Total: 42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-25620 | 1 Changeweb | 1 Unifiedtransform | 2025-06-23 | N/A | 5.4 MEDIUM | Unifiedtransform 2.0 is vulnerable to Cross Site Scripting (XSS) in the Create assignment function. |
| CVE-2025-2123 | 1 Qbnz | 1 Geshi | 2025-06-23 | 4.0 MEDIUM | 3.5 LOW | A vulnerability, which was classified as problematic, has been found in GeSHi up to 1.0.9.1. Affected by this issue is the function get_var of the file /contrib/cssgen.php of the component CSS Handler. The manipulation of the argument default-styles/keywords-1/keywords-2/keywords-3/keywords-4/comments leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2023-43378 | 1 Digitaldruid | 1 Hoteldruid | 2025-06-23 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in Hoteldruid v3.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the commento1_1 parameter. |
| CVE-2024-4256 | 1 Techkshetrainfo | 1 Savsoft Quiz | 2025-06-23 | 3.3 LOW | 2.4 LOW | A vulnerability was found in Techkshetra Info Solutions Savsoft Quiz 6.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /public/index.php/Qbank/editCategory of the component Category Page. The manipulation of the argument category_name with the input `><script>alert('XSS')</script>` leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is ... |
| CVE-2024-54779 | 1 Netgate | 2 Pfsense Ce, Pfsense Plus | 2025-06-23 | N/A | 5.4 MEDIUM | Netgate pfSense CE (prior to 2.8.0 beta release) and corresponding Plus builds are vulnerable to Cross Site Scripting (XSS) in widgets/log.widget.php. |
| CVE-2024-57273 | 1 Netgate | 2 Pfsense Ce, Pfsense Plus | 2025-06-23 | N/A | 5.4 MEDIUM | Netgate pfSense CE (prior to 2.8.0 beta release) and corresponding Plus builds are vulnerable to Cross-site scripting (XSS) in the Automatic Configuration Backup (ACB) service, allowing remote attackers to execute arbitrary JavaScript, delete backups, or leak sensitive information via an unsanitized "reason" field and a derivable device key generated from the public SSH key. |
| CVE-2025-45002 | 1 Codervivek | 1 Vigybag | 2025-06-23 | N/A | 5.4 MEDIUM | Vigybag v1.0 and before is vulnerable to Cross Site Scripting (XSS) via the upload profile picture function under my profile. |
| CVE-2025-46096 | 1 Noear | 1 Solon | 2025-06-23 | N/A | 6.1 MEDIUM | Directory Traversal vulnerability in solon v.3.1.2 allows a remote attacker to conduct XSS attacks via the solon-faas-luffy component. |
| CVE-2025-28102 | 1 Dogukanurker | 1 Flaskblog | 2025-06-23 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in flaskBlog v2.6.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the postContent parameter at /createpost. |
| CVE-2024-24136 | 1 Remyandrade | 1 Math Game | 2025-06-20 | N/A | 6.1 MEDIUM | The 'Your Name' field in the Submit Score section of Sourcecodester Math Game with Leaderboard v1.0 is vulnerable to Cross-Site Scripting (XSS) attacks. |
| CVE-2024-23905 | 1 Jenkins | 1 Red Hat Dependency Analytics | 2025-06-20 | N/A | 5.4 MEDIUM | Jenkins Red Hat Dependency Analytics Plugin 0.7.1 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download. |
| CVE-2024-23183 | 1 Appleple | 1 A-blog Cms | 2025-06-20 | N/A | 5.4 MEDIUM | Cross-site scripting vulnerability in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier allows a remote authenticated attacker to execute an arbitrary script on the logged-in user's web browser. |
| CVE-2024-23181 | 1 Appleple | 1 A-blog Cms | 2025-06-20 | N/A | 6.1 MEDIUM | Cross-site scripting vulnerability in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier allows a remote unauthenticated attacker to execute an arbitrary script on the logged-in user's web browser. |
