard | 2025-07-11 | N/A | 5.4 MEDIUM |
|
Kanboard is project management software that focuses on the Kanban methodology. Versions 1.2.26 through 1.2.44 have a Stored Cross-Site Scripting (XSS) Vulnerability in the `name` parameter of the `http://localhost/?controller=ProjectCreationController&action=create` form. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users. Note that the default content security policy (CSP) blocks the JavaScript attack, though it can be exploited if an instance ...
Show More |
|||||
| CVE-2025-5125 | 1 Howardehrenberg | 1 Custom Post Carousels With Owl | 2025-07-11 | N/A | 4.8 MEDIUM |
|
The Custom Post Carousels with Owl WordPress plugin before 1.4.12 uses the featherlight library and makes use of the data-featherlight attribute without sanitizing before using it.
|
|||||
| CVE-2025-48700 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-07-11 | N/A | 6.1 MEDIUM |
|
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0 and 10.0 and 10.1. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, specifically involving crafted tag structures and attribute values that include an @import directive and other script injection vecto ...
Show More |
|||||
| CVE-2025-5488 | 1 Kaushik07 | 1 Wp Masonry \& Infinite Scroll | 2025-07-11 | N/A | 6.4 MEDIUM |
|
The WP Masonry & Infinite Scroll plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wmis' shortcode in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-5540 | 1 Emarketdesign | 1 Event Rsvp And Simple Event Management | 2025-07-11 | N/A | 6.4 MEDIUM |
|
The Event RSVP and Simple Event Management Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'emd_mb_meta' shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-22249 | 1 Vmware | 3 Aria Automation, Cloud Foundation, Telco Cloud Platform | 2025-07-11 | N/A | 8.2 HIGH |
|
VMware Aria automation contains a DOM based Cross-Site Scripting (XSS) vulnerability. A malicious actor may exploit this issue to steal the access token of a logged in user of VMware Aria automation appliance by tricking the user into clicking a malicious crafted payload URL.
|
|||||
| CVE-2025-6676 | 1 Gbyte | 1 Simple Xml Sitemap | 2025-07-11 | N/A | 5.4 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Simple XML sitemap allows Cross-Site Scripting (XSS).This issue affects Simple XML sitemap: from 0.0.0 before 4.2.2.
|
|||||
| CVE-2025-6677 | 1 Paragraphs Table Project | 1 Paragraphs Table | 2025-07-11 | N/A | 5.4 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Paragraphs table allows Cross-Site Scripting (XSS).This issue affects Paragraphs table: from 2.0.0 before 2.0.5.
|
|||||
| CVE-2024-6480 | 1 Shopitpress | 1 Sip Reviews Shortcode For Woocommerce | 2025-07-11 | N/A | 6.4 MEDIUM |
|
The SIP Reviews Shortcode for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'no_of_reviews' attribute in the woocommerce_reviews shortcode in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected ...
Show More |
|||||
| CVE-2024-48059 | 1 Gaizhenbiao | 1 Chuanhuchatgpt | 2025-07-11 | N/A | 6.1 MEDIUM |
|
gaizhenbiao/chuanhuchatgpt project, version <=20240802 is vulnerable to stored Cross-Site Scripting (XSS) in WebSocket session transmission. An attacker can inject malicious content into a WebSocket message. When a victim accesses this session, the malicious JavaScript is executed in the victim's browser.
|
|||||
| CVE-2024-10683 | 1 Wpplugin | 1 Paypal \& Stripe Add-on | 2025-07-11 | N/A | 6.1 MEDIUM |
|
The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.3.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This is only exploitable when the leave a review not ...
Show More |
|||||
| CVE-2024-9614 | 1 Mailmunch | 1 Constant Contact Forms | 2025-07-11 | N/A | 6.1 MEDIUM |
|
The Constant Contact Forms by MailMunch plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.1.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||
| CVE-2025-32526 | 1 Zephyr-one | 1 Zephyr Project Manager | 2025-07-11 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dylan James Zephyr Project Manager allows Reflected XSS. This issue affects Zephyr Project Manager: from n/a through 3.3.101.
|
|||||
| CVE-2025-6347 | 1 Fabian | 1 Responsive Blog Site | 2025-07-11 | 3.3 LOW | 2.4 LOW |
|
A vulnerability was found in code-projects Responsive Blog 1.0/1.12.4/3.3.4. It has been declared as problematic. This vulnerability affects unknown code of the file /responsive/resblog/blogadmin/admin/pageViewMembers.php. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-6353 | 1 Fabian | 1 Responsive Blog Site | 2025-07-11 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability classified as problematic was found in code-projects Responsive Blog 1.0. Affected by this vulnerability is an unknown functionality of the file /search.php. The manipulation of the argument keyword leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-57240 | 1 Apryse | 1 Webviewer | 2025-07-10 | N/A | 5.4 MEDIUM |
|
A Cross-Site Scripting (XSS) vulnerability in the Rendering Engine component in Apryse WebViewer v11.1 and earlier allows attackers to execute arbitrary code via a crafted PDF file.
|
|||||
| CVE-2025-53525 | 1 Wegia | 1 Wegia | 2025-07-10 | N/A | 6.1 MEDIUM |
|
WeGIA is a web manager for charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the profile_familiar.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the id_dependente parameter. This vulnerability is fixed in 3.4.3.
|
|||||
| CVE-2025-53526 | 1 Wegia | 1 Wegia | 2025-07-10 | N/A | 6.1 MEDIUM |
|
WeGIA is a web manager for charitable institutions. An XSS Injection vulnerability was identified in novo_memorando.php.
