Total: 42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-67170 | 1 Ritecms | 1 Ritecms | 2025-12-18 | N/A | 6.1 MEDIUM | A reflected cross-site scripting (XSS) vulnerability in RiteCMS v3.1.0 allows attackers to execute arbitrary code in the context of a user's browser via a crafted payload. |
| CVE-2025-68268 | 1 Jetbrains | 1 Teamcity | 2025-12-18 | N/A | 5.4 MEDIUM | In JetBrains TeamCity before 2025.11.1 reflected XSS was possible on the storage settings page. |
| CVE-2025-67875 | 1 Churchcrm | 1 Churchcrm | 2025-12-18 | N/A | 5.4 MEDIUM | ChurchCRM is an open-source church management system. A privilege escalation vulnerability exists in ChurchCRM prior to version 6.5.3. An authenticated user with specific mid-level permissions ("Edit Records" and "Manage Properties and Classifications") can inject a persistent Cross-Site Scripting (XSS) payload into an administrator's profile. The payload executes when the administrator views their own profile page, allowing the attacker to hijack the administrator's session, perform administrat ... |
| CVE-2025-67876 | 1 Churchcrm | 1 Churchcrm | 2025-12-18 | N/A | 5.4 MEDIUM | ChurchCRM is an open-source church management system. A stored cross-site scripting (XSS) vulnerability exists in ChurchCRM versions 6.4.0 and prior that allows a low-privilege user with the “Manage Groups” permission to inject persistent JavaScript into group role names. The payload is saved in the database and executed whenever any user (including administrators) views a page that displays that role, such as GroupView.php or PersonView.php. This allows full session hijacking and account takeov ... |
| CVE-2024-36647 | 1 Churchcrm | 1 Churchcrm | 2025-12-18 | N/A | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability in Church CRM v5.8.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Family Name parameter under the Register a New Family page. |
| CVE-2025-68275 | 1 Churchcrm | 1 Churchcrm | 2025-12-18 | N/A | 4.8 MEDIUM | ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a stored cross-site scripting vulnerability on the pages `View Active People`, `View Inactive people`, and `View All People`. Version 6.5.3 fixes the issue. |
| CVE-2025-68399 | 1 Churchcrm | 1 Churchcrm | 2025-12-18 | N/A | 5.4 MEDIUM | ChurchCRM is an open-source church management system. In versions prior to 6.5.4, there is a Stored Cross-Site Scripting (XSS) vulnerability within the GroupEditor.php page of the application. When a user attempts to create a group role, they can execute malicious JavaScript. However, for this to work, the user must have permission to view and modify groups in the application. Version 6.5.4 fixes the issue. |
| CVE-2025-68401 | 1 Churchcrm | 1 Churchcrm | 2025-12-18 | N/A | 4.8 MEDIUM | ChurchCRM is an open-source church management system. Prior to version 6.0.0, the application stores user-supplied HTML/JS without sufficient sanitization/encoding. When other users later view this content, attacker-controlled JavaScript executes in their browser (stored XSS). In affected contexts the script can access web origin data and perform privileged actions as the victim. Where session cookies are not marked HttpOnly, the script can read document.cookie, enabling session theft and accoun ... |
| CVE-2025-53533 | 1 Pi-hole | 1 Web Interface | 2025-12-18 | N/A | 6.1 MEDIUM | Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface versions 6.2.1 and earlier are vulnerable to reflected cross-site scripting (XSS) via a malformed URL path. The 404 error page includes the requested path in the class attribute of the body tag without proper sanitization or escaping. An attacker can craft a URL containing an onload attribute that will execute arbitrary JavaScript code ... |
| CVE-2025-32785 | 1 Pi-hole | 1 Web Interface | 2025-12-18 | N/A | 5.4 MEDIUM | Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface versions prior to 6.3 are vulnerable to cross-site scripting (XSS) via the Address field in the Subscribed Lists group management section. An authenticated user can inject malicious JavaScript by adding a payload to the Address field when creating or editing a list entry. The vulnerability is triggered when another user navigates to the ... |
| CVE-2018-19787 | 3 Canonical, Debian, Lxml | 3 Ubuntu Linux, Debian Linux, Lxml | 2025-12-18 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146. |
| CVE-2025-14385 | | | 2025-12-18 | N/A | 6.4 MEDIUM | The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter in all versions up to, and including, 10.2.3 due to insufficient input sanitization and output escaping on user-supplied attributes in the wprm-recipe-roundup-item shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-14801 | | | 2025-12-18 | 3.3 LOW | 2.4 LOW | A security vulnerability has been detected in xiweicheng TMS up to 2.28.0. This affects the function createComment of the file /admin/blog/comment/create. Such manipulation of the argument content leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-13861 | | | 2025-12-18 | N/A | 6.1 MEDIUM | The HTML Forms – Simple WordPress Forms Plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to and including 1.6.0 due to insufficient sanitization of fabricated file upload field metadata before displaying it in the WordPress admin dashboard. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute whenever an administrator accesses the form submissions page. |
