Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-13874 | 1 Feedify | 1 Web Push Notifications | 2025-04-30 | N/A | 7.1 HIGH |
|
The Feedify WordPress plugin before 2.4.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
|
|||||
| CVE-2025-25776 | 1 Codeastro | 1 Bus Ticket Booking System | 2025-04-30 | N/A | 5.0 MEDIUM |
|
Cross-Site Scripting (XSS) vulnerability exists in the User Registration and User Profile features of Codeastro Bus Ticket Booking System v1.0 allows an attacker to execute arbitrary code into the Full Name and Address fields during user registration or profile editing.
|
|||||
| CVE-2025-0627 | 1 Taxopress | 1 Taxopress | 2025-04-30 | N/A | 3.5 LOW |
|
The WordPress Tag, Category, and Taxonomy Manager WordPress plugin before 3.30.0 does not sanitise and escape some of its Widgets settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2022-45387 | 1 Jenkins | 1 Bart | 2025-04-30 | N/A | 5.4 MEDIUM |
|
Jenkins BART Plugin 1.0.3 and earlier does not escape the parsed content of build logs before rendering it on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability.
|
|||||
| CVE-2022-43119 | 1 Csphere | 1 Clansphere | 2025-04-30 | N/A | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in Clansphere CMS v2011.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Username parameter.
|
|||||
| CVE-2021-25926 | 1 Sickrage | 1 Sickrage | 2025-04-30 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In SiCKRAGE, versions 9.3.54.dev1 to 10.0.11.dev1 are vulnerable to Reflected Cross-Site-Scripting (XSS) due to user input not being validated properly in the `quicksearch` feature. Therefore, an attacker can steal a user's sessionID to masquerade as a victim user, to carry out any actions in the context of the user.
|
|||||
| CVE-2021-25925 | 1 Sickrage | 1 Sickrage | 2025-04-30 | 3.5 LOW | 5.4 MEDIUM |
|
in SiCKRAGE, versions 4.2.0 to 10.0.11.dev1 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly when processed by the server. Therefore, an attacker can inject arbitrary JavaScript code inside the application, and possibly steal a user’s sensitive information.
|
|||||
| CVE-2021-25921 | 1 Open-emr | 1 Openemr | 2025-04-30 | 3.5 LOW | 5.4 MEDIUM |
|
In OpenEMR, versions 2.7.3-rc1 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly in the `Allergies` section. An attacker could lure an admin to enter a malicious payload and by that initiate the exploit.
|
|||||
| CVE-2021-25919 | 1 Open-emr | 1 Openemr | 2025-04-30 | 3.5 LOW | 4.8 MEDIUM |
|
In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly. A highly privileged attacker could inject arbitrary code into input fields when creating a new user.
|
|||||
| CVE-2021-25918 | 1 Open-emr | 1 Openemr | 2025-04-30 | 3.5 LOW | 4.8 MEDIUM |
|
In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly and rendered in the TOTP Authentication method page. A highly privileged attacker could inject arbitrary code into input fields when creating a new user.
|
|||||
| CVE-2021-25917 | 1 Open-emr | 1 Openemr | 2025-04-30 | 3.5 LOW | 4.8 MEDIUM |
|
In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly and rendered in the U2F USB Device authentication method page. A highly privileged attacker could inject arbitrary code into input fields when creating a new user.
|
|||||
| CVE-2025-3823 | 1 Senior-walter | 1 Web-based Pharmacy Product Management System | 2025-04-30 | 3.3 LOW | 2.4 LOW |
|
A vulnerability classified as problematic has been found in SourceCodester Web-based Pharmacy Product Management System 1.0. Affected is an unknown function of the file add-stock.php. The manipulation of the argument txttotalcost/txtproductID/txtprice/txtexpirydate leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-3824 | 1 Senior-walter | 1 Web-based Pharmacy Product Management System | 2025-04-30 | 3.3 LOW | 2.4 LOW |
|
A vulnerability classified as problematic was found in SourceCodester Web-based Pharmacy Product Management System 1.0. Affected by this vulnerability is an unknown functionality of the file add-product.php. The manipulation of the argument txtprice/txtproduct_name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-3825 | 1 Senior-walter | 1 Web-based Pharmacy Product Management System | 2025-04-30 | 3.3 LOW | 2.4 LOW |
|
A vulnerability, which was classified as problematic, has been found in SourceCodester Web-based Pharmacy Product Management System 1.0. Affected by this issue is some unknown functionality of the file add-category.php. The manipulation of the argument txtcategory_name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-3826 | 1 Senior-walter | 1 Web-based Pharmacy Product Management System | 2025-04-30 | 3.3 LOW | 2.4 LOW |
|
A vulnerability, which was classified as problematic, was found in SourceCodester Web-based Pharmacy Product Management System 1.0. This affects an unknown part of the file add-supplier.php. The manipulation of the argument txtsupplier_name/txtaddress leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-52459 | 2025-04-30 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chameleoni.Com Chameleoni Jobs chameleon-jobs allows Reflected XSS.This issue affects Chameleoni Jobs: from n/a through 2.5.4.
