Total: 42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-63949 | 1 Yohanawi | 1 Hotel Management System | 2025-12-31 | N/A | 6.1 MEDIUM | A Reflected Cross-Site Scripting (XSS) vulnerability in yohanawi Hotel Management System (commit 87e004a) allows a remote attacker to execute arbitrary web script via the 'error' parameter in pages/room.php. |
| CVE-2024-35322 | 1 Airc | 1 Mynet | 2025-12-31 | N/A | 6.1 MEDIUM | MyNET up to v26.08 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the ficheiro parameter. |
| CVE-2024-40317 | 1 Airc | 1 Mynet | 2025-12-31 | N/A | 6.1 MEDIUM | A reflected cross-site scripting (XSS) vulnerability in MyNET up to v26.08 allows attackers to execute arbitrary code in the context of a user's browser by injecting a crafted payload into the parameter HTTP. |
| CVE-2023-53928 | 1 Php-fusion | 1 Phpfusion | 2025-12-31 | N/A | 5.4 MEDIUM | PHPFusion 9.10.30 contains a stored cross-site scripting vulnerability in the file manager that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload SVG files with script tags that execute arbitrary JavaScript when viewed, potentially stealing user session information or performing client-side attacks. |
| CVE-2025-64338 | 1 Oxygenz | 1 Clipbucket | 2025-12-31 | N/A | 9.0 CRITICAL | ClipBucket v5 is an open source video sharing platform. In versions 5.5.2 - #156 and below, an authenticated regular user can create a photo collection whose Collection Name contains HTML/JavaScript payloads, which makes ClipBucket’s Manage Photos feature vulnerable to Stored XSS. The payload is rendered unsafely in the Admin → Manage Photos interface, causing it to execute in the administrator’s browser, therefore allowing an attacker to target administrators and perform actions with elevated ... |
| CVE-2023-53900 | 1 Spip | 1 Spip | 2025-12-31 | N/A | 8.8 HIGH | Spip 4.1.10 contains a file upload vulnerability that allows attackers to upload malicious SVG files with embedded external links. Attackers can trick administrators into clicking a crafted SVG logo that redirects to a potentially dangerous URL through improper file upload filtering. |
| CVE-2025-62780 | 1 Changedetection | 1 Changedetection | 2025-12-31 | N/A | 3.5 LOW | changedetection.io is a free open source web page change detection tool. A Stored Cross Site Scripting is present in changedetection.io Watch update API in versions prior to 0.50.34 due to insufficient security checks. Two scenarios are possible. In the first, an attacker can insert a new watch with an arbitrary URL which really points to a web page. Once the HTML content is retrieved, the attacker updates the URL with a JavaScript payload. In the second, an attacker substitutes the URL in an ex ... |
| CVE-2023-53938 | 1 Rockmongo | 1 Rockmongo | 2025-12-31 | N/A | 5.4 MEDIUM | RockMongo 1.1.7 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through multiple unencoded input parameters. Attackers can exploit the vulnerability by submitting crafted payloads in database, collection, and login parameters to execute arbitrary JavaScript in a victim's browser. |
| CVE-2021-47716 | 1 Orangescrum | 1 Orangescrum | 2025-12-31 | N/A | 5.4 MEDIUM | Orangescrum 1.8.0 contains multiple cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts through various input parameters. Attackers can exploit parameters like 'projid', 'CS_message', and 'name' to execute arbitrary JavaScript code in victims' browsers by submitting crafted payloads through application endpoints. |
| CVE-2025-52331 | 1 Rarlab | 1 Winrar | 2025-12-31 | N/A | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in the generate report functionality in Rarlab WinRAR 7.11, allows attackers to disclose user information such as the computer username, generated report directory, and IP address. The generate report command includes archived file names without validation in the HTML report, which allows potentially malicious HTML tags to be injected into the report. User interaction is required. User must use the "generate report" functionality and open the report. |
| CVE-2025-59491 | 1 Centralsquare | 1 Community Development | 2025-12-31 | N/A | 6.1 MEDIUM | Cross Site Scripting vulnerability in CentralSquare Community Development 19.5.7 via form fields. |
| CVE-2025-63419 | 1 Crushftp | 1 Crushftp | 2025-12-31 | N/A | 6.1 MEDIUM | Cross Site Scripting (XSS) vulnerability in CrushFTP 11.3.6_48. The Web-Based Server has a feature where users can share files; the feature reflects the filename into the emailbody field with no sanitization, leading to HTML injection. |
| CVE-2025-32951 | 1 Haulmont | 4 Cuba Platform, Cuba Rest Api, Jmix Framework and 1 more | 2025-12-31 | N/A | 6.4 MEDIUM | Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser. For a successful attack, a malicious file needs to be uploaded beforehand. This issue has been patched in versions 1. ... |
| CVE-2024-55488 | 1 Umbraco | 1 Umbraco Cms | 2025-12-31 | N/A | 6.5 MEDIUM | A stored cross-site scripting (XSS) vulnerability in Umbraco CMS v14.3.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. NOTE: This has been disputed by the vendor since this potential attack is only possible via authenticated users who have been manually allowed access to the CMS. There was a deliberate decision made not to apply HTML sanitization at the product level. |
| CVE-2025-35029 | 1 Mieweb | 1 Enterprise Health | 2025-12-31 | N/A | 3.5 LOW | Medical Informatics Engineering Enterprise Health has a stored cross site scripting vulnerability that allows an authenticated attacker to add arbitrary content in the 'Demographic Information' page. This content will be rendered and executed when a victim accesses it. This issue is fixed as of 2025-03-14. |
| CVE-2025-61413 | 1 Dotnetfoundation | 1 Piranha Cms | 2025-12-31 | N/A | 6.1 MEDIUM | A stored cross-site scripting (XSS) vulnerability in the /manager/pages component of Piranha CMS v12.0 allows attackers to execute arbitrary web scripts or HTML via creating a page and injecting a crafted payload into the Markdown blocks. |
| CVE-2024-38963 | 1 Nopcommerce | 1 Nopcommerce | 2025-12-31 | N/A | 6.1 MEDIUM | Nopcommerce 4.70.1 is vulnerable to Cross Site Scripting (XSS) via the combined "AddProductReview.Title" and "AddProductReview.ReviewText" parameter(s) (Reviews) when creating a new review. |
| CVE-2024-8914 | 1 Wordpress | 1 Thanh Toan Quet Ma Qr Code Tu Dong | 2025-12-31 | N/A | 7.2 HIGH | The Thanh Toán Quét Mã QR Code Tự Động – MoMo, ViettelPay, VNPay và 40 ngân hàng Việt Nam plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.1 due to incorrect use of the wp_kses_allowed_html function, which allows the 'onclick' attribute for certain HTML elements without sufficient restriction or context validation. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a u ... |
| CVE-2024-48246 | 1 Janobe | 1 Vehicle Management System | 2025-12-31 | N/A | 5.4 MEDIUM | Vehicle Management System 1.0 contains a Stored Cross-Site Scripting (XSS) vulnerability in the "Name" parameter of /vehicle-management/booking.php. |
| CVE-2025-14284 | 1 Tiptap | 1 Tiptap/extension-link | 2025-12-31 | N/A | 6.1 MEDIUM | Versions of the package @tiptap/extension-link before 2.10.4 are vulnerable to Cross-site Scripting (XSS) due to unsanitized user input allowed in setting or toggling links. An attacker can execute arbitrary JavaScript code in the context of the application by injecting a javascript: URL payload into these attributes, which is then triggered by user interaction. |
| CVE-2024-9582 | 1 Bqworks | 1 Accordion Slider | 2025-12-31 | N/A | 6.4 MEDIUM | The Accordion Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘html’ attribute of an accordion slider in all versions up to, and including, 1.9.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: Successful exploitation by Contributor-level users requires ... |
| CVE-2025-29231 | 1 Linksys | 2 E5600, E5600 Firmware | 2025-12-31 | N/A | 6.1 MEDIUM | A stored cross-site scripting (XSS) vulnerability in the page_save component of Linksys E5600 V1.1.0.26 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the hostname and domainName parameters. |
| CVE-2025-47504 | | | 2025-12-30 | N/A | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Custom Checkout Fields for WooCommerce, WPFactory Customer Email Verification for WooCommerce allows Stored XSS. This issue affects Custom Checkout Fields for WooCommerce: from n/a through 1.8.3; Customer Email Verification for WooCommerce: from n/a through 3.0.2. |
| CVE-2025-15052 | 1 Fabian | 1 Student Information System | 2025-12-30 | 4.0 MEDIUM | 3.5 LOW | A vulnerability was detected in code-projects Student Information System 1.0. This vulnerability affects unknown code of the file /profile.php. Performing manipulation of the argument firstname/lastname results in cross site scripting. The attack is possible to be carried out remotely. The exploit is now public and may be used. |
| CVE-2025-65754 | 1 Algernon Project | 1 Algernon | 2025-12-30 | N/A | 6.1 MEDIUM | Cross Site Scripting vulnerability in Algernon v1.17.4 allows attackers to execute arbitrary code via injecting a crafted payload into a filename. |
| CVE-2024-24130 | 1 Mail2world | 1 Mail2world Webmail | 2025-12-30 | N/A | 6.1 MEDIUM | Mail2World v12 Business Control Center was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Usr parameter at resellercenter/login.asp. |
| CVE-2023-40262 | 1 Unify | 1 Openscape Voice Trace Manager | 2025-12-30 | N/A | 6.1 MEDIUM | An issue was discovered in Atos Unify OpenScape Voice Trace Manager V8 before V8 R0.9.11. It allows unauthenticated Stored Cross-Site Scripting (XSS) in the administration component via Access Request. |
| CVE-2025-63498 | 2 Alinto, Debian | 2 Sogo, Debian Linux | 2025-12-30 | N/A | 6.1 MEDIUM | alinto SOGo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the "userName" parameter. |
| CVE-2024-1215 | 1 Remyandrade | 1 Crud Without Page Reload/refresh | 2025-12-30 | 4.0 MEDIUM | 3.5 LOW | A vulnerability was found in SourceCodester CRUD without Page Reload 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file fetch_data.php. The manipulation of the argument username/city leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-252782 is the identifier assigned to this vulnerability. |
| CVE-2025-60739 | 1 Ilevia | 2 Eve X1 Server, Eve X1 Server Firmware | 2025-12-30 | N/A | 9.6 CRITICAL | Cross Site Request Forgery (CSRF) vulnerability in Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before, Logic Version v6.00 - 2025_07_21 allows a remote attacker to execute arbitrary code via the /bh_web_backend component. |
| CVE-2025-25939 | 1 Reprisesoftware | 1 Reprise License Manager | 2025-12-30 | N/A | 6.1 MEDIUM | Reprise License Manager 14.2 is vulnerable to reflected cross-site scripting in /goform/activate_process via the akey parameter. |
| CVE-2025-66021 | 1 Owasp | 1 Java Html Sanitizer | 2025-12-30 | N/A | 6.1 MEDIUM | OWASP Java HTML Sanitizer is a configurable HTML Sanitizer written in Java, allowing inclusion of HTML authored by third-parties in web applications while protecting against XSS. In version 20240325.1, OWASP java html sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows noscript and style tags with allowTextIn inside the style tag. This could lead to XSS if the payload is crafted in such a way that it does not sanitise the CSS and allows tags which are not mentioned in the HTML policy. At tim ... |
| CVE-2025-52552 | 1 Fastgpt | 1 Fastgpt | 2025-12-29 | N/A | 6.1 MEDIUM | FastGPT is an AI Agent building platform. Prior to version 4.9.12, the LastRoute Parameter on the login page is vulnerable to open redirect and DOM-based XSS. Improper validation and lack of sanitization of this parameter allows attackers to execute malicious JavaScript or redirect victims to attacker-controlled sites. This issue has been patched in version 4.9.12. |
| CVE-2025-14499 | | | 2025-12-29 | N/A | 8.8 HIGH | IceWarp gmaps Cross-Site Scripting Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of IceWarp. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of a parameter passed to the gmaps webpage. The issue results from the lack of proper validation of user-supplied data, which can lead to the in ... |
| CVE-2025-66444 | | | 2025-12-29 | N/A | 8.2 HIGH | Cross-site Scripting vulnerability in Hitachi Infrastructure Analytics Advisor (Data Center Analytics component) and Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view component). This issue affects Hitachi Infrastructure Analytics Advisor:; Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.5-00. |
| CVE-2023-32120 | | | 2025-12-29 | N/A | 5.9 MEDIUM | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Bob Hostel allows DOM-Based XSS. This issue affects Hostel: from n/a through 1.1.5.1. |
| CVE-2019-25233 | | | 2025-12-29 | N/A | 5.3 MEDIUM | AVE DOMINAplus 1.10.x contains cross-site request forgery and cross-site scripting vulnerabilities that allow attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to exploit login.php parameters and execute arbitrary scripts in user browser sessions. |
| CVE-2018-25131 | | | 2025-12-29 | N/A | 7.2 HIGH | Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 contains a stored cross-site scripting vulnerability in the configuration file upload functionality. Attackers can upload a malicious HTML file that executes arbitrary JavaScript in a user's browser session when viewed. |
| CVE-2019-25244 | | | 2025-12-29 | N/A | 5.3 MEDIUM | Legrand BTicino Driver Manager F454 1.0.51 contains multiple web vulnerabilities that allow attackers to perform administrative actions without proper request validation. Attackers can exploit cross-site request forgery to change passwords and inject stored cross-site scripting payloads through unvalidated GET parameters. |
| CVE-2025-68917 | | | 2025-12-29 | N/A | 6.4 MEDIUM | ONLYOFFICE Docs before 9.2.1 allows XSS in the textarea of the comment editing form. This is related to DocumentServer. |
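Several entries in this listing are the same bug class: an uploaded file (SVG in CVE-2023-53928 and CVE-2023-53900, HTML in CVE-2018-25131) or an upload whose client-supplied name ends in .html (CVE-2025-32951) is later served back with a Content-Type that lets the browser execute it in the application's origin. The following is an added example, not code from any of those projects, showing the check a file-serving endpoint should make: decide the response type from the bytes, never from the uploaded name, and force anything that is not a known-inert raster image into a download. The magic-byte table, the `serveUploadHeaders`/`sniffType`/`safeDownloadName` names and the constructed sample files are this example's own assumptions.

```javascript
// Added example (not any listed project's code): choose response headers for a
// user-uploaded file so that neither its name nor its contents can run as
// script in the serving site's origin. Runs under Node.js with no dependencies.

// Magic bytes for the only types this example will ever render inline.
// Assumption: raster images are the complete inline allow-list.
const RASTER_MAGIC = [
  { type: 'image/png',  magic: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]) },
  { type: 'image/jpeg', magic: Buffer.from([0xff, 0xd8, 0xff]) },
  { type: 'image/gif',  magic: Buffer.from('GIF8', 'latin1') },
];

// Markup that a browser would execute if the file were served as text/html or
// image/svg+xml. Used only to *flag* content; a match never promotes the type.
const ACTIVE_MARKUP = /<\s*(svg|html|script|iframe|object|embed|body|meta)\b|<!doctype\s+html/i;

// Classify by content: a raster MIME type, 'active' (looks like SVG/HTML), or
// 'unknown'. The client-supplied filename is deliberately not an input here.
function sniffType(bytes) {
  for (const { type, magic } of RASTER_MAGIC) {
    if (bytes.length >= magic.length && bytes.subarray(0, magic.length).equals(magic)) return type;
  }
  const head = bytes.subarray(0, 4096).toString('latin1');
  return ACTIVE_MARKUP.test(head) ? 'active' : 'unknown';
}

// Filename for Content-Disposition: drop path components and any byte that could
// close the quoted string or inject a header (quotes, CR, LF, separators).
function safeDownloadName(name) {
  const base = String(name).split(/[\\/]/).pop();
  return base.replace(/[^\w.\-]/g, '_').slice(0, 100) || 'download';
}

// Build the headers for serving one stored upload.
function serveUploadHeaders(clientName, bytes) {
  const sniffed = sniffType(bytes);
  const headers = { 'X-Content-Type-Options': 'nosniff' };
  if (sniffed.startsWith('image/')) {
    // Raster images carry no script, so inline display is fine; the type comes
    // from the bytes, so "evil.html" holding a real PNG is still just image/png.
    headers['Content-Type'] = sniffed;
    headers['Content-Disposition'] = 'inline';
  } else {
    // SVG, HTML, or anything unrecognised: force a download so it never renders
    // with this site's origin, regardless of what extension the uploader chose.
    headers['Content-Type'] = 'application/octet-stream';
    headers['Content-Disposition'] = `attachment; filename="${safeDownloadName(clientName)}"`;
    // If some other path still serves it inline, a sandboxed CSP blocks script
    // and same-origin access.
    headers['Content-Security-Policy'] = "sandbox; default-src 'none'";
  }
  return { sniffed, headers };
}

// Constructed sample inputs (not real files from any advisory).
const SAMPLE_PNG = Buffer.concat([Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]), Buffer.alloc(16)]);
const SAMPLE_SVG = Buffer.from('<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>');
const SAMPLE_DISGUISED = Buffer.from('<html><body onload="alert(1)">'); // uploaded as "avatar.png"

const RESULT_PNG = serveUploadHeaders('photo.png', SAMPLE_PNG);            // inline image/png
const RESULT_SVG = serveUploadHeaders('logo.svg', SAMPLE_SVG);             // attachment, octet-stream
const RESULT_DISGUISED = serveUploadHeaders('avatar.png', SAMPLE_DISGUISED); // attachment, octet-stream
```

The name-based variant this replaces (set `Content-Type` from the extension, or let the browser sniff) is exactly what CVE-2025-32951 describes; with `nosniff` plus a content-derived type, the `.html` suffix on the request path no longer matters. The CSP `sandbox` line is a second layer for viewers that insist on inline rendering; it is not a substitute for the `attachment` disposition.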
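Two other entries turn on a URL that the application accepted from the user and later navigated to or assigned to an `href`: a `javascript:` link target in CVE-2025-14284 (@tiptap/extension-link) and the LastRoute post-login parameter in CVE-2025-52552 (FastGPT), which was both an open redirect and a DOM-based XSS sink. The block below is an added example, not code from tiptap or FastGPT, of the two checks a client or server should apply: an allow-list on the parsed scheme for link targets, and a same-origin path restriction for return-to parameters. Parsing with the WHATWG `URL` class is the point of the example, because it normalises the case, tab and newline tricks (`JaVaScRiPt:`, `java\tscript:`) and the `//`, `/\` and `user@host` forms that string prefix checks miss. The function names, the scheme allow-list and the `https://app.example` origin are this example's assumptions.

```javascript
// Added example (not tiptap's or FastGPT's code): validating user-supplied
// link targets and post-login return paths. Runs under Node.js or in a browser;
// both provide the WHATWG URL class used here.

// Assumption: only these schemes are inert enough to put in an href.
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Link target for setAttribute('href', ...). Returns the normalised absolute URL
// or null when the scheme is not allowed or the input does not parse.
// Note: apply this to the decoded value you will pass to setAttribute, not to raw
// HTML text, so entity-encoded forms such as &#106;avascript: are already decoded.
function safeHref(raw, base = 'https://app.example/') {
  let url;
  try {
    // The URL parser strips ASCII tab/newline from the input and lower-cases the
    // scheme, so "java\tscript:" and " JAVASCRIPT:" both parse as javascript:.
    url = new URL(String(raw).trim(), base);
  } catch {
    return null;
  }
  return SAFE_SCHEMES.has(url.protocol) ? url.href : null;
}

// Post-login "return to" parameter. Accepts only a path on this application's
// own origin and returns '/' for anything else, so the value can be assigned to
// location.href without becoming an open redirect or a javascript: sink.
function safeReturnPath(raw, appOrigin = 'https://app.example') {
  if (typeof raw !== 'string' || raw === '') return '/';
  let url;
  try {
    url = new URL(raw, appOrigin);
  } catch {
    return '/';
  }
  // Resolving against appOrigin and comparing origins defeats "//evil.example",
  // "/\evil.example", "https://app.example@evil.example" and scheme changes,
  // because each of those resolves to a different origin (or to "null").
  if (url.origin !== appOrigin) return '/';
  return url.pathname + url.search + url.hash;
}

// Constructed inputs illustrating the cases the two advisories describe.
const LINK_CASES = {
  plain: safeHref('https://example.org/docs'),        // kept
  relative: safeHref('docs/page'),                     // resolved against base
  js: safeHref('javascript:alert(1)'),                 // null
  jsMixedCase: safeHref(' JaVaScRiPt:alert(1)'),       // null
  jsTab: safeHref('java\tscript:alert(1)'),            // null
  data: safeHref('data:text/html,<script>alert(1)</script>'), // null
};

const RETURN_CASES = {
  ok: safeReturnPath('/dashboard?tab=1#x'),            // kept as path
  protocolRelative: safeReturnPath('//evil.example/x'),  // '/'
  backslash: safeReturnPath('/\\evil.example'),          // '/'
  userinfo: safeReturnPath('https://app.example@evil.example/'), // '/'
  js: safeReturnPath('javascript:alert(1)'),             // '/'
  downgrade: safeReturnPath('http://app.example/x'),     // '/' (scheme changed)
};
```

For an editor integration, run `safeHref` on every `href` before it reaches the document, including values pasted or auto-linked, since the tiptap entry notes the payload fires on later user interaction rather than at insertion time. For the login flow, store only the result of `safeReturnPath`, never the raw parameter.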