Total: 42233 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2024-6462 | 1 Dyadyalesha | 1 Dl Yandex Metrika | 2025-06-11 | N/A | 4.8 MEDIUM | The DL Yandex Metrika WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2024-6478 | 1 Thisfunctional | 1 Ctt Expresso Para Woocommerce | 2025-06-11 | N/A | 4.8 MEDIUM | The CTT Expresso para WooCommerce WordPress plugin before 3.2.13 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2024-45194 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | N/A | 4.8 MEDIUM | In Zimbra Collaboration (ZCS) 9.0 and 10.0, a vulnerability in the Webmail Modern UI allows execution of stored Cross-Site Scripting (XSS) payloads. An attacker with administrative access to the Zimbra Administration Panel can inject malicious JavaScript code while configuring an email account. This injected code is stored on the server and executed in the context of the victim's browser when interacting with specific elements in the web interface. (The vulnerability can be mitigated by properly ... |
| CVE-2025-22996 | 1 Linksys | 2 E5600, E5600 Firmware | 2025-06-11 | N/A | 4.8 MEDIUM | A stored cross-site scripting (XSS) vulnerability in the spf_table_content component of Linksys E5600 Router Ver. 1.1.0.26 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the desc parameter. |
| CVE-2025-22997 | 1 Linksys | 2 E5600, E5600 Firmware | 2025-06-11 | N/A | 4.8 MEDIUM | A stored cross-site scripting (XSS) vulnerability in the prf_table_content component of Linksys E5600 Router Ver. 1.1.0.26 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the desc parameter. |
| CVE-2024-13865 | 1 S3bubble | 1 S3player | 2025-06-11 | N/A | 6.1 MEDIUM | The S3Player WordPress plugin through 4.2.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users. |
| CVE-2024-1663 | 1 Texttheater | 1 Ultimate Noindex Nofollow Tool Ii | 2025-06-11 | N/A | 4.8 MEDIUM | The Ultimate Noindex Nofollow Tool II WordPress plugin before 1.3.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2024-2643 | 1 Premio | 1 My Sticky Bar | 2025-06-11 | N/A | 4.8 MEDIUM | The Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any WordPress plugin before 2.6.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2024-3931 | 1 Totara | 1 Totara | 2025-06-10 | 4.0 MEDIUM | 3.5 LOW | A vulnerability was found in Totara LMS up to 18.7. It has been rated as problematic. Affected by this issue is some unknown functionality of the file admin/roles/check.php of the component User Selector. The manipulation of the argument ID Number leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 13.46, 14.38, 15.33, 16.27, 17.21 and 18.8 is able to address this issue. It is recommended to upgrad ... |
| CVE-2024-28725 | 1 Yzmcms | 1 Yzmcms | 2025-06-10 | N/A | 7.1 HIGH | Cross Site Scripting (XSS) vulnerability in YzmCMS 7.0 allows attackers to run arbitrary code via Ads Management, Carousel Management, and System Settings. |
| CVE-2025-45755 | 1 Vtiger | 1 Vtiger Crm | 2025-06-10 | N/A | 6.1 MEDIUM | A Stored Cross-Site Scripting (XSS) vulnerability exists in Vtiger CRM Open Source Edition v8.3.0, exploitable via the Services Import feature. An attacker can craft a malicious CSV file containing an XSS payload, mapped to the Service Name field. When the file is uploaded, the application improperly sanitizes user input, leading to persistent script execution. |
| CVE-2025-5726 | 1 Razormist | 1 Student Result Management System | 2025-06-10 | 3.3 LOW | 2.4 LOW | A vulnerability was found in SourceCodester Student Result Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /script/academic/division-system of the component Division System Page. The manipulation of the argument Division leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-5727 | 1 Razormist | 1 Student Result Management System | 2025-06-10 | 3.3 LOW | 2.4 LOW | A vulnerability classified as problematic has been found in SourceCodester Student Result Management System 1.0. This affects an unknown part of the file /script/academic/announcement of the component Announcement Page. The manipulation of the