Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-38953 | 1 Phpok | 1 Phpok | 2025-03-20 | N/A | 6.1 MEDIUM |
|
phpok 6.4.003 contains a Cross Site Scripting (XSS) vulnerability in the ok_f() method under the framework/api/upload_control.php file.
|
|||||
| CVE-2023-22376 | 1 Planex | 2 Cs-wmv02g, Cs-wmv02g Firmware | 2025-03-20 | N/A | 6.1 MEDIUM |
|
Reflected cross-site scripting vulnerability in Wired/Wireless LAN Pan/Tilt Network Camera CS-WMV02G all versions allows a remote unauthenticated attacker to inject arbitrary script to inject an arbitrary script. NOTE: This vulnerability only affects products that are no longer supported by the developer.
|
|||||
| CVE-2023-42307 | 1 Code-projects | 1 Exam Form Submission | 2025-03-20 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting (XSS) vulnerability in Code-Projects Exam Form Submission 1.0 allows attackers to run arbitrary code via "Subject Name" and "Subject Code" section.
|
|||||
| CVE-2024-4400 | 1 Boldgrid | 1 Post And Page Builder | 2025-03-20 | N/A | 6.4 MEDIUM |
|
The Post and Page Builder by BoldGrid – Visual Drag and Drop Editor plguin for WordPress is vulnerable to Stored Cross-Site Scripting via an unknown parameter in versions up to, and including, 1.26.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-34558 | 1 Pluginus | 1 Wolf - Wordpress Posts Bulk Editor And Products Manager Professional | 2025-03-20 | N/A | 5.9 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in realmag777 WOLF allows Stored XSS.This issue affects WOLF: from n/a through 1.0.8.2.
|
|||||
| CVE-2024-34553 | 1 Select-themes | 1 Stockholm Core | 2025-03-20 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Select-Themes Stockholm Core allows Reflected XSS.This issue affects Stockholm Core: from n/a through 2.4.1.
|
|||||
| CVE-2024-28128 | 1 Cleancoder | 1 Fitnesse | 2025-03-20 | N/A | 6.1 MEDIUM |
|
Cross-site scripting vulnerability exists in FitNesse releases prior to 20220319, which may allow a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is using the product and accessing a link with a specially crafted certain parameter.
|
|||||
| CVE-2022-4656 | 1 Plugins-market | 1 Wp Visitor Statistics | 2025-03-20 | N/A | 5.4 MEDIUM |
|
The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 6.5 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack.
|
|||||
| CVE-2024-27136 | 1 Apache | 1 Jspwiki | 2025-03-20 | N/A | 6.1 MEDIUM |
|
XSS in Upload page in Apache JSPWiki 2.12.1 and priors allows the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.12.2 or later.
|
|||||
| CVE-2024-6848 | 1 Boldgrid | 1 Post And Page Builder | 2025-03-20 | N/A | 6.4 MEDIUM |
|
The Post and Page Builder by BoldGrid – Visual Drag and Drop Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via file uploads in all versions up to, and including, 1.26.6 due to insufficient input sanitization and output escaping affecting the boldgrid_canvas_image AJAX endpoint. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
|
|||||
| CVE-2024-3174 | 1 Google | 1 Chrome | 2025-03-20 | N/A | 8.8 HIGH |
|
Inappropriate implementation in V8 in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)
|
|||||
| CVE-2024-41481 | 1 Typora | 1 Typora | 2025-03-20 | N/A | 6.1 MEDIUM |
|
Typora before 1.9.3 Markdown editor has a cross-site scripting (XSS) vulnerability via the Mermaid component.
|
|||||
| CVE-2024-37392 | 1 Smseagle | 1 Smseagle | 2025-03-20 | N/A | 6.1 MEDIUM |
|
A stored Cross-Site Scripting (XSS) vulnerability has been identified in SMSEagle software version < 6.0. The vulnerability arises because the application did not properly sanitize user input in the SMS messages in the inbox. This could allow an attacker to inject malicious JavaScript code into an SMS message, which gets executed when the SMS is viewed and specially interacted in web-GUI.
|
|||||
| CVE-2023-48986 | 1 Cusg | 1 Content Management System | 2025-03-20 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting (XSS) vulnerability in CU Solutions Group (CUSG) Content Management System (CMS) before v.7.75 allows a remote attacker to execute arbitrary code, escalate privileges, and obtain sensitive information via a crafted script to the users.php component.
