Total: 42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-52877 | 1 Jetbrains | 1 Teamcity | 2025-06-25 | N/A | 4.8 MEDIUM | In JetBrains TeamCity before 2025.03.3 reflected XSS on diskUsageBuildsStats page was possible |
| CVE-2025-52876 | 1 Jetbrains | 1 Teamcity | 2025-06-25 | N/A | 5.4 MEDIUM | In JetBrains TeamCity before 2025.03.3 reflected XSS on the favoriteIcon page was possible |
| CVE-2025-52875 | 1 Jetbrains | 1 Teamcity | 2025-06-25 | N/A | 5.4 MEDIUM | In JetBrains TeamCity before 2025.03.3 a DOM-based XSS at the Performance Monitor page was possible |
| CVE-2025-52879 | 1 Jetbrains | 1 Teamcity | 2025-06-25 | N/A | 4.8 MEDIUM | In JetBrains TeamCity before 2025.03.3 reflected XSS in the NPM Registry integration was possible |
| CVE-2025-6473 | 1 Fabian | 1 School Fees Payment System | 2025-06-25 | 5.0 MEDIUM | 4.3 MEDIUM | A vulnerability, which was classified as problematic, was found in code-projects School Fees Payment System 1.0. This affects an unknown part of the file /fees.php. The manipulation of the argument transcation_remark leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-6477 | 1 Razormist | 1 Student Result Management System | 2025-06-25 | 3.3 LOW | 2.4 LOW | A vulnerability was found in SourceCodester Student Result Management System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /script/admin/system of the component System Settings Page. The manipulation of the argument School Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2024-40124 | 1 Pydio | 1 Pydio | 2025-06-25 | N/A | 5.4 MEDIUM | Pydio Core <= 8.2.5 is vulnerable to Cross Site Scripting (XSS) via the New URL Bookmark feature. |
| CVE-2025-48958 | 1 Froxlor | 1 Froxlor | 2025-06-25 | N/A | 5.5 MEDIUM | Froxlor is open source server administration software. Prior to version 2.2.6, an HTML Injection vulnerability in the customer account portal allows an attacker to inject malicious HTML payloads in the email section. This can lead to phishing attacks, credential theft, and reputational damage by redirecting users to malicious external websites. The vulnerability has a medium severity, as it can be exploited through user input without authentication. Version 2.2.6 fixes the issue. |
| CVE-2025-4415 | 1 Matomo | 1 Piwik Pro | 2025-06-25 | N/A | 4.8 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Piwik PRO allows Cross-Site Scripting (XSS). This issue affects Piwik PRO: from 0.0.0 before 1.3.2. |
| CVE-2025-45754 | 1 Seeddms | 1 Seeddms | 2025-06-25 | N/A | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability exists in SeedDMS 6.0.32. This vulnerability allows an attacker to inject malicious JavaScript payloads by creating a document with an XSS payload as the document name. |
| CVE-2025-45880 | 1 Miliaris | 1 Amygdala | 2025-06-24 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in the data resource management function of Miliaris Amigdala v2.2.6 allows attackers to execute arbitrary HTML in the context of a user's browser via a crafted payload. |
| CVE-2025-45878 | 1 Miliaris | 1 Amygdala | 2025-06-24 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in the report manager function of Miliaris Amigdala v2.2.6 allows attackers to execute arbitrary HTML in the context of a user's browser via a crafted payload. |
| CVE-2024-50637 | 1 Webkul | 1 Unopim | 2025-06-24 | N/A | 5.4 MEDIUM | UnoPim 0.1.3 and below is vulnerable to Cross Site Scripting (XSS) in the Create User function. This allows attackers to perform XSS via an SVG document, which can be used to steal cookies. |
| CVE-2023-2142 | 1 Mozilla | 1 Nunjucks | 2025-06-24 | N/A | 6.1 MEDIUM | In Nunjucks versions prior to version 3.2.4, it was possible to bypass the restrictions which are provided by the autoescape functionality. If there are two user-controlled parameters on the same line used in the views, it was possible to inject cross site scripting payloads using the backslash \ character. |
| CVE-2025-3643 | 1 Moodle | 1 Moodle | 2025-06-24 | N/A | 5.4 MEDIUM | A flaw was found in Moodle. The return URL in the policy tool required additional sanitizing to prevent a reflected Cross-site scripting (XSS) risk. |