| CVE-2024-23032 | 1 Eyoucms | 1 Eyoucms | 2025-06-20 | N/A | 6.1 MEDIUM | Cross Site Scripting vulnerability in the num parameter in eyoucms v.1.6.5 allows a remote attacker to run arbitrary code via a crafted URL. |
| CVE-2024-22635 | 1 Webcalendar Project | 1 Webcalendar | 2025-06-20 | N/A | 6.1 MEDIUM | WebCalendar v1.3.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /WebCalendarvqsmnseug2/edit_entry.php. |
| CVE-2024-22570 | 1 Njtech | 1 Greencms | 2025-06-20 | N/A | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability in /install.php?m=install&c=index&a=step3 of GreenCMS v2.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2023-7089 | 1 Benjaminzekavica | 1 Easy Svg Support | 2025-06-20 | N/A | 5.4 MEDIUM | The Easy SVG Allow WordPress plugin through 1.0 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. |
| CVE-2023-6278 | 1 Biteship | 1 Biteship | 2025-06-20 | N/A | 6.1 MEDIUM | The Biteship: Plugin Ongkos Kirim Kurir Instant, Reguler, Kargo WordPress plugin before 2.2.25 does not sanitise and escape the biteship_error and biteship_message parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. |
| CVE-2023-37571 | 1 Softing | 1 Th Scope | 2025-06-20 | N/A | 6.1 MEDIUM | Softing TH SCOPE through 3.70 allows XSS. |
| CVE-2023-33758 | 1 Splicecom | 1 Maximiser Soft Pbx | 2025-06-20 | N/A | 6.1 MEDIUM | Splicecom Maximiser Soft PBX v1.5 and before was discovered to contain a cross-site scripting (XSS) vulnerability via the CLIENT_NAME and DEVICE_GUID fields in the login component. |
| CVE-2021-43635 | 1 Codexnotes | 1 Codex | 2025-06-20 | 4.3 MEDIUM | 6.1 MEDIUM | A Cross Site Scripting (XSS) vulnerability exists in Codex before 1.4.0 via the Notebook/Page name field, which allows malicious users to execute arbitrary code via crafted http code in a .json file. |
| CVE-2024-22549 | 1 Flycms Project | 1 Flycms | 2025-06-20 | N/A | 5.4 MEDIUM | FlyCms 1.0 is vulnerable to Cross Site Scripting (XSS) in the email settings of the website settings section. |
| CVE-2024-0606 | 1 Mozilla | 1 Firefox Focus | 2025-06-20 | N/A | 6.1 MEDIUM | An attacker could execute unauthorized script on a legitimate site through UXSS using window.open() by opening a javascript URI, leading to unauthorized actions within the user's loaded webpage. This vulnerability affects Focus for iOS < 122. |
| CVE-2023-52330 | 1 Trendmicro | 1 Apex One | 2025-06-20 | N/A | 6.1 MEDIUM | A cross-site scripting vulnerability in Trend Micro Apex Central could allow a remote attacker to execute arbitrary code on affected installations of Trend Micro Apex Central. Please note: user interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. |
| CVE-2023-51946 | 1 Actidata | 2 Actinas Sl 2u-8 Rdx, Actinas Sl 2u-8 Rdx Firmware | 2025-06-20 | N/A | 6.1 MEDIUM | Multiple reflected cross-site scripting (XSS) vulnerabilities in nasSvr.php in actidata actiNAS-SL-2U-8 3.2.03-SP1 allow remote attackers to inject arbitrary web script or HTML. |
| CVE-2023-41176 | 1 Trendmicro | 1 Mobile Security | 2025-06-20 | N/A | 6.1 MEDIUM | Reflected cross-site scripting (XSS) vulnerabilities in Trend Micro Mobile Security (Enterprise) could allow an exploit against an authenticated victim that visits a malicious link provided by an attacker. Please note, this vulnerability is similar to, but not identical to, CVE-2023-41177. |
| CVE-2024-31651 | 1 Oretnom23 | 1 Cosmetics And Beauty Product Online Store | 2025-06-20 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in Cosmetics and Beauty Product Online Store v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the First Name parameter. |
