Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-50681 | 1 Kentico | 1 Xperience | 2025-12-27 | N/A | 6.1 MEDIUM |
|
A reflected cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via administration input fields in the Rich text editor component. Attackers can exploit this vulnerability to execute arbitrary scripts in users' browsers.
|
|||||
| CVE-2022-50680 | 1 Kentico | 1 Xperience | 2025-12-27 | N/A | 4.8 MEDIUM |
|
A stored cross-site scripting vulnerability in Kentico Xperience allows administration users to inject malicious scripts via email marketing templates. Attackers can exploit this vulnerability to execute malicious scripts that could compromise user browsers and steal sensitive information.
|
|||||
| CVE-2020-36891 | 1 Kentico | 1 Xperience | 2025-12-27 | N/A | 5.4 MEDIUM |
|
A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to upload files with spoofed Content-Type that do not match file extensions. Attackers can exploit this vulnerability by uploading malicious files with manipulated MIME types, allowing malicious scripts to execute in users' browsers.
|
|||||
| CVE-2020-36889 | 1 Kentico | 1 Xperience | 2025-12-27 | N/A | 5.4 MEDIUM |
|
A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via error messages containing specially crafted object names. This allows malicious scripts to execute in users' browsers when administrators view error messages in the administration interface.
|
|||||
| CVE-2023-53887 | 1 Zomp | 1 Zomplog | 2025-12-24 | N/A | 5.4 MEDIUM |
|
Zomplog 3.9 contains a cross-site scripting vulnerability that allows authenticated users to inject malicious scripts when creating new pages. Attackers can craft malicious image source and onerror attributes to execute arbitrary JavaScript code in victim's browser.
|
|||||
| CVE-2023-53903 | 1 Websitebaker | 1 Websitebaker | 2025-12-24 | N/A | 5.4 MEDIUM |
|
WebsiteBaker 2.13.3 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files with script tags that execute when the file is viewed, enabling persistent cross-site scripting attacks.
|
|||||
| CVE-2023-53939 | 1 Tinywebgallery | 1 Tinywebgallery | 2025-12-24 | N/A | 5.4 MEDIUM |
|
TinyWebGallery v2.5 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the folder name parameter. Attackers can edit album folder names with script tags to execute arbitrary JavaScript when other users view the affected gallery pages.
|
|||||
| CVE-2025-14701 | 1 Craftycontrol | 1 Crafty Controller | 2025-12-23 | N/A | 7.1 HIGH |
|
An input neutralization vulnerability in the Server MOTD component of Crafty Controller allows a remote, unauthenticated attacker to perform stored XSS via server MOTD modification.
|
|||||
| CVE-2025-12716 | 1 Gitlab | 1 Gitlab | 2025-12-23 | N/A | 8.7 HIGH |
|
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that, under certain conditions could have allowed an authenticated user to perform unauthorized actions on behalf of another user by creating wiki pages with malicious content.
|
|||||
| CVE-2025-12029 | 1 Gitlab | 1 Gitlab | 2025-12-23 | N/A | 8.0 HIGH |
|
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have, under certain circumstances, allowed an unauthenticated user to perform unauthorized actions on behalf of another user by injecting malicious external scripts into the Swagger UI."
|
|||||
| CVE-2025-52842 | 3 Apple, Laundry Project, Linux | 3 Macos, Laundry, Linux Kernel | 2025-12-23 | N/A | 6.1 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Laundry on Linux, MacOS allows Account Takeover. This issue affects Laundry: 2.3.0.
|
|||||
| CVE-2024-5125 | 1 Lollms | 1 Lollms-webui | 2025-12-23 | N/A | 7.3 HIGH |
|
parisneo/lollms-webui version 9.6 is vulnerable to Cross-Site Scripting (XSS) and Open Redirect due to inadequate input validation and processing of SVG files during the upload process. The XSS vulnerability allows attackers to embed malicious JavaScript code within SVG files, which is executed upon rendering, leading to potential credential theft and unauthorized data access. The Open Redirect vulnerability arises from insufficient URL validation within SVG files, enabling attackers to redirect ...