| CVE-2025-6126 | 1 Phpgurukul | 1 Rail Pass Management System | 2025-06-24 | 5.0 MEDIUM | 4.3 MEDIUM | A vulnerability was found in PHPGurukul Rail Pass Management System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /contact.php. The manipulation of the argument Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. |
| CVE-2025-6125 | 1 Phpgurukul | 1 Rail Pass Management System | 2025-06-24 | 3.3 LOW | 2.4 LOW | A vulnerability was found in PHPGurukul Rail Pass Management System 1.0. It has been classified as problematic. Affected is an unknown function of the file /admin/aboutus.php. The manipulation of the argument pagedes leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-6127 | 1 Phpgurukul | 1 Nipah Virus Testing Management System | 2025-06-24 | 4.0 MEDIUM | 3.5 LOW | A vulnerability was found in PHPGurukul Nipah Virus Testing Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /search-report.php. The manipulation of the argument serachdata leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-29280 | 1 Perfree | 1 Perfreeblog | 2025-06-24 | N/A | 4.8 MEDIUM | Stored cross-site scripting vulnerability exists in PerfreeBlog v4.0.11 in the website name field of the backend system settings interface allows an attacker to insert and execute arbitrary malicious code. |
| CVE-2024-9699 | 1 Flatpress | 1 Flatpress | 2025-06-24 | N/A | 5.4 MEDIUM | A vulnerability in the file upload functionality of the FlatPress CMS admin panel (version latest) allows an attacker to upload a file with a JavaScript payload disguised as a filename. This can lead to a Cross-Site Scripting (XSS) attack if the uploaded file is accessed by other users. The issue is fixed in version 1.4.dev. |
| CVE-2024-13209 | 1 Redaxo | 1 Redaxo | 2025-06-24 | 3.3 LOW | 2.4 LOW | A vulnerability was found in Redaxo CMS 5.18.1. It has been classified as problematic. Affected is an unknown function of the file /index.php?page=structure&category_id=1&article_id=1&clang=1&function=edit_art&artstart=0 of the component Structure Management Page. The manipulation of the argument Article Name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosu ... |
| CVE-2024-42898 | 1 Nagios | 1 Nagios Xi | 2025-06-24 | N/A | 5.4 MEDIUM | A cross-site scripting (XSS) vulnerability in Nagios XI 2024R1.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter in the Account Settings page. |
| CVE-2024-55226 | 1 Dani-garcia | 1 Vaultwarden | 2025-06-24 | N/A | 5.4 MEDIUM | Vaultwarden v1.32.5 was discovered to contain an authenticated reflected cross-site scripting (XSS) vulnerability via the component /api/core/mod.rs. |
| CVE-2024-51379 | 1 Jatos | 1 Jatos | 2025-06-24 | N/A | 8.4 HIGH | Stored Cross-Site Scripting (XSS) vulnerability discovered in JATOS v3.9.3. The vulnerability exists in the description component of the study section, where an attacker can inject JavaScript into the description field. This allows for the execution of malicious scripts when an admin views the description, potentially leading to account takeover and unauthorized actions. |
| CVE-2024-51380 | 1 Jatos | 1 Jatos | 2025-06-24 | N/A | 8.4 HIGH | Stored Cross-Site Scripting (XSS) vulnerability discovered in the Properties Component of JATOS v3.9.3. This flaw allows an attacker to inject malicious JavaScript into the properties section of a study, specifically within the UUID field. When an admin user accesses the study's properties, the injected script is executed in the admin's browser, which could lead to unauthorized actions, including account compromise and privilege escalation. |
| CVE-2023-1932 | 2 Hibernate, Redhat | 5 Hibernate-validator, Codeready Studio, Jboss Enterprise Application Platform and 2 more | 2025-06-24 | N/A | 6.1 MEDIUM | A flaw was found in hibernate-validator's 'isValid' method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may render an invalid html, allowing HTML injection or Cross-Site-Scripting (XSS) attacks. |
| CVE-2024-28715 | 1 Html-js | 1 Doracms | 2025-06-24 | N/A | 8.8 HIGH | Cross Site Scripting vulnerability in DOraCMS v.2.18 and before allows a remote attacker to execute arbitrary code via the markdown0 function in the /app/public/apidoc/oas3/wrap-components/markdown.jsx endpoint. |