| CVE-2025-13977 | | | 2025-12-18 | N/A | 6.4 MEDIUM | The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple attack vectors in all versions up to, and including, 6.5.3. This is due to insufficient input sanitization and output escaping in the Event Calendar widget's custom attributes handling and the Image Masking module's element ID rendering. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbit ... |
| CVE-2025-14347 | | | 2025-12-18 | N/A | 6.3 MEDIUM | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Proliz Software Ltd. OBS (Student Affairs Information System)0 allows Reflected XSS. This issue affects OBS (Student Affairs Information System)0: before 26.5009. |
| CVE-2025-14154 | | | 2025-12-18 | N/A | 6.1 MEDIUM | The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Stored Cross-Site Scripting via guest display name in all versions up to, and including, 2.10.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-12976 | | | 2025-12-18 | N/A | 6.4 MEDIUM | The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'events_list_grouped' shortcode in all versions up to, and including, 7.2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected pa ... |
| CVE-2023-53904 | | | 2025-12-18 | N/A | 4.6 MEDIUM | Xenforo 2.2.13 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the smilie category title parameter. Attackers can create a smilie category with a malicious script that will execute when the admin panel is loaded, potentially enabling further client-side attacks. |
| CVE-2025-12885 | | | 2025-12-18 | N/A | 6.4 MEDIUM | The Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sanitize_pdf_src function regex bypass in all versions up to, and including, 2.7.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-14202 | | | 2025-12-18 | N/A | N/A | A vulnerability in the file upload at bookmark + asset rendering pipeline allows an attacker to upload a malicious SVG file with JavaScript content. When an authenticated admin user views the SVG file with embedded JavaScript code of shared bookmark, JavaScript executes in the admin’s browser, retrieves the CSRF token, and sends a request to change the admin's password resulting in a full account takeover. |
| CVE-2025-13537 | | | 2025-12-18 | N/A | 6.4 MEDIUM | The Live Composer – Free WordPress Website Builder plugin for WordPress is vulnerable to multiple Stored Cross-Site Scripting vulnerabilities via DOM manipulation in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-13217 | | | 2025-12-18 | N/A | 6.4 MEDIUM | The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the YouTube Video 'value' field in all versions up to, and including, 2.11.0. This is due to insufficient input sanitization and output escaping on user-supplied YouTube video URLs in the `um_profile_field_filter_hook__youtube_video()` function. This makes it possible for authenticated attackers, with Subscriber-level ac ... |
| CVE-2025-13730 | | | 2025-12-18 | N/A | 6.4 MEDIUM | The OpenID Connect Generic Client plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'openid_connect_generic_auth_url' shortcode in all versions up to, and including, 3.10.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-37732 | 1 Elastic | 1 Kibana | 2025-12-18 | N/A | 5.4 MEDIUM | Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to render HTML tags within a user’s browser via the integration package upload functionality. This issue is related to ESA-2025-17 (CVE-2025-25018), bypassing that fix to achieve HTML injection. |
| CVE-2025-65778 | 1 Wekan Project | 1 Wekan | 2025-12-18 | N/A | 8.1 HIGH | An issue was discovered in Wekan, the open source kanban board system, up to version 18.15, fixed in 18.16. Uploaded attachments can be served with attacker-controlled Content-Type (text/html), allowing execution of attacker-supplied HTML/JS in the application's origin and enabling session/token theft and CSRF actions. |
| CVE-2021-28957 | 5 Debian, Fedoraproject, Lxml and 2 more | 5 Debian Linux, Fedora, Lxml and 2 more | 2025-12-17 | 4.3 MEDIUM | 6.1 MEDIUM | An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute, allowing JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3. |
| CVE-2025-43440 | 1 Apple | 6 Ipados, Iphone Os, Safari and 3 more | 2025-12-17 | N/A | 6.5 MEDIUM | This issue was addressed with improved checks. This issue is fixed in tvOS 26.1, watchOS 26.1, macOS Tahoe 26.1, iOS 26.1 and iPadOS 26.1, Safari 26.1, visionOS 26.1. Processing maliciously crafted web content may lead to an unexpected process crash. |