After the memo was submitted, the vulnerability was confirmed by accessing listar_memorandos_antigos.php. Upon loading this page, the injected script was executed in the browser. This vulnerability is fixed in 3.4.3.
|
|||||
| CVE-2024-44081 | 1 8x8 | 1 Jitsi Meet | 2025-07-10 | N/A | 9.8 CRITICAL |
|
In Jitsi Meet before 2.0.9779, the functionality to share a video file was implemented in an insecure way, resulting in clients loading videos from an arbitrary URL if a message from another participant contains a URL encoded in the expected format.
|
|||||
| CVE-2024-44080 | 1 8x8 | 1 Jitsi Meet | 2025-07-10 | N/A | 7.5 HIGH |
|
In Jitsi Meet before 2.0.9779, the functionality to share an image using giphy was implemented in an insecure way, resulting in clients loading GIFs from any arbitrary URL if a message from another participant contains a URL encoded in the expected format.
|
|||||
| CVE-2024-48036 | 1 Sktthemes | 1 Skt Blocks | 2025-07-10 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in SKT Themes SKT Blocks – Gutenberg based Page Builder allows Stored XSS.This issue affects SKT Blocks – Gutenberg based Page Builder: from n/a through 1.6.
|
|||||
| CVE-2024-10181 | 1 Tribulant | 1 Newsletters | 2025-07-10 | N/A | 6.4 MEDIUM |
|
The Newsletters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's newsletters_video shortcode in all versions up to, and including, 4.9.9.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-2337 | 1 Goldplugins | 1 Easy Testimonials | 2025-07-10 | N/A | 6.4 MEDIUM |
|
The Easy Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'testimonials_grid ' shortcode in all versions up to, and including, 3.9.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-5902 | 1 Monsterinsights | 1 Userfeedback | 2025-07-10 | N/A | 7.2 HIGH |
|
The User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the name parameter in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in feedback form responses that will execute whenever a high-privileged user tries to view them.
|
|||||
| CVE-2024-35236 | 1 Audiobookshelf | 1 Audiobookshelf | 2025-07-10 | N/A | 4.8 MEDIUM |
|
Audiobookshelf is a self-hosted audiobook and podcast server. Prior to version 2.10.0, opening an ebook with malicious scripts inside leads to code execution inside the browsing context. Attacking a user with high privileges (upload, creation of libraries) can lead to remote code execution (RCE) in the worst case. This was tested on version 2.9.0 on Windows, but an arbitrary file write is powerful enough as is and should easily lead to RCE on Linux, too. Version 2.10.0 contains a patch for the v ...
Show More |
|||||
| CVE-2023-48082 | 1 Nagios | 1 Nagios Xi | 2025-07-10 | N/A | 9.1 CRITICAL |
|
Nagios XI before 2024R1 was discovered to improperly handle API keys generation (randomly-generated), allowing attackers to possibly generate the same set of API keys for all users and utilize them to authenticate.
|
|||||
| CVE-2025-27099 | 1 Enalean | 1 Tuleap | 2025-07-10 | N/A | 4.8 MEDIUM |
|
Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap allows cross-site scripting (XSS) via the tracker names used in the semantic timeframe deletion message. A tracker administrator with a semantic timeframe used by other trackers could use this vulnerability to force other tracker administrators to execute uncontrolled code. This vulnerability is fixed in Tuleap Community Edition 16.4.99.1740067916 and Tuleap Enterprise Edition 16.4-5 and 16.3- ...
Show More |
|||||
| CVE-2025-5887 | 1 Jsnjfz | 1 Webstack-guns | 2025-07-10 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was found in jsnjfz WebStack-Guns 1.0. It has been classified as problematic. Affected is an unknown function of the file UserMgrController.java of the component File Upload. The manipulation of the argument File leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2024-10172 | 1 Voidcoders | 1 Wpbakery Visual Composer Whmcs Elements | 2025-07-10 | N/A | 6.4 MEDIUM |
|
The WPBakery Visual Composer WHMCS Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's void_wbwhmcse_laouts_search shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-41380 | 1 Microweber | 1 Microweber | 2025-07-10 | N/A | 6.1 MEDIUM |
|
microweber 2.0.16 was discovered to contain a Cross Site Scripting (XSS) vulnerability via userfiles\modules\tags\add_tagging_tagged.php.
|
|||||
| CVE-2024-41381 | 1 Microweber | 1 Microweber | 2025-07-10 | N/A | 6.1 MEDIUM |
|
microweber 2.0.16 was discovered to contain a Cross Site Scripting (XSS) vulnerability via userfiles\modules\settings\admin.php.
|
|||||
| CVE-2024-43346 | 1 Wow-company | 1 Modal Window | 2025-07-10 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wow-Company Modal Window allows Stored XSS.This issue affects Modal Window: from n/a through 6.0.3.
|
|||||