argument Title leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-5764 | 1 Code-projects | 1 Simple Laundry System | 2025-06-10 | 4.0 MEDIUM | 3.5 LOW | A vulnerability was found in code-projects Laundry System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /data/insert_laundry.php. The manipulation of the argument Customer leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-5765 | 1 Code-projects | 1 Simple Laundry System | 2025-06-10 | 4.0 MEDIUM | 3.5 LOW | A vulnerability was found in code-projects Laundry System 1.0. It has been classified as problematic. This affects an unknown part of the file /data/edit_laundry.php. The manipulation of the argument Customer leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2024-27719 | 1 Rems | 1 Faq Management System | 2025-06-10 | N/A | 6.1 MEDIUM | A cross site scripting (XSS) vulnerability in rems FAQ Management System v.1.0 allows a remote attacker to obtain sensitive information via a crafted payload to the Frequently Asked Question field in the Add FAQ function. |
| CVE-2024-48228 | 1 Funadmin | 1 Funadmin | 2025-06-10 | N/A | 6.1 MEDIUM | An issue was found in funadmin 5.0.2. The selectfiles method in \backend\controller\sys\Attachh.php directly stores the passed parameters and values into the param parameter without filtering, resulting in Cross Site Scripting (XSS). |
| CVE-2024-35110 | 1 Yzmcms | 1 Yzmcms | 2025-06-10 | N/A | 5.5 MEDIUM | A reflected XSS vulnerability has been found in YzmCMS 7.1. The vulnerability exists in yzmphp/core/class/application.class.php: when logged-in users access a malicious link, their cookies can be captured by an attacker. |
| CVE-2024-33300 | 1 Typora | 1 Typora | 2025-06-10 | N/A | 7.3 HIGH | The Typora Markdown editor, versions v1.0.0 through v1.7 (and below), has a cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary code by uploading Markdown files. |
| CVE-2024-34401 | 1 Techkshetrainfo | 1 Savsoft Quiz | 2025-06-10 | N/A | 6.1 MEDIUM | Savsoft Quiz 6.0 allows stored XSS via the index.php/quiz/insert_quiz/ quiz_name parameter. |
| CVE-2024-34462 | 1 Alinto | 1 Sogo | 2025-06-10 | N/A | 6.1 MEDIUM | Alinto SOGo through 5.10.0 allows XSS during attachment preview. |
| CVE-2024-4090 | 1 Premio | 1 My Sticky Bar | 2025-06-10 | N/A | 4.8 MEDIUM | The Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any WordPress plugin before 2.7.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. |
| CVE-2024-6272 | 1 10web | 1 Spidercontacts | 2025-06-10 | N/A | 6.1 MEDIUM | The SpiderContacts WordPress plugin through 1.1.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. |
| CVE-2024-6536 | 1 Dylanjkotze | 1 Zephyr Project Manager | 2025-06-10 | N/A | 5.4 MEDIUM | The Zephyr Project Manager WordPress plugin before 3.3.99 does not sanitise and escape some of its settings, which could allow high privilege users such as editors and admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2024-4217 | 1 Getshortcodes | 1 Shortcodes Ultimate | 2025-06-10 | N/A | 4.7 MEDIUM | The shortcodes-ultimate-pro WordPress plugin before 7.1.5 does not properly escape some of its shortcodes' settings, making it possible for attackers with a Contributor account to conduct Stored XSS attacks. |
| CVE-2024-0974 | 1 Bmwebproperties | 1 Social Media Widget | 2025-06-10 | N/A | 4.8 MEDIUM | The Social Media Widget WordPress plugin before 4.0.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2025-5721 | 1 Razormist | 1 Student Result Management System | 2025-06-10 | 3.3 LOW | 2.4 LOW | A vulnerability, which was classified as problematic, was found in SourceCodester Student Result Management System 1.0. This affects an unknown part of the file /script/academic/core/update_profile of the component Profile Setting Page. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-47702 | 1 Oembed Providers Project | 1 Oembed Providers | 2025-06-10 | N/A | 6.1 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal oEmbed Providers allows Cross-Site Scripting (XSS). This issue affects oEmbed Providers: from 0.0.0 before 2.2.2. |