| CVE-2025-43338 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2025-12-17 | N/A | 7.1 HIGH | An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in macOS Tahoe 26, macOS Sonoma 14.8.2. Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory. |
| CVE-2020-27783 | 6 Debian, Fedoraproject, Lxml and 3 more | 8 Debian Linux, Fedora, Lxml and 5 more | 2025-12-17 | 4.3 MEDIUM | 6.1 MEDIUM | An XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code. |
| CVE-2014-3146 | 1 Lxml | 1 Lxml | 2025-12-17 | 4.3 MEDIUM | 6.1 MEDIUM | Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function. |
| CVE-2024-37422 | 1 Emilia | 1 Progress Planner | 2025-12-17 | N/A | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Team Emilia Projects Progress Planner allows Stored XSS. This issue affects Progress Planner: from n/a through 0.9.2. |
| CVE-2025-67641 | 1 Jenkins | 1 Coverage | 2025-12-17 | N/A | 5.4 MEDIUM | Jenkins Coverage Plugin 2.3054.ve1ff7b_a_a_123b_ and earlier does not validate the configured coverage results ID when creating coverage results, only when submitting the job configuration through the UI, allowing attackers with Item/Configure permission to use a `javascript:` scheme URL as identifier by configuring the job through the REST API, resulting in a stored cross-site scripting (XSS) vulnerability. |
| CVE-2025-34266 | 1 Advantech | 1 Wise-deviceon Server | 2025-12-17 | N/A | 5.4 MEDIUM | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/plugin-config/addins/menus endpoint. When an authenticated user adds or edits an AddIns menu entry, the label and path values are stored in plugin configuration data and later rendered in the AddIns UI without proper HTML sanitation. An attacker can inject malicious script into either field, which is then executed in the browser context of users who view or interact with ... |
| CVE-2025-34265 | 1 Advantech | 1 Wise-deviceon Server | 2025-12-17 | N/A | 5.4 MEDIUM | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/rule-engines endpoint. When an authenticated user creates or updates a rule for an agent, the rule fields min, max, and unit are stored and later rendered in rule listings or detail views without proper HTML sanitation. An attacker can inject malicious script into one or more of these fields, which is then executed in the browser context of users who view or interact with ... |
| CVE-2025-34264 | 1 Advantech | 1 Wise-deviceon Server | 2025-12-17 | N/A | 5.4 MEDIUM | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/dog/{agentId} endpoint. When an authenticated user adds or edits Software Watchdog process rules for an agent, the monitored process name is stored in the settings array and later rendered in the Software Watchdog UI without proper HTML sanitation. An attacker can inject malicious script into the process name, which is then executed in the browser context of users who vie ... |
| CVE-2025-34263 | 1 Advantech | 1 Wise-deviceon Server | 2025-12-17 | N/A | 5.4 MEDIUM | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/plugin-config/dashboards/menus endpoint. When an authenticated user adds or edits a dashboard entry, the label and path values are stored in plugin configuration data and later rendered in the dashboard UI without proper HTML sanitation. An attacker can inject malicious script into either field, which is then executed in the browser context of users who view or interact w ... |
| CVE-2025-34262 | 1 Advantech | 1 Wise-deviceon Server | 2025-12-17 | N/A | 5.4 MEDIUM | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/devices/name/{agent_id} endpoint. When an authenticated user renames a device, the new_name value is stored and later rendered in device listings or detail views without proper HTML sanitation. An attacker can inject malicious script into the device name, which is then executed in the browser context of users who view or interact with the affected device, potentially enab ... |
| CVE-2025-34261 | 1 Advantech | 1 Wise-deviceon Server | 2025-12-17 | N/A | 5.4 MEDIUM | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/devicegroups/ endpoint. When an authenticated user creates a device group, the name and description values are stored and later rendered in device group listings without proper HTML sanitation. An attacker can inject malicious script into either field, which is then executed in the browser context of users who view or interact with the affected device group, potentially e ... |
| CVE-2025-34260 | 1 Advantech | 1 Wise-deviceon Server | 2025-12-17 | N/A | 5.4 MEDIUM | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/action/schedule endpoint. When an authenticated user adds a schedule to an existing task, the schedule name is stored and later rendered in schedule listings without HTML sanitation. An attacker can inject malicious script into the schedule name, which is then executed in the browser context of users who view or interact with the affected schedule, potentially enabling se ... |