Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-3393 | 2025-04-08 | 4.0 MEDIUM | 3.5 LOW | ||
|
A vulnerability was found in mrcen springboot-ucan-admin up to 5f35162032cbe9288a04e429ef35301545143509. It has been classified as problematic. This affects an unknown part of the file /ucan-admin/index of the component Personal Settings Interface. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected r ...
Show More |
|||||
| CVE-2025-3432 | 2025-04-08 | N/A | 6.4 MEDIUM | ||
|
The AAWP Obfuscator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data-aawp-web' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-32117 | 2025-04-08 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OTWthemes Widgetize Pages Light allows Reflected XSS. This issue affects Widgetize Pages Light: from n/a through 3.0.
|
|||||
| CVE-2025-32413 | 2025-04-08 | N/A | 6.4 MEDIUM | ||
|
Vulnerability-Lookup before 2.7.1 allows stored XSS via a user bio in website/web/views/user.py.
|
|||||
| CVE-2025-29594 | 2025-04-08 | N/A | 6.1 MEDIUM | ||
|
A vulnerability exists in the errorpage.php file of the CS2-WeaponPaints-Website v2.1.7 where user-controlled input is not adequately validated before being processed. Specifically, the $_GET['errorcode'] parameter can be manipulated to access unauthorized error codes, leading to Cross-Site Scripting (XSS) attacks and information disclosure.
|
|||||
| CVE-2025-26653 | 2025-04-08 | N/A | 4.7 MEDIUM | ||
|
SAP NetWeaver Application Server ABAP does not sufficiently encode user-controlled inputs, leading to Stored Cross-Site Scripting (XSS) vulnerability. This enables an attacker, without requiring any privileges, to inject malicious JavaScript into a website. When a user visits the compromised page, the injected script gets executed, potentially compromising the confidentiality and integrity within the scope of the victim�s browser. Availability is not impacted.
|
|||||
| CVE-2025-32369 | 1 Kentico | 1 Xperience | 2025-04-08 | N/A | 6.4 MEDIUM |
|
Kentico Xperience before 13.0.181 allows authenticated users to distribute malicious content (for stored XSS) via certain interactions with the media library file upload feature.
|
|||||
| CVE-2024-30483 | 1 Wpsimplesponsorships | 1 Simple Sponsorship | 2025-04-08 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Simple Sponsorships Sponsors allows Stored XSS.This issue affects Sponsors: from n/a through 3.5.1.
|
|||||
| CVE-2024-30503 | 1 Mailster | 1 Mailster | 2025-04-08 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in EverPress Mailster allows Reflected XSS.This issue affects Mailster: from n/a through 4.0.6.
|
|||||
| CVE-2024-30519 | 1 Lordicon | 1 Lordicon Animated Icons | 2025-04-08 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lordicon Lordicon Animated Icons allows Stored XSS.This issue affects Lordicon Animated Icons: from n/a through 2.0.1.
|
|||||
| CVE-2024-30520 | 1 Webdevocean | 1 Carousel Anything | 2025-04-08 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Labib Ahmed Carousel Anything For WPBakery Page Builder allows Stored XSS.This issue affects Carousel Anything For WPBakery Page Builder: from n/a through 2.1.
|
|||||
| CVE-2025-3297 | 1 Oretnom23 | 1 Online Eyewear Shop | 2025-04-08 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability, which was classified as problematic, was found in SourceCodester Online Eyewear Shop 1.0. Affected is an unknown function of the file /classes/Master.php?f=save_product. The manipulation of the argument brand leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
|
|||||
| CVE-2024-30194 | 1 Sunshinephotocart | 1 Sunshine Photo Cart | 2025-04-08 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Sunshine Sunshine Photo Cart allows Reflected XSS.This issue affects Sunshine Photo Cart: from n/a through 3.1.1.