| CVE-2024-40114 | 1 Sitecom | 2 Wlx-2006, Wlx-2006 Firmware | 2025-06-24 | N/A | 6.1 MEDIUM | A Cross Site Scripting (XSS) vulnerability in Sitecom WLX-2006 Wall Mount Range Extender N300 v1.5 and before allows an attacker to manipulate the language cookie to inject malicious JavaScript code. |
| CVE-2024-57427 | 1 Phpjabbers | 1 Cinema Booking System | 2025-06-24 | N/A | 6.1 MEDIUM | PHPJabbers Cinema Booking System v2.0 is vulnerable to reflected cross-site scripting (XSS). Multiple endpoints improperly handle user input, allowing malicious scripts to execute in a victim's browser. Attackers can craft malicious links to steal session cookies or conduct phishing attacks. |
| CVE-2024-57428 | 1 Phpjabbers | 1 Cinema Booking System | 2025-06-24 | N/A | 9.3 CRITICAL | A stored cross-site scripting (XSS) vulnerability in PHPJabbers Cinema Booking System v2.0 exists due to unsanitized input in file upload fields (event_img, seat_maps) and seat number configurations (number[new_X] in pjActionCreate). Attackers can inject persistent JavaScript, leading to phishing, malware injection, and session hijacking. |
| CVE-2024-4023 | 1 Flatpress | 1 Flatpress | 2025-06-23 | N/A | 8.1 HIGH | A stored cross-site scripting (XSS) vulnerability exists in flatpressblog/flatpress version 1.3. When a user uploads a file with a `.xsig` extension and directly accesses this file, the server responds with a Content-type of application/octet-stream, leading to the file being processed as an HTML file. This allows an attacker to execute arbitrary JavaScript code, which can be used to steal user cookies, perform HTTP requests, and access content of the same origin. |
| CVE-2025-5524 | | | 2025-06-23 | N/A | 4.9 MEDIUM | The OceanWP theme for WordPress is vulnerable to Stored Cross-Site Scripting via the Select HTML tag in all versions up to, and including, 4.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-23169 | | | 2025-06-23 | N/A | 6.1 MEDIUM | The Versa Director SD-WAN orchestration platform allows customization of the user interface, including the header, footer, and logo. However, the input provided for these customizations is not properly validated or sanitized, allowing a malicious user to inject and store cross-site scripting (XSS) payloads. Exploitation Status: Versa Networks is not aware of any reported instance where this vulnerability was exploited. Proof of concept for this vulnerability has been disclosed by third p ... |
| CVE-2025-6268 | | | 2025-06-23 | 5.0 MEDIUM | 4.3 MEDIUM | A vulnerability classified as problematic has been found in Luna Imaging up to 7.5.5.6. Affected is an unknown function of the file /luna/servlet/view/search. The manipulation of the argument q leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-50183 | | | 2025-06-23 | N/A | 6.5 MEDIUM | OpenList Frontend is a UI component for OpenList. Prior to version 4.0.0-rc.4, a vulnerability exists in the file preview/browsing feature of the application, where files with a .py extension that contain JavaScript code wrapped in <script> tags may be interpreted and executed as HTML in certain modes. This leads to a stored XSS vulnerability. This issue has been patched in version 4.0.0-rc.4. |
| CVE-2025-6201 | | | 2025-06-23 | N/A | 6.4 MEDIUM | The Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's conversion-pixel in all versions up to, and including, 1.49.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user ac ... |
| CVE-2025-50027 | | | 2025-06-23 | N/A | 5.9 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in xootix Login/Signup Popup allows Stored XSS. This issue affects Login/Signup Popup: from n/a through 2.9.4. |
| CVE-2025-50041 | | | 2025-06-23 | N/A | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Engine Gutenberg Blocks – ACF Blocks Suite allows Stored XSS. This issue affects Gutenberg Blocks – ACF Blocks Suite: from n/a through 2.6.11. |
| CVE-2025-50020 | | | 2025-06-23 | N/A | 5.9 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nitin Yawalkar RDFa Breadcrumb allows Stored XSS. This issue affects RDFa Breadcrumb: from n/a through 2.3. |
| CVE-2025-50012 | | | 2025-06-23 | N/A | 5.9 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fridaysystems Inventory Presser allows Stored XSS. This issue affects Inventory Presser: from n/a through 15.0.0. |