| CVE-2024-55224 | 1 Dani-garcia | 1 Vaultwarden | 2025-06-20 | N/A | 9.6 CRITICAL | An HTML injection vulnerability in Vaultwarden prior to v1.32.5 allows attackers to execute arbitrary code via injecting a crafted payload into the username field of an e-mail message. |
| CVE-2024-37776 | 1 Sunbirddcim | 1 Dctrack | 2025-06-20 | N/A | 4.8 MEDIUM | A cross-site scripting (XSS) vulnerability in Sunbird DCIM dcTrack v9.1.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in some admin screens. |
| CVE-2024-22714 | 1 Codelyfe | 1 Stupid Simple Cms | 2025-06-20 | N/A | 6.1 MEDIUM | Stupid Simple CMS <=1.2.4 is vulnerable to Cross Site Scripting (XSS) in the editing section of the article content. |
| CVE-2024-0233 | 1 Myeventon | 1 Eventon | 2025-06-20 | N/A | 6.1 MEDIUM | The EventON WordPress plugin before 4.5.5 and the EventON WordPress plugin before 2.2.7 do not properly sanitise and escape a parameter before outputting it back in pages, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. |
| CVE-2023-7084 | 1 Davidjmiller | 1 Voting Record | 2025-06-20 | N/A | 5.4 MEDIUM | The Voting Record WordPress plugin through 2.0 is missing sanitisation as well as escaping, which could allow any authenticated user, such as a subscriber, to perform Stored XSS attacks. |
| CVE-2023-6005 | 1 Myeventon | 1 Eventon | 2025-06-20 | N/A | 4.8 MEDIUM | The EventON WordPress plugin before 4.5.5 and the EventON WordPress plugin before 2.2.7 do not sanitize and escape some of their settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). |
| CVE-2023-51807 | 1 Ofcms Project | 1 Ofcms | 2025-06-20 | N/A | 5.4 MEDIUM | Cross Site Scripting vulnerability in OFCMS v.1.14 allows a remote attacker to obtain sensitive information via a crafted payload to the title addition component. |
| CVE-2023-48104 | 1 Alinto | 1 Sogo | 2025-06-20 | N/A | 6.1 MEDIUM | Alinto SOGo before 5.9.1 is vulnerable to HTML Injection. |
| CVE-2024-51472 | 1 Ibm | 2 Devops Deploy, Urbancode Deploy | 2025-06-20 | N/A | 3.1 LOW | IBM UrbanCode Deploy (UCD) 7.2 through 7.2.3.13, 7.3 through 7.3.2.8, and IBM DevOps Deploy 8.0 through 8.0.1.3 are vulnerable to HTML injection. This vulnerability may allow a user to embed arbitrary HTML tags in the Web UI, potentially leading to sensitive information disclosure. |
| CVE-2025-21616 | 1 Plane | 1 Plane | 2025-06-20 | N/A | 5.4 MEDIUM | Plane is an open-source project management tool. A cross-site scripting (XSS) vulnerability has been identified in Plane versions prior to 0.23. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims' browsers when viewing the profile image. |
| CVE-2024-50659 | 1 Ipublishmedia | 1 Adportal | 2025-06-20 | N/A | 6.1 MEDIUM | Cross Site Scripting vulnerability in iPublish Media Solutions AdPortal 3.0.39 allows a remote attacker to escalate privileges via the shippingAsBilling parameter in updateuserinfo.html. |
| CVE-2024-23174 | 1 Mediawiki | 1 Mediawiki | 2025-06-20 | N/A | 5.4 MEDIUM | An issue was discovered in the PageTriage extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. XSS can occur via the rev-deleted-user, pagetriage-tags-quickfilter-label, pagetriage-triage, pagetriage-filter-date-range-format-placeholder, pagetriage-filter-date-range-to, pagetriage-filter-date-range-from, pagetriage-filter-date-range-heading, pagetriage-filter-set-button, or pagetriage-filter-reset-button message. |
| CVE-2024-23171 | 1 Mediawiki | 1 Mediawiki | 2025-06-20 | N/A | 5.4 MEDIUM | An issue was discovered in the CampaignEvents extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. The Special:EventDetails page allows XSS via the x-xss language setting for internationalization (i18n). |