| CVE-2025-47703 | 1 Cookies Consent Manager Project | 1 Cookies Consent Manager | 2025-06-10 | N/A | 6.1 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS). This issue affects COOKiES Consent Management: from 0.0.0 before 1.2.14. |
| CVE-2024-30951 | 1 Fudforum | 1 Fudforum | 2025-06-10 | N/A | 6.1 MEDIUM | FUDforum v3.1.3 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the chpos parameter at /adm/admsmiley.php. |
| CVE-2024-30950 | 1 Fudforum | 1 Fudforum | 2025-06-10 | N/A | 3.5 LOW | A stored cross-site scripting (XSS) vulnerability in FUDforum v3.1.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the SQL statements field under /adm/admsql.php. |
| CVE-2025-47704 | 1 Klaro Cookie & Consent Management Project | 1 Klaro Cookie & Consent Management | 2025-06-10 | N/A | 6.1 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Klaro Cookie & Consent Management allows Cross-Site Scripting (XSS). This issue affects Klaro Cookie & Consent Management: from 0.0.0 before 3.0.5. |
| CVE-2025-46173 | 1 Code-projects | 1 Online Exam Mastering System | 2025-06-10 | N/A | 6.1 MEDIUM | code-projects Online Exam Mastering System 1.0 is vulnerable to Cross Site Scripting (XSS) via the name field in the feedback form. |
| CVE-2025-5584 | 1 Anujk305 | 1 Hospital Management System | 2025-06-10 | 3.3 LOW | 2.4 LOW | A vulnerability was found in PHPGurukul Hospital Management System 4.0. It has been classified as problematic. Affected is an unknown function of the file /doctor/edit-patient.php?editid=2 of the component POST Parameter Handler. The manipulation of the argument patname leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-31136 | 1 Freshrss | 1 Freshrss | 2025-06-10 | N/A | 6.7 MEDIUM | FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, it's possible to run arbitrary JavaScript on the feeds page. This occurs by combining a cross-site scripting (XSS) issue that occurs in `f.php` when SVG favicons are downloaded from an attacker-controlled feed containing `<script>` tags inside of them that aren't sanitized, with the lack of CSP in `f.php` by embedding the malicious favicon in an iframe (that has `sandbox="allow-scripts allow-same-origin"` set as its attribut ... |
| CVE-2025-5722 | 1 Munyweki | 1 Student Result Management System | 2025-06-10 | 3.3 LOW | 2.4 LOW | A vulnerability has been found in SourceCodester Student Result Management System 1.0 and classified as problematic. This vulnerability affects unknown code of the file /script/academic/terms of the component Add Academic Term. The manipulation of the argument Academic Term leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-5723 | 1 Munyweki | 1 Student Result Management System | 2025-06-10 | 3.3 LOW | 2.4 LOW | A vulnerability was found in SourceCodester Student Result Management System 1.0 and classified as problematic. This issue affects some unknown processing of the file /script/academic/classes of the component Classes Page. The manipulation of the argument Class Name leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-5724 | 1 Munyweki | 1 Student Result Management System | 2025-06-10 | 3.3 LOW | 2.4 LOW | A vulnerability was found in SourceCodester Student Result Management System 1.0. It has been classified as problematic. Affected is an unknown function of the file /script/academic/subjects of the component Subjects Page. The manipulation of the argument Subject leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-5725 | 1 Munyweki | 1 Student Result Management System | 2025-06-10 | 3.3 LOW | 2.4 LOW | A vulnerability was found in SourceCodester Student Result Management System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /script/academic/grading-system of the component Grading System Page. The manipulation of the argument Remark leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2023-46471 | 1 Spaceapplications | 1 Yacms | 2025-06-10 | N/A | 5.4 MEDIUM | Cross Site Scripting vulnerability in Space Applications Services Yamcs v.5.8.6 allows a remote attacker to execute arbitrary code via the text variable scriptContainer of the ScriptViewer. |