|
|||||
| CVE-2022-30768 | 1 Zoneminder | 1 Zoneminder | 2025-04-30 | N/A | 5.4 MEDIUM |
|
A Stored Cross Site Scripting (XSS) issue in ZoneMinder 1.36.12 allows an attacker to execute HTML or JavaScript code via the Username field when an Admin (or non-Admin users that can see other users logged into the platform) clicks on Logout. NOTE: this exists in later versions than CVE-2019-7348 and requires a different attack method.
|
|||||
| CVE-2024-26473 | 1 Msaad1999 | 1 Klik Socialmediawebsite | 2025-04-30 | N/A | 6.1 MEDIUM |
|
A reflected cross-site scripting (XSS) vulnerability in SocialMediaWebsite v1.0.1 allows attackers to inject malicious JavaScript into the web browser of a victim via the poll parameter in poll.php.
|
|||||
| CVE-2024-26472 | 1 Msaad1999 | 1 Klik Socialmediawebsite | 2025-04-30 | N/A | 6.1 MEDIUM |
|
KLiK SocialMediaWebsite version 1.0.1 from msaad1999 has a reflected cross-site scripting (XSS) vulnerability which may allow remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'selector' or 'validator' parameters of 'create-new-pwd.php'.
|
|||||
| CVE-2024-26471 | 1 Msaad1999 | 1 Klik Socialmediawebsite | 2025-04-30 | N/A | 5.4 MEDIUM |
|
A reflected cross-site scripting (XSS) vulnerability in zhimengzhe iBarn v1.5 allows attackers to inject malicious JavaScript into the web browser of a victim via the search parameter in offer.php.
|
|||||
| CVE-2024-42769 | 1 Jayesh | 1 Hotel Management System | 2025-04-30 | N/A | 6.1 MEDIUM |
|
A Reflected Cross Site Scripting (XSS) vulnerability was found in "/core/signup_user.php " of Kashipara Hotel Management System v1.0, which allows remote attackers to execute arbitrary code via "user_fname" and "user_lname" parameters.
|
|||||
| CVE-2024-42770 | 1 Jayesh | 1 Hotel Management System | 2025-04-30 | N/A | 4.7 MEDIUM |
|
A Stored Cross Site Scripting (XSS) vulnerability was found in "/core/signup_user.php" of Kashipara Hotel Management System v1.0, which allows remote attackers to execute arbitrary code via the "user_email" parameter.
|
|||||
| CVE-2024-42771 | 1 Jayesh | 1 Hotel Management System | 2025-04-30 | N/A | 4.8 MEDIUM |
|
A Stored Cross Site Scripting (XSS) vulnerability was found in " /admin/edit_room_controller.php" of the Kashipara Hotel Management System v1.0, which allows remote attackers to execute arbitrary code via "room_name" parameter.
|
|||||
| CVE-2025-43954 | 1 Quasar | 1 Qmarkdown | 2025-04-30 | N/A | 4.9 MEDIUM |
|
QMarkdown (aka quasar-ui-qmarkdown) before 2.0.5 allows XSS via headers even when when no-html is set.
|
|||||
| CVE-2024-29644 | 1 Dcatadmin | 1 Dcat Admin | 2025-04-30 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting vulnerability in dcat-admin v.2.1.3 and before allows a remote attacker to execute arbitrary code via a crafted script to the user login box.
|
|||||
| CVE-2024-32391 | 1 Maccms | 1 Maccms | 2025-04-30 | N/A | 7.3 HIGH |
|
Cross Site Scripting vulnerability in MacCMS v.10 v.2024.1000.3000 allows a remote attacker to execute arbitrary code via a crafted payload.