|
|||||
| CVE-2024-1712 | 1 Majeedraza | 1 Carousel Slider | 2025-04-08 | N/A | 4.7 MEDIUM |
|
The Carousel Slider WordPress plugin before 2.2.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2024-3776 | 1 Netvision | 1 Airpass | 2025-04-08 | N/A | 6.1 MEDIUM |
|
The parameter used in the login page of Netvision airPASS is not properly filtered for user input. An unauthenticated remote attacker can insert JavaScript code to the parameter for Reflected Cross-site scripting attacks.
|
|||||
| CVE-2022-45729 | 1 Phpgurukul | 1 Doctor Appointment Management System | 2025-04-08 | N/A | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in Doctor Appointment Management System v1.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Employee ID parameter.
|
|||||
| CVE-2022-45728 | 1 Phpgurukul | 1 Doctor Appointment Management System | 2025-04-08 | N/A | 6.1 MEDIUM |
|
Doctor Appointment Management System v1.0.0 was discovered to contain a cross-site scripting (XSS) vulnerability.
|
|||||
| CVE-2022-3573 | 2 Abb, Gitlab | 2 Drive Composer, Gitlab | 2025-04-08 | N/A | 5.4 MEDIUM |
|
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. Due to the improper filtering of query parameters in the wiki changes page, an attacker can execute arbitrary JavaScript on the self-hosted instances running without strict CSP.
|
|||||
| CVE-2024-28404 | 1 Totolink | 2 X2000r, X2000r Firmware | 2025-04-08 | N/A | 8.0 HIGH |
|
TOTOLINK X2000R before V1.0.0-B20231213.1013 contains a Stored Cross-site scripting (XSS) vulnerability in MAC Filtering under the Firewall Page.
|
|||||
| CVE-2024-27703 | 1 Leantime | 1 Leantime | 2025-04-08 | N/A | 5.4 MEDIUM |
|
Cross Site Scripting vulnerability in Leantime 3.0.6 allows a remote attacker to execute arbitrary code via the to-do title parameter.
|
|||||
| CVE-2024-27477 | 1 Leantime | 1 Leantime | 2025-04-08 | N/A | 6.1 MEDIUM |
|
In Leantime 3.0.6, a Cross-Site Scripting vulnerability exists within the ticket creation and modification functionality, allowing attackers to inject malicious JavaScript code into the title field of tickets (also known as to-dos). This stored XSS vulnerability can be exploited to perform Server-Side Request Forgery (SSRF) attacks.
|
|||||
| CVE-2024-2137 | 1 Themesgrove | 1 All-in-one Addons For Elementor | 2025-04-08 | N/A | 6.4 MEDIUM |
|
The All-in-One Addons for Elementor – WidgetKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple pricing widgets (e.g. Pricing Single, Pricing Icon, Pricing Tab) in all versions up to, and including, 2.4.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-22718 | 1 Formtools | 1 Form Tools | 2025-04-08 | N/A | 9.6 CRITICAL |
|
Cross Site Scripting (XSS) vulnerability in Form Tools 3.1.1 allows attackers to run arbitrary code via the client_id parameter in the application URL.
|
|||||
| CVE-2024-22717 | 1 Formtools | 1 Form Tools | 2025-04-08 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting (XSS) vulnerability in Form Tools 3.1.1 allows attackers to run arbitrary code via the First Name field in the application.
|
|||||
| CVE-2024-3285 | 1 Metaslider | 1 Slider\, Gallery\, And Carousel | 2025-04-08 | N/A | 6.4 MEDIUM |
|
The Slider, Gallery, and Carousel by MetaSlider – Responsive WordPress Slideshows plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'metaslider' shortcode in all versions up to, and including, 3.70.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an ...