Show More |
|||||
| CVE-2024-21496 | 1 Authcrunch | 1 Caddy-security | 2025-12-23 | N/A | 6.1 MEDIUM |
|
All versions of the package github.com/greenpau/caddy-security are vulnerable to Cross-site Scripting (XSS) via the Referer header, due to improper input sanitization. Although the Referer header is sanitized by escaping some characters that can allow XSS (e.g., [&], [<], [>], ["], [']), it does not account for the attack based on the JavaScript URL scheme (e.g., javascript:alert(document.domain)// payload). Exploiting this vulnerability may not be trivial, but it could lead to the execution of ...
Show More |
|||||
| CVE-2024-12641 | 1 Cht | 1 Tenderdoctransfer | 2025-12-23 | N/A | 9.6 CRITICAL |
|
TenderDocTransfer from Chunghwa Telecom has a Reflected Cross-site scripting vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection for the APIs, unauthenticated remote attackers could use specific APIs through phishing to execute arbitrary JavaScript code in the user’s browser. Since the web server set by the application supports Node.Js features, attackers can further leverage this to run ...
Show More |
|||||
| CVE-2025-68387 | 1 Elastic | 1 Kibana | 2025-12-23 | N/A | 6.1 MEDIUM |
|
Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability a function handler in the Vega AST evaluator.
|
|||||
| CVE-2025-68385 | 1 Elastic | 1 Kibana | 2025-12-23 | N/A | 7.2 HIGH |
|
Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a method in Vega bypassing a previous Vega XSS mitigation.
|
|||||
| CVE-2019-25216 | 1 Starfish | 1 Rich Review | 2025-12-23 | N/A | 7.2 HIGH |
|
The Rich Review plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the POST body 'update' parameter in versions up to, and including, 1.7.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-66501 | 1 Foxit | 1 Pdf Editor Cloud | 2025-12-23 | N/A | 6.3 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Predefined Text feature of the Foxit eSign section. A crafted payload can be stored via the Identity “First Name” field, which is later rendered into the DOM without proper sanitization. As a result, the injected script may execute when predefined text is used or when viewing document properties.
|
|||||
| CVE-2025-66502 | 1 Foxit | 1 Pdf Editor Cloud | 2025-12-23 | N/A | 6.3 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Page Templates feature. A crafted payload can be stored as the template name, which is later rendered into the DOM without proper sanitization. As a result, the injected script executes each time the affected PDF is loaded.
|
|||||
| CVE-2025-66519 | 1 Foxit | 1 Pdf Editor Cloud | 2025-12-23 | N/A | 6.3 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Layer Import functionality. A crafted payload can be injected into the “Create new Layer” field during layer import and is later rendered into the DOM without proper sanitization. As a result, the injected script executes when the Layers panel is accessed.
|
|||||
| CVE-2025-66520 | 1 Foxit | 1 Pdf Editor Cloud | 2025-12-23 | N/A | 6.3 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability exists in the Portfolio feature of the Foxit PDF Editor cloud (pdfonline.foxit.com). User-supplied SVG files are not properly sanitized or validated before being inserted into the HTML structure. As a result, embedded HTML or JavaScript within a crafted SVG may execute whenever the Portfolio file list is rendered.
|
|||||
| CVE-2025-66521 | 1 Foxit | 1 Pdf Editor Cloud | 2025-12-23 | N/A | 6.3 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Trusted Certificates feature. A crafted payload can be injected as the certificate name, which is later rendered into the DOM without proper sanitization. As a result, the injected script executes each time the Trusted Certificates view is loaded.
|
|||||
| CVE-2025-66522 | 1 Foxit | 1 Pdf Editor Cloud | 2025-12-23 | N/A | 6.3 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability exists in the Digital IDs functionality of the Foxit PDF Editor Cloud (pdfonline.foxit.com). The application does not properly sanitize or encode the Common Name field of Digital IDs before inserting user-supplied content into the DOM. As a result, embedded HTML or JavaScript may execute whenever the Digital IDs dialog is accessed or when the affected PDF is loaded.
