Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-44070 | 1 Tribalsystems | 1 Zenario | 2025-04-30 | N/A | 5.4 MEDIUM |
|
Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via News articles.
|
|||||
| CVE-2022-44069 | 1 Tribalsystems | 1 Zenario | 2025-04-30 | N/A | 5.4 MEDIUM |
|
Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via the Nest library module.
|
|||||
| CVE-2022-44002 | 1 Backclick | 1 Backclick | 2025-04-30 | N/A | 6.1 MEDIUM |
|
An issue was discovered in BACKCLICK Professional 5.9.63. Due to insufficient output encoding of user-supplied data, the web application is vulnerable to cross-site scripting (XSS) at various locations.
|
|||||
| CVE-2022-43692 | 1 Concretecms | 1 Concrete Cms | 2025-04-30 | N/A | 6.1 MEDIUM |
|
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS - user can cause an administrator to trigger reflected XSS with a url if the targeted administrator is using an old browser that lacks XSS protection. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.
|
|||||
| CVE-2022-43342 | 1 Eramba | 1 Eramba | 2025-04-30 | N/A | 5.4 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability in the Add function of Eramba GRC Software c2.8.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the KPI Title text field.
|
|||||
| CVE-2022-43263 | 1 Guitar-pro | 1 Guitar Pro | 2025-04-30 | N/A | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in Arobas Music Guitar Pro for iPad and iPhone before v1.10.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload inserted into the name of an uploaded file.
|
|||||
| CVE-2022-42960 | 1 Equalweb | 1 Equalweb Accessibility Widget | 2025-04-30 | N/A | 5.4 MEDIUM |
|
EqualWeb Accessibility Widget 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.10, 3.0.0, 3.0.1, 3.0.2, 4.0.0, and 4.0.1 allows DOM XSS due to improper validation of message events to accessibility.js.
|
|||||
| CVE-2022-3631 | 1 Digitialpixies | 1 Oauth Client | 2025-04-30 | N/A | 4.8 MEDIUM |
|
The OAuth Client by DigitialPixies WordPress plugin through 1.1.0 does not sanitize and escapes some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup).
|
|||||
| CVE-2022-3578 | 1 Metagauss | 1 Profilegrid | 2025-04-30 | N/A | 6.1 MEDIUM |
|
The ProfileGrid WordPress plugin before 5.1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting
|
|||||
| CVE-2022-3484 | 1 Wpb Show Core Project | 1 Wpb Show Core | 2025-04-30 | N/A | 6.1 MEDIUM |
|
The WPB Show Core WordPress plugin does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting.
|
|||||
| CVE-2022-38146 | 1 Silverstripe | 1 Framework | 2025-04-30 | N/A | 5.4 MEDIUM |
|
Silverstripe silverstripe/framework through 4.11 allows XSS (issue 2 of 3).
|
|||||
| CVE-2025-46237 | 1 Ylefebvre | 1 Link Library | 2025-04-30 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Yannick Lefebvre Link Library allows Stored XSS. This issue affects Link Library: from n/a through 7.8.
|
|||||
| CVE-2025-30149 | 1 Open-emr | 1 Openemr | 2025-04-30 | N/A | 6.4 MEDIUM |
|
OpenEMR is a free and open source electronic health records and medical practice management application. OpenEMR allows reflected cross-site scripting (XSS) in the AJAX Script interface\super\layout_listitems_ajax.php via the target parameter. This vulnerability is fixed in 7.0.3.
|
|||||
| CVE-2025-1524 | 1 Davidvongries | 1 Ultimate Dashboard | 2025-04-30 | N/A | 3.5 LOW |
|
The Ultimate Dashboard WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2025-1525 | 1 Davidvongries | 1 Ultimate Dashboard | 2025-04-30 | N/A | 3.5 LOW |
|
The Ultimate Dashboard WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2025-46238 | 1 Rolandbaer | 1 List Last Changes | 2025-04-30 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rbaer List Last Changes allows Stored XSS. This issue affects List Last Changes: from n/a through 1.2.1.
|
|||||
| CVE-2025-46250 | 1 Vikasratudi | 1 Lifetime Free Drag \& Drop Contact Form Builder | 2025-04-30 | N/A | 5.9 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vikas Ratudi VForm allows Stored XSS. This issue affects VForm: from n/a through 3.1.14.
|
|||||
| CVE-2022-45380 | 1 Jenkins | 1 Junit | 2025-04-30 | N/A | 5.4 MEDIUM |
|
Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
|
|||||
| CVE-2022-43694 | 1 Concretecms | 1 Concrete Cms | 2025-04-30 | N/A | 6.1 MEDIUM |
|
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the image manipulation library due to un-sanitized output.
|
|||||
| CVE-2022-42954 | 1 Keyfactor | 1 Kefactor Ejbca | 2025-04-30 | N/A | 5.4 MEDIUM |
|
Keyfactor EJBCA before 7.10.0 allows XSS.
|
|||||
| CVE-2022-42119 | 1 Liferay | 2 Dxp, Liferay Portal | 2025-04-30 | N/A | 5.4 MEDIUM |
|
Certain Liferay products are vulnerable to Cross Site Scripting (XSS) via the Commerce module. This affects Liferay Portal 7.3.5 through 7.4.2 and Liferay DXP 7.3 before update 8.
|
|||||
| CVE-2022-36432 | 1 Amasty | 1 Blog Pro | 2025-04-30 | N/A | 5.4 MEDIUM |
|
The Preview functionality in the Amasty Blog Pro 2.10.3 plugin for Magento 2 uses eval unsafely. This allows attackers to perform Cross-site Scripting attacks on admin panel users by manipulating the generated preview application response.