|
|||||
| CVE-2019-15870 | 1 Scriptsbundle | 1 Carspot | 2025-03-20 | 3.5 LOW | 5.4 MEDIUM |
|
The CarSpot theme before 2.1.7 for WordPress has stored XSS via the Phone Number field.
|
|||||
| CVE-2025-26917 | 1 Hasthemes | 1 Wp Templata | 2025-03-20 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HasThemes WP Templata allows Reflected XSS. This issue affects WP Templata: from n/a through 1.0.7.
|
|||||
| CVE-2025-26772 | 1 Detheme | 1 Dethemekit For Elementor | 2025-03-20 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Detheme DethemeKit For Elementor allows Stored XSS. This issue affects DethemeKit For Elementor: from n/a through 2.1.8.
|
|||||
| CVE-2024-54444 | 1 Elementor | 1 Website Builder | 2025-03-20 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Elementor Elementor Website Builder allows Stored XSS. This issue affects Elementor Website Builder: from n/a through 3.25.10.
|
|||||
| CVE-2024-56259 | 1 Ayecode | 1 Geodirectory | 2025-03-20 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AyeCode - WP Business Directory Plugins GeoDirectory allows Stored XSS.This issue affects GeoDirectory: from n/a through 2.3.84.
|
|||||
| CVE-2025-22806 | 1 Modernaweb | 1 Black Widgets For Elementor | 2025-03-20 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Modernaweb Studio Black Widgets For Elementor allows DOM-Based XSS.This issue affects Black Widgets For Elementor: from n/a through 1.3.8.
|
|||||
| CVE-2025-0192 | 2025-03-20 | N/A | 5.4 MEDIUM | ||
|
A stored Cross-site Scripting (XSS) vulnerability exists in the latest version of wandb/openui. The vulnerability is present in the edit HTML functionality, where an attacker can inject malicious scripts. When the modified HTML is shared with another user, the XSS payload executes, potentially leading to the theft of user prompt history and other sensitive information.
|
|||||
| CVE-2024-12870 | 2025-03-20 | N/A | 5.4 MEDIUM | ||
|
A stored cross-site scripting (XSS) vulnerability exists in infiniflow/ragflow, affecting the latest commit on the main branch (cec2080). The vulnerability allows an attacker to upload HTML/XML files that can host arbitrary JavaScript payloads. These files are served with the 'application/xml' content type, which is automatically rendered by browsers. This can lead to the execution of arbitrary JavaScript in the context of the user's browser, potentially allowing attackers to steal cookies and g ...
Show More |
|||||
| CVE-2024-11441 | 2025-03-20 | N/A | 6.1 MEDIUM | ||
|
A stored cross-site scripting (XSS) vulnerability exists in Serge version 0.9.0. The vulnerability is due to improper neutralization of input during web page generation in the chat prompt. An attacker can exploit this vulnerability by sending a crafted message containing malicious HTML/JavaScript code, which will be stored and executed whenever the chat is accessed, leading to unintended content being shown to the user and potential phishing attacks.
|
|||||
| CVE-2025-2108 | 2025-03-20 | N/A | 6.4 MEDIUM | ||
|
The 140+ Widgets | Xpro Addons For Elementor – FREE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Site Title’ widget's 'title_tag' and 'html_tag' parameters in all versions up to, and including, 1.4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-42671 | 2025-03-19 | N/A | 6.1 MEDIUM | ||
|
A Host Header Poisoning Open Redirect issue in slabiak Appointment Scheduler v.1.0.5 allows a remote attacker to redirect users to a malicious website, leading to potential credential theft, malware distribution, or other malicious activities.
|
|||||
| CVE-2024-39457 | 1 Cybozu | 1 Garoon | 2025-03-19 | N/A | 5.4 MEDIUM |
|
Cybozu Garoon 6.0.0 to 6.0.1 contains a cross-site scripting vulnerability in PDF preview. If this vulnerability is exploited, an arbitrary script may be executed on a logged-in user’s web browser.
|
|||||
| CVE-2023-51436 | 2025-03-19 | N/A | 5.9 MEDIUM | ||
|
Cross-site scripting vulnerability exists in UNIVERSAL PASSPORT RX versions 1.0.0 to 1.0.8, which may allow a remote authenticated attacker with an administrative privilege to execute an arbitrary script on the web browser of the user who is using the product.
|
|||||
| CVE-2025-26775 | 1 Pluginus | 1 Bear - Woocommerce Bulk Editor And Products Manager Professional | 2025-03-19 | N/A | 5.9 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 BEAR allows Stored XSS. This issue affects BEAR: from n/a through 1.1.4.4.
|
|||||
| CVE-2025-27705 | 2025-03-19 | N/A | N/A | ||
|
There is a cross-site scripting vulnerability in the Secure
Access administrative console of Absolute Secure Access prior to version 13.53.
