Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-42620 | 2025-12-08 | N/A | N/A | ||
|
In affected versions, vulnerability-lookup handled user-controlled
content in comments and bundles in an unsafe way, which could lead to
stored Cross-Site Scripting (XSS).
On the backend, the related_vulnerabilities field of bundles accepted
arbitrary strings without format validation or proper sanitization. On
the frontend, comment and bundle descriptions were converted from
Markdown to HTML and then injected directly into the DOM using string
templates and innerHTML. This combination ...
Show More |
|||||
| CVE-2025-11892 | 1 Github | 1 Enterprise Server | 2025-12-08 | N/A | 9.6 CRITICAL |
|
An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allows DOM-based cross-site scripting via Issues search label filter that could lead to privilege escalation and unauthorized workflow triggers. Successful exploitation requires an attacker to have access to the target GitHub Enterprise Server instance and to entice a user, while operating in sudo mode, to click on a crafted malicious link to perform actions that require elevated privileges. This vu ...
Show More |
|||||
| CVE-2024-52702 | 1 Mybb | 1 Mybb | 2025-12-08 | N/A | 5.4 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability in the component install\index.php of MyBB v1.8.38 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website Name parameter. NOTE: this is disputed by the Supplier because Website Name can only be set by an administrator, who may use JavaScript if they wish.
|
|||||
| CVE-2025-63307 | 1 Alexusmai | 1 Laravel File Manager | 2025-12-08 | N/A | 8.1 HIGH |
|
alexusmai laravel-file-manager 3.3.1 is vulnerable to Cross Site Scripting (XSS). The application permits user-controlled upload, create, and rename of files to HTML and SVG types and serves those files inline without adequate content-type validation or output sanitization.
|
|||||
| CVE-2025-63785 | 1 Onlook | 1 Onlook | 2025-12-08 | N/A | 6.1 MEDIUM |
|
A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the text editor feature of the Onlook web application 0.2.32. This vulnerability occurs because user-supplied input is not properly sanitized before being directly injected into the DOM via innerHTML when editing a text element. An attacker can exploit this to inject malicious HTML and script code, which is then executed within the context of the preview iframe, allowing for the execution of arbitrary scripts in the user's session.
|
|||||
| CVE-2025-13182 | 1 H3blog | 1 H3blog | 2025-12-08 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was identified in pojoin h3blog 1.0. The impacted element is an unknown function of the file /admin/cms/category/addtitle. The manipulation of the argument Title leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used.
|
|||||
| CVE-2013-4888 | 1 Xibosignage | 1 Xibo | 2025-12-08 | 4.3 MEDIUM | N/A |
|
Cross-site scripting (XSS) vulnerability in index.php in Digital Signage Xibo 1.4.2 allows remote attackers to inject arbitrary web script or HTML via the layout parameter in the layout page.
|
|||||
| CVE-2025-12761 | 1 Simple Multi Step Form Project | 1 Simple Multi Step Form | 2025-12-08 | N/A | 3.5 LOW |
|
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Simple multi step form allows Cross-Site Scripting (XSS).This issue affects Simple multi step form: from 0.0.0 before 2.0.0.
|
|||||
| CVE-2025-12330 | 1 Matthewdeaves | 1 Willow Cms | 2025-12-08 | 3.3 LOW | 2.4 LOW |
|
A security flaw has been discovered in Willow CMS up to 1.4.0. This issue affects some unknown processing of the file /admin/articles/add of the component Add Post Page. The manipulation of the argument title/body results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be exploited.