|
|||||
| CVE-2024-30890 | 1 Ed01-cms Project | 1 Ed01-cms | 2025-04-30 | N/A | 4.7 MEDIUM |
|
Cross Site Scripting vulnerability in ED01-CMS v.1.0 allows an attacker to obtain sensitive information via the categories.php component.
|
|||||
| CVE-2024-31574 | 1 Twcms | 1 Twcms | 2025-04-30 | N/A | 5.0 MEDIUM |
|
Cross Site Scripting vulnerability in TWCMS v.2.6 allows a local attacker to execute arbitrary code via a crafted script
|
|||||
| CVE-2024-37764 | 1 Machform | 1 Machform | 2025-04-30 | N/A | 5.4 MEDIUM |
|
MachForm up to version 19 is affected by an authenticated stored cross-site scripting.
|
|||||
| CVE-2024-37763 | 1 Machform | 1 Machform | 2025-04-30 | N/A | 5.4 MEDIUM |
|
MachForm up to version 19 is affected by an unauthenticated stored cross-site scripting which affects users with valid sessions whom can view compiled forms results.
|
|||||
| CVE-2025-46228 | 1 Avecnous | 1 Event Post | 2025-04-30 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bastien Ho Event post allows DOM-Based XSS. This issue affects Event post: from n/a through 5.9.11.
|
|||||
| CVE-2025-46229 | 1 Textmetrics | 1 Textmetrics | 2025-04-30 | N/A | 5.9 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Israpil Textmetrics allows Stored XSS. This issue affects Textmetrics: from n/a through 3.6.2.
|
|||||
| CVE-2025-46233 | 1 Sirv | 1 Sirv | 2025-04-30 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sirv CDN and Image Hosting Sirv allows Stored XSS. This issue affects Sirv: from n/a through 7.5.3.
|
|||||
| CVE-2024-52944 | 1 Veritas | 1 Enterprise Vault | 2025-04-30 | N/A | 5.4 MEDIUM |
|
An issue was discovered in Veritas Enterprise Vault before 15.1 UPD882911, ZDI-CAN-24698. It allows an authenticated remote attacker to inject a parameter into an HTTP request, allowing for Cross-Site Scripting while viewing archived content. This could reflect back to an authenticated user without sanitization if executed by that user.
|
|||||
| CVE-2024-52943 | 1 Veritas | 1 Enterprise Vault | 2025-04-30 | N/A | 5.4 MEDIUM |
|
An issue was discovered in Veritas Enterprise Vault before 15.1 UPD882911, ZDI-CAN-24697. It allows an authenticated remote attacker to inject a parameter into an HTTP request, allowing for Cross-Site Scripting (XSS) while viewing archived content. This could reflect back to an authenticated user without sanitization if executed by that user.
|
|||||
| CVE-2024-52942 | 1 Veritas | 1 Enterprise Vault | 2025-04-30 | N/A | 5.4 MEDIUM |
|
An issue was discovered in Veritas Enterprise Vault before 15.1 UPD882911, ZDI-CAN-24696. It allows an authenticated remote attacker to inject a parameter into an HTTP request, allowing for Cross-Site Scripting (XSS) while viewing archived content. This could reflect back to an authenticated user without sanitization if executed by that user.
|
|||||
| CVE-2025-46235 | 1 Sktthemes | 1 Skt Blocks | 2025-04-30 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Blocks – Gutenberg based Page Builder allows Stored XSS. This issue affects SKT Blocks – Gutenberg based Page Builder: from n/a through 2.0.
|
|||||
| CVE-2022-45401 | 1 Jenkins | 1 Associated Files | 2025-04-30 | N/A | 5.4 MEDIUM |
|
Jenkins Associated Files Plugin 0.2.1 and earlier does not escape names of associated files, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
|
|||||
| CVE-2022-44073 | 1 Tribalsystems | 1 Zenario | 2025-04-30 | N/A | 5.4 MEDIUM |
|
Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via svg,Users & Contacts.
|
|||||
| CVE-2022-44071 | 1 Tribalsystems | 1 Zenario | 2025-04-30 | N/A | 5.4 MEDIUM |
|
Zenario CMS 9.3.57186 is is vulnerable to Cross Site Scripting (XSS) via profile.
|
|||||