Attackers with system administrator permissions can interfere with another
system administrator’s use of the management console when the second
administrator logs in. Attack complexity is high, attack requirements are
present, privileges required are none, user interaction is required. The impact
to confidentiality is low, the impact to availability is none ...
Show More |
|||||
| CVE-2019-13029 | 1 Vanderbilt | 1 Redcap | 2025-03-19 | 3.5 LOW | 4.8 MEDIUM |
|
Multiple stored Cross-site scripting (XSS) issues in the admin panel and survey system in REDCap 8 before 8.10.20 and 9 before 9.1.2 allow an attacker to inject arbitrary malicious HTML or JavaScript code into a user's web browser.
|
|||||
| CVE-2018-6867 | 1 Alibaba Clone Script Project | 1 Alibaba Clone Script | 2025-03-19 | 3.5 LOW | 5.4 MEDIUM |
|
Cross Site Scripting (XSS) exists in PHP Scripts Mall Alibaba Clone Script 1.0.2 via a profile parameter.
|
|||||
| CVE-2025-0554 | 1 Podlove | 1 Podlove Podcast Publisher | 2025-03-19 | N/A | 4.4 MEDIUM |
|
The Podlove Podcast Publisher plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Feed Name value in version <= 4.1.25 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
|
|||||
| CVE-2024-56242 | 1 Tychesoftwares | 1 Arconix Shortcodes | 2025-03-19 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tyche Softwares Arconix Shortcodes allows Stored XSS.This issue affects Arconix Shortcodes: from n/a through 2.1.14.
|
|||||
| CVE-2024-29915 | 1 Podlove | 1 Podlove Podcast Publisher | 2025-03-19 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Podlove Podlove Podcast Publisher allows Reflected XSS.This issue affects Podlove Podcast Publisher: from n/a through 4.0.9.
|
|||||
| CVE-2024-25920 | 1 Veronalabs | 1 Wp Sms | 2025-03-19 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs WP SMS allows Stored XSS.This issue affects WP SMS: from n/a through 6.3.4.
|
|||||
| CVE-2025-27704 | 2025-03-19 | N/A | N/A | ||
|
There is a cross-site scripting vulnerability in the Secure
Access administrative console of Absolute Secure Access prior to version 13.53.
Attackers with system administrator permissions can interfere with another
system administrator’s use of the management console when the second
administrator logs in. Attack complexity is high, attack requirements are
present, privileges required are none, user interaction is required. The impact
to confidentiality is low, the impact to availability is none ...
Show More |
|||||
| CVE-2024-21686 | 1 Atlassian | 2 Confluence Data Center, Confluence Server | 2025-03-19 | N/A | 8.7 HIGH |
|
This High severity Stored XSS vulnerability was introduced in versions 7.13 of Confluence Data Center and Server.
This Stored XSS vulnerability, with a CVSS Score of 7.3, allows an authenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser which has high impact to confidentiality, high impact to integrity, no impact to availability, and requires user interaction.
Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if yo ...
Show More |
|||||
| CVE-2023-25763 | 1 Jenkins | 1 Email Extension | 2025-03-19 | N/A | 5.4 MEDIUM |
|
Jenkins Email Extension Plugin 2.93 and earlier does not escape various fields included in bundled email templates, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control affected fields.
|
|||||
| CVE-2023-25762 | 1 Jenkins | 1 Pipeline\ | 2025-03-19 | N/A | 5.4 MEDIUM |
|
Jenkins Pipeline: Build Step Plugin 2.18 and earlier does not escape job names in a JavaScript expression used in the Pipeline Snippet Generator, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control job names.
|
|||||
| CVE-2020-19825 | 1 Kimai | 1 Kimai | 2025-03-19 | N/A | 9.6 CRITICAL |
|
Cross Site Scripting (XSS) vulnerability in kevinpapst kimai2 1.30.0 in /src/Twig/Runtime/MarkdownExtension.php, allows attackers to gain escalated privileges.
|
|||||