|
|||||
| CVE-2025-46253 | 1 Wpmet | 1 Gutenkit | 2025-04-30 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ataur R GutenKit allows Stored XSS. This issue affects GutenKit: from n/a through 2.2.2.
|
|||||
| CVE-2025-46254 | 1 Visualcomposer | 1 Visual Composer Website Builder | 2025-04-30 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Visual Composer Visual Composer Website Builder allows Stored XSS. This issue affects Visual Composer Website Builder: from n/a through 45.10.0.
|
|||||
| CVE-2022-45382 | 1 Jenkins | 1 Naginator | 2025-04-30 | N/A | 5.4 MEDIUM |
|
Jenkins Naginator Plugin 1.18.1 and earlier does not escape display names of source builds in builds that were triggered via Retry action, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to edit build display names.
|
|||||
| CVE-2025-3457 | 1 Oceanwp | 1 Ocean Extra | 2025-04-30 | N/A | 6.4 MEDIUM |
|
The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'oceanwp_icon' shortcode in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-3458 | 1 Oceanwp | 1 Ocean Extra | 2025-04-30 | N/A | 6.4 MEDIUM |
|
The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ocean_gallery_id’ parameter in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The Classic Editor plugin must be installed and activated to exploit the vulnerabi ...
Show More |
|||||
| CVE-2025-25431 | 1 Trendnet | 2 Tew-929dru, Tew-929dru Firmware | 2025-04-30 | N/A | 4.8 MEDIUM |
|
Trendnet TEW-929DRU 1.0.0.10 contains a Stored Cross-site Scripting (XSS) vulnerability via the The ssid key of wifi_data parameter on the /captive_portal.htm page.
|
|||||
| CVE-2025-0671 | 1 Icegram | 1 Icegram Express | 2025-04-29 | N/A | 6.1 MEDIUM |
|
The Icegram Express WordPress plugin before 5.7.50 does not sanitise and escape some of its Template settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2022-42187 | 1 Hustoj | 1 Hustoj | 2025-04-29 | N/A | 6.1 MEDIUM |
|
Hustoj 22.09.22 has a XSS Vulnerability in /admin/problem_judge.php.
|
|||||
| CVE-2022-41558 | 1 Tibco | 4 Spotfire Analyst, Spotfire Analytics Platform, Spotfire Desktop and 1 more | 2025-04-29 | N/A | 9.0 CRITICAL |
|
The Visualizations component of TIBCO Software Inc.'s TIBCO Spotfire Analyst, TIBCO Spotfire Analyst, TIBCO Spotfire Analyst, TIBCO Spotfire Analytics Platform for AWS Marketplace, TIBCO Spotfire Desktop, TIBCO Spotfire Desktop, TIBCO Spotfire Desktop, TIBCO Spotfire Server, TIBCO Spotfire Server, and TIBCO Spotfire Server contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute Stored Cross Site Scripting (XSS) on the affected system. A s ...
Show More |
|||||
| CVE-2022-39834 | 1 Keyfactor | 1 Primekey Ejbca | 2025-04-29 | N/A | 5.4 MEDIUM |
|
A stored XSS vulnerability was discovered in adminweb/ra/viewendentity.jsp in PrimeKey EJBCA through 7.9.0.2. A low-privilege user can store JavaScript in order to exploit a higher-privilege user.
|
|||||
| CVE-2024-9771 | 1 Plechevandrey | 1 Wp-recall | 2025-04-29 | N/A | 3.5 LOW |
|
The WP-Recall WordPress plugin before 16.26.12 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-12273 | 1 Codepeople | 1 Calculated Fields Form | 2025-04-29 | N/A | 3.5 LOW |
|
The Calculated Fields Form WordPress plugin before 5.2.62 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2025-30676 | 1 Apache | 1 Ofbiz | 2025-04-29 | N/A | 6.1 MEDIUM |
|
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 18.12.19.
Users are recommended to upgrade to version 18.12.19, which fixes the issue.
|
|||||
| CVE-2025-2055 | 1 Mappresspro | 1 Mappress | 2025-04-29 | N/A | 6.8 MEDIUM |
|
The MapPress Maps for WordPress plugin before 2.94.9 does not sanitise and escape some parameters when outputing them in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks.
|
|||||
| CVE-2024-9230 | 1 Blubrry | 1 Powerpress | 2025-04-29 | N/A | 5.9 MEDIUM |
|
The PowerPress Podcasting plugin by Blubrry WordPress plugin before 11.9.18 does not sanitise and escape some of its settings when adding a podcast, which could allow author and above users to perform Stored Cross-Site Scripting attacks
|
|||||
| CVE-2024-13069 | 1 Rems | 1 Multi Role Login System | 2025-04-29 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was found in SourceCodester Multi Role Login System 1.0. It has been classified as problematic. Affected is an unknown function of the file /endpoint/add-user.php. The manipulation of the argument name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-13021 | 1 Rems | 1 Road Accident Map Marker | 2025-04-29 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability, which was classified as problematic, has been found in SourceCodester Road Accident Map Marker 1.0. Affected by this issue is some unknown functionality of the file /endpoint/add-mark.php. The manipulation of the argument mark_name/details leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
|
|||||
| CVE-2025-3489 | 1 Nababur | 1 Simple-user-management-system | 2025-04-29 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability was found in Nababur Simple-User-Management-System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /register.php. The manipulation of the argument name/username leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||