|
|||||
| CVE-2025-13784 | 1 Yungifez | 1 Skuul | 2025-12-06 | 3.3 LOW | 2.4 LOW |
|
A weakness has been identified in yungifez Skuul School Management System up to 2.6.5. This vulnerability affects unknown code of the file /dashboard/schools/1/edit of the component SVG File Handler. This manipulation causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-63229 | 1 Dbbroadcast | 44 Mozart Dds Next 100, Mozart Dds Next 1000, Mozart Dds Next 1000 Firmware and 41 more | 2025-12-06 | N/A | 5.4 MEDIUM |
|
The Mozart FM Transmitter web management interface on version WEBMOZZI-00287, contains a reflected Cross-Site Scripting (XSS) vulnerability in the /main0.php endpoint. By injecting a malicious JavaScript payload into the ?m= query parameter, an attacker can execute arbitrary code in the victim's browser, potentially stealing sensitive information, hijacking sessions, or performing unauthorized actions.
|
|||||
| CVE-2025-41079 | 1 Seafile | 1 Seafile | 2025-12-05 | N/A | 6.1 MEDIUM |
|
A stored Cross-Site Scripting (XSS) vulnerability has been found in Seafile v12.0.10. This vulnerability allows an attacker to execute arbitrary code in the victim's browser by storing malicious payloads with PUT parámetro 'name' in '/api/v2.1/user/'.
|
|||||
| CVE-2025-41080 | 1 Seafile | 1 Seafile | 2025-12-05 | N/A | 6.1 MEDIUM |
|
A stored Cross-Site Scripting (XSS) vulnerability has been found in Seafile v12.0.10. This vulnerability allows an attacker to execute arbitrary code in the victim's browser by storing malicious payloads with POST parámetro 'p' in '/api/v2.1/repos/{repo_id}/file/'.
|
|||||
| CVE-2023-32969 | 1 Qnap | 3 Qts, Quts Hero, Qutscloud | 2025-12-05 | N/A | 4.9 MEDIUM |
|
A cross-site scripting (XSS) vulnerability has been reported to affect Network & Virtual Switch. If exploited, the vulnerability could allow authenticated administrators to inject malicious code via a network.
We have already fixed the vulnerability in the following versions:
QuTScloud c5.1.5.2651 and later
QTS 5.1.4.2596 build 20231128 and later
QuTS hero h5.1.4.2596 build 20231128 and later
|
|||||
| CVE-2024-50406 | 1 Qnap | 1 License Center | 2025-12-05 | N/A | 5.4 MEDIUM |
|
A cross-site scripting (XSS) vulnerability has been reported to affect License Center. If exploited, the vulnerability could allow remote attackers who have gained user access to bypass security mechanisms or read application data.
We have already fixed the vulnerability in the following version:
License Center 1.9.49 and later
|
|||||
| CVE-2025-22483 | 1 Qnap | 1 License Center | 2025-12-05 | N/A | 4.8 MEDIUM |
|
A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data.
We have already fixed the vulnerability in the following versions:
License Center 1.8.51 and later
License Center 1.9.51 and later
|
|||||
| CVE-2025-64336 | 1 Oxygenz | 1 Clipbucket | 2025-12-05 | N/A | 5.4 MEDIUM |
|
ClipBucket v5 is an open source video sharing platform. In versions 5.5.2-#146 and below, the Manage Photos feature is vulnerable to stored Cross-site Scripting (XSS). An authenticated regular user can upload a photo with a malicious Photo Title containing HTML/JavaScript code. While the payload does not execute in the user-facing photo gallery or detail pages, it is rendered unsafely in the Admin → Manage Photos section, resulting in JavaScript execution in the administrator’s browser. This iss ...
Show More |
|||||
| CVE-2025-55123 | 1 Revive-adserver | 1 Revive Adserver | 2025-12-05 | N/A | 5.4 MEDIUM |
|
Improper neutralization of input in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes manager accounts to be able to craft XSS attacks to their own advertiser users.
|
|||||
| CVE-2017-1000236 | 1 Scilico | 1 I\, Librarian | 2025-12-05 | 4.3 MEDIUM | 6.1 MEDIUM |
|
I, Librarian version <=4.6 & 4.7 is vulnerable to Reflected Cross-Site Scripting in the temp.php resulting in an attacker being able to inject malicious client side scripting which will be executed in the browser of users if they visit the manipulated site.