|
|||||
| CVE-2025-66500 | 1 Foxit | 1 Pdf Editor Cloud | 2025-12-23 | N/A | 6.3 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability exists in webplugins.foxit.com. A postMessage handler fails to validate the message origin and directly assigns externalPath to a script source, allowing an attacker to execute arbitrary JavaScript when a crafted postMessage is received.
|
|||||
| CVE-2025-65540 | 1 Exrick | 1 Xmall | 2025-12-23 | N/A | 6.1 MEDIUM |
|
Multiple Cross-Site Scripting (XSS) vulnerabilities exist in xmall v1.1 due to improper handling of user-supplied data. User input fields such as username and description are directly rendered into HTML without proper sanitization or encoding, allowing attackers to inject and execute malicious scripts.
|
|||||
| CVE-2025-65892 | 1 Krpano | 1 Krpano | 2025-12-23 | N/A | 6.1 MEDIUM |
|
Reflected Cross-Site Scripting (rXSS) in krpano before version 1.23.2 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the victim's browser via a crafted URL to the passQueryParameters function with the xml parameter enabled.
|
|||||
| CVE-2017-20192 | 1 Strategy11 | 1 Formidable Form Builder | 2025-12-23 | N/A | 8.3 HIGH |
|
The Formidable Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters submitted during form entries like 'after_html' in versions before 2.05.03 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute in a victim's browser.
|
|||||
| CVE-2016-15041 | 1 Mainwp | 1 Mainwp Dashboard | 2025-12-23 | N/A | 7.2 HIGH |
|
The MainWP Dashboard – The Private WordPress Manager for Multiple Website Maintenance plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mwp_setup_purchase_username’ parameter in versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-14054 | 2025-12-23 | N/A | 4.4 MEDIUM | ||
|
The WC Builder – WooCommerce Page Builder for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'heading_color' parameter (and multiple other styling parameters) of the `wpbforwpbakery_product_additional_information` shortcode in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject arbitrary web scripts in pages t ...
Show More |
|||||
| CVE-2025-14548 | 2025-12-23 | N/A | 6.4 MEDIUM | ||
|
The Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'event_desc' parameter in all versions up to, and including, 1.3.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, granted they can convince an administrator to enable lower privilege users to manage calen ...
Show More |
|||||
| CVE-2025-14855 | 2025-12-23 | N/A | 7.2 HIGH | ||
|
The SureForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form field parameters in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-14000 | 2025-12-23 | N/A | 6.4 MEDIUM | ||
|
The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'register_form' and 'restrict' shortcodes in all versions up to, and including, 3.2.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-13183 | 2025-12-23 | N/A | 7.3 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Hotech Software Inc. Otello allows Stored XSS.This issue affects Otello: from 2.4.0 before 2.4.4.
|
|||||
| CVE-2025-14721 | 2025-12-23 | N/A | 5.5 MEDIUM | ||
|
The Responsive and Swipe slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's rsSlider shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-13693 | 2025-12-23 | N/A | 6.4 MEDIUM | ||
|
The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Custom scripts' setting in all versions up to, and including, 3.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-12398 | 2025-12-23 | N/A | 6.1 MEDIUM | ||
|
The Product Table for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'search_key' parameter in all versions up to, and including, 5.0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||
| CVE-2025-13220 | 2025-12-23 | N/A | 6.4 MEDIUM | ||
|
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode attributes in all versions up to, and including, 2.11.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses ...
Show More |
|||||
| CVE-2025-13624 | 2025-12-23 | N/A | 6.1 MEDIUM | ||
|
The Overstock Affiliate Links plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||
| CVE-2025-12581 | 2025-12-23 | N/A | 6.1 MEDIUM | ||
|
The Attachments Handler plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||
| CVE-2025-13838 | 2025-12-23 | N/A | 6.4 MEDIUM | ||
|
The WishSuite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_text' parameter of the 'wishsuite_button' shortcode in all versions up to, and including, 1.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||