Show More |
|||||
| CVE-2024-29220 | 1 Ninjaforms | 1 Ninja Forms | 2025-04-08 | N/A | 6.1 MEDIUM |
|
Ninja Forms prior to 3.8.1 contains a cross-site scripting vulnerability in custom fields for labels. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is accessing to the website using the product.
|
|||||
| CVE-2024-26019 | 1 Ninjaforms | 1 Ninja Forms | 2025-04-08 | N/A | 5.4 MEDIUM |
|
Ninja Forms prior to 3.8.1 contains a cross-site scripting vulnerability in submit processing. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is accessing to the website using the product.
|
|||||
| CVE-2022-46622 | 1 Judging Management System Project | 1 Judging Management System | 2025-04-08 | N/A | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in Judging Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the firstname parameter.
|
|||||
| CVE-2022-46503 | 1 Online Student Enrollment System Project | 1 Online Student Enrollment System | 2025-04-08 | N/A | 5.4 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in the component /admin/register.php of Online Student Enrollment System v1.0 allows attackers to execute arbitrary web scripts via a crafted payload injected into the name parameter.
|
|||||
| CVE-2024-28402 | 1 Totolink | 2 X2000r, X2000r Firmware | 2025-04-08 | N/A | 5.9 MEDIUM |
|
TOTOLINK X2000R before V1.0.0-B20231213.1013 contains a Stored Cross-site scripting (XSS) vulnerability in IP/Port Filtering under the Firewall Page.
|
|||||
| CVE-2022-47102 | 1 Phpgurukul | 1 Student Study Center Management System | 2025-04-08 | N/A | 5.4 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in Student Study Center Management System V 1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter.
|
|||||
| CVE-2022-46438 | 1 Douco | 1 Douphp | 2025-04-08 | N/A | 5.4 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in the /admin/article_category.php component of DouPHP v1.7 20221118 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the description parameter.
|
|||||
| CVE-2024-26481 | 1 Getkirby | 1 Kirby | 2025-04-08 | N/A | 4.7 MEDIUM |
|
Kirby CMS v4.1.0 was discovered to contain a reflected self-XSS vulnerability via the URL parameter.
|
|||||
| CVE-2025-1062 | 1 Metaslider | 1 Slider\, Gallery\, And Carousel | 2025-04-08 | N/A | 3.5 LOW |
|
The Slider, Gallery, and Carousel by MetaSlider WordPress plugin before 3.95.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2025-1203 | 1 Metaslider | 1 Slider\, Gallery\, And Carousel | 2025-04-08 | N/A | 3.5 LOW |
|
The Slider, Gallery, and Carousel by MetaSlider WordPress plugin before 3.95.0 does not sanitise and escape some of its settings, which could allow high privilege users such as editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2025-2076 | 1 Gnarf | 1 Binlayerpress | 2025-04-07 | N/A | 4.4 MEDIUM |
|
The binlayerpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been d ...
Show More |
|||||
| CVE-2021-46872 | 1 Nim-lang | 2 Nim, Nimforum | 2025-04-07 | N/A | 6.1 MEDIUM |
|
An issue was discovered in Nim before 1.6.2. The RST module of the Nim language stdlib, as used in NimForum and other products, permits the javascript: URI scheme and thus can lead to XSS in some applications. (Nim versions 1.6.2 and later are fixed; there may be backports of the fix to some earlier versions. NimForum 2.2.0 is fixed.)
|
|||||
| CVE-2023-22911 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2025-04-07 | N/A | 6.1 MEDIUM |
|
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. E-Widgets does widget replacement in HTML attributes, which can lead to XSS, because widget authors often do not expect that their widget is executed in an HTML attribute context.
|
|||||
| CVE-2022-48091 | 1 Hotel Management System Project | 1 Hotel Management System | 2025-04-07 | N/A | 5.4 MEDIUM |
|
Tramyardg hotel-mgmt-system version 2022.4 is vulnerable to Cross Site Scripting (XSS) via process_update_profile.php.
|
|||||
| CVE-2025-25818 | 1 Emlog | 1 Emlog | 2025-04-07 | N/A | 5.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in Emlog Pro v2.5.4 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the postStrVar function at article_save.php.
|
|||||