|
|||||
| CVE-2023-3021 | 1 Scilico | 1 I\, Librarian | 2025-12-05 | N/A | 5.4 MEDIUM |
|
Cross-site Scripting (XSS) - Stored in GitHub repository mkucej/i-librarian-free prior to 5.10.4.
|
|||||
| CVE-2024-40500 | 1 Scilico | 1 I\, Librarian | 2025-12-05 | N/A | 8.6 HIGH |
|
Cross Site Scripting vulnerability in Martin Kucej i-librarian v.5.11.0 and before allows a local attacker to execute arbitrary code via the search function in the import component.
|
|||||
| CVE-2018-1000139 | 1 Scilico | 1 I\, Librarian | 2025-12-05 | 4.3 MEDIUM | 6.1 MEDIUM |
|
I, Librarian version 4.8 and earlier contains a Cross Site Scripting (XSS) vulnerability in "id" parameter in stable.php that can result in an attacker using the XSS to send a malicious script to an unsuspecting user.
|
|||||
| CVE-2012-3842 | 1 Directadmin | 1 Directadmin | 2025-12-05 | 4.3 MEDIUM | N/A |
|
Multiple cross-site scripting (XSS) vulnerabilities in CMD_DOMAIN in JBMC Software DirectAdmin 1.403 allow remote authenticated users with certain privileges to inject arbitrary web script or HTML via the (1) select0 or (2) select8 parameters.
|
|||||
| CVE-2024-8964 | 1 Sirv | 1 Sirv | 2025-12-05 | N/A | 6.4 MEDIUM |
|
The Image Optimizer, Resizer and CDN – Sirv plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 7.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
|
|||||
| CVE-2025-65215 | 1 Senior-walter | 1 Web-based Pharmacy Product Management System | 2025-12-05 | N/A | 6.1 MEDIUM |
|
Sourcecodester Web-based Pharmacy Product Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /product_expiry/add-supplier.php via the Supplier Name field.
|
|||||
| CVE-2025-65881 | 1 Oretnom23 | 1 Zoo Management System | 2025-12-05 | N/A | 6.1 MEDIUM |
|
Sourcecodester Zoo Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /classes/Login.php.
|
|||||
| CVE-2025-65267 | 1 Frappe | 2 Erpnext, Frappe | 2025-12-05 | N/A | 9.0 CRITICAL |
|
In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting (XSS). Successful exploitation may lead to account takeover, privilege escalation, or full compromise of the affected ERPNext instance.
|
|||||
| CVE-2025-20385 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2025-12-05 | N/A | 2.4 LOW |
|
In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.6, 10.0.2503.7, and 9.3.2411.117, a user who holds a role with a high privilege capability `admin_all_objects` could craft a malicious payload through the href attribute of an anchor tag within a collection in the navigation bar, which could result in execution of unauthorized JavaScript code in the browser of a user.
|
|||||
| CVE-2024-25599 | 1 Castos | 1 Seriously Simple Podcasting | 2025-12-05 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Castos Seriously Simple Podcasting allows Reflected XSS.This issue affects Seriously Simple Podcasting: from n/a through 3.0.2.
|
|||||
| CVE-2023-49272 | 1 Jayesh | 1 Hotel Management System | 2025-12-05 | N/A | 5.4 MEDIUM |
|
Hotel Management v1.0 is vulnerable to multiple authenticated Reflected Cross-Site Scripting vulnerabilities. The 'children' parameter of the reservation.php resource is copied into the HTML document as plain text between tags. Any input is echoed unmodified in the application's response.
|
|||||
| CVE-2025-66222 | 1 Thinkinai | 1 Deepchat | 2025-12-05 | N/A | 9.6 CRITICAL |
|
DeepChat is a smart assistant uses artificial intelligence. In 0.5.0 and earlier, there is a Stored Cross-Site Scripting (XSS) vulnerability in the Mermaid diagram renderer allows an attacker to execute arbitrary JavaScript within the application context. By leveraging the exposed Electron IPC bridge, this XSS can be escalated to Remote Code Execution (RCE) by registering and starting a malicious MCP (Model Context Protocol) server.
|
|||||
| CVE-2025-61949 | 3 Linux, Microsoft, Secuavail | 3 Linux Kernel, Windows, Logstare Collector | 2025-12-05 | N/A | 5.4 MEDIUM |
|
LogStare Collector contains a stored cross-site scripting vulnerability in UserManagement. If crafted user information is stored, an arbitrary script may be executed on the web browser of the user who logs in to the product's management page.
|
|||||
| CVE-2025-14006 | 1 Xunruicms | 1 Xunruicms | 2025-12-05 | 4.0 MEDIUM | 3.5 LOW |
|
A security vulnerability has been detected in dayrui XunRuiCMS up to 4.7.1. Affected by this issue is some unknown functionality of the file /admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=1 of the component Add Data Validation Page. The manipulation of the argument data[name] leads to cross site scripting. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond ...
Show More |
|||||
| CVE-2025-14007 | 1 Xunruicms | 1 Xunruicms | 2025-12-05 | 1.7 LOW | 2.0 LOW |
|
A vulnerability was detected in dayrui XunRuiCMS up to 4.7.1. This affects an unknown part of the file /admin79f2ec220c7e.php?c=api&m=demo&name=mobile of the component Domain Name Binding Page. The manipulation results in cross site scripting. The attack may be performed from remote. A high complexity level is associated with this attack. It is indicated that the exploitability is difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did n ...
Show More |
|||||
| CVE-2025-66458 | 1 Lookyloo | 1 Lookyloo | 2025-12-05 | N/A | 6.1 MEDIUM |
|
Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, there are multiple XSS due to unsafe use of f-strings in Markup. The issue requires a malicious 3rd party server responding with a JSON document containing JS code in a script element. This vulnerability is fixed in 1.35.3.
|
|||||
| CVE-2025-66459 | 1 Lookyloo | 1 Lookyloo | 2025-12-05 | N/A | 6.1 MEDIUM |
|
Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, a XSS vulnerability can be triggered when a user submits a list of URLs to capture, one of them contains a HTML element, and the capture fails. Then, the error field is populated with an error message that contains the bad URL they tried to capture, triggering the XSS. This vulnerability is fixed in 1.35.3.
|
|||||
| CVE-2025-66460 | 1 Lookyloo | 1 Lookyloo | 2025-12-05 | N/A | 6.1 MEDIUM |
|
Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, Lookyloo passed improperly escaped values to cells rendered in datatables using the orthogonal-data feature. It is definitely exploitable from the popup view, but it is most probably also exploitable in many other places. This vulnerability is fixed in 1.35.3.
|
|||||
| CVE-2025-12848 | 1 Webform Multiple File Upload Project | 1 Webform Multiple File Upload | 2025-12-05 | N/A | 6.1 MEDIUM |
|
Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious
filename containing JavaScript code (e.g., "<img src=1 onerror=alert(document.domain)>") to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts
in the context of the victim's browser.
The issue is pr ...
Show More |
|||||
| CVE-2025-65675 | 1 Classroomio | 1 Classroomio | 2025-12-05 | N/A | 5.4 MEDIUM |
|
Stored Cross site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG profile pictures.
|
|||||
| CVE-2025-59117 | 1 Windu | 1 Windu Cms | 2025-12-05 | N/A | 4.8 MEDIUM |
|
Windu CMS is vulnerable to multiple Stored Cross-Site Scripting (XSS) vulnerabilities in the page editing endpoint windu/admin/content/pages/edit/.
This vulnerability can be exploited by a privileged user and may target users with higher privileges.
Only version 4.1 was tested and confirmed as vulnerable.
This issue was fixed in version 4.1 build 2250.
|
|||||