Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-41350 | 1 Iest | 1 Winplus | 2025-11-19 | N/A | 5.4 MEDIUM |
|
Stored Cross-site Scripting (XSS)vylnerability type in WinPlus v24.11.27 byInformática del Este that consist of an stored XSS of a stored XSS due to a lack of proper validation of user input by sending a POST request using the 'descripcion' parameter in '/WinplusPortal/ws/sWinplus.svc/json/savesoldoc_post'. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details.
|
|||||
| CVE-2025-20353 | 1 Cisco | 1 Catalyst Center | 2025-11-19 | N/A | 6.1 MEDIUM |
|
A vulnerability in the web-based management interface of Cisco Catalyst Center could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device.
This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user of the web-based management interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary scri ...
Show More |
|||||
| CVE-2025-54272 | 1 Adobe | 1 Experience Manager | 2025-11-19 | N/A | 5.4 MEDIUM |
|
Adobe Experience Manager versions 11.6 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Exploitation of this issue requires user interaction in that a victim must open a malicious link. Scope is changed.
|
|||||
| CVE-2025-61796 | 1 Adobe | 1 Experience Manager | 2025-11-19 | N/A | 5.4 MEDIUM |
|
Adobe Experience Manager versions 11.6 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Exploitation of this issue requires user interaction in that a victim must open a malicious link. Scope is changed.
|
|||||
| CVE-2025-61797 | 1 Adobe | 1 Experience Manager | 2025-11-19 | N/A | 5.4 MEDIUM |
|
Adobe Experience Manager versions 11.6 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Exploitation of this issue requires user interaction in that a victim must open a malicious link. Scope is changed.
|
|||||
| CVE-2025-20289 | 1 Cisco | 1 Identity Services Engine | 2025-11-19 | N/A | 4.8 MEDIUM |
|
Multiple vulnerabilities in the web-based management interface of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to conduct a reflected XSS attack against a user of the interface.
These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow th ...
Show More |
|||||
| CVE-2025-20303 | 1 Cisco | 1 Identity Services Engine | 2025-11-19 | N/A | 5.4 MEDIUM |
|
Multiple vulnerabilities in the web-based management interface of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to conduct a reflected XSS attack against a user of the interface.
These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow th ...
Show More |
|||||
| CVE-2025-64747 | 1 Monospace | 1 Directus | 2025-11-19 | N/A | 5.5 MEDIUM |
|
Directus is a real-time API and App dashboard for managing SQL database content. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 11.13.0 that allows users with `upload files` and `edit item` permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy (CSP) restrictions by combining file uploads with iframe srcdoc attributes, resulting in persistent XSS execution. Version 11.13.0 fixes the issue.
|
|||||
| CVE-2025-63830 | 1 Cksource | 1 Ckfinder | 2025-11-19 | N/A | 6.1 MEDIUM |
|
CKFinder 1.4.3 is vulnerable to Cross Site Scripting (XSS) in the File Upload function. An attacker can upload a crafted SVG containing active content.
|
|||||
| CVE-2025-13202 | 1 Fabian | 1 Simple Cafe Ordering System | 2025-11-19 | 4.0 MEDIUM | 3.5 LOW |
|
A security flaw has been discovered in code-projects Simple Cafe Ordering System 1.0. This affects an unknown part of the file /add_to_cart. Performing manipulation of the argument product_name results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited.
|
|||||
| CVE-2025-13244 | 1 Fabian | 1 Student Information System | 2025-11-19 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability was determined in code-projects Student Information System 2.0. The affected element is an unknown function of the file /register.php. This manipulation causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
|
|||||
| CVE-2025-13245 | 1 Fabian | 1 Student Information System | 2025-11-19 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was identified in code-projects Student Information System 2.0. The impacted element is an unknown function of the file /editprofile.php. Such manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
|
|||||
| CVE-2025-64046 | 1 Openrapid | 1 Rapidcms | 2025-11-19 | N/A | 6.1 MEDIUM |
|
OpenRapid RapidCMS 1.3.1 is vulnerable to Cross Site Scripting (XSS) in /system/update-run.php.
|
|||||
| CVE-2024-44647 | 1 Phpgurukul | 1 Small Crm | 2025-11-19 | N/A | 6.1 MEDIUM |
|
PHPGurukul Small CRM 3.0 is vulnerable to Cross Site Scripting (XSS) via the aremark parameter in manage-tickets.php.
|
|||||
| CVE-2024-46334 | 1 Kashipara | 1 School Management System | 2025-11-19 | N/A | 6.1 MEDIUM |
|
kashipara School Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via the formuser and formpassword parameters in /adminLogin.php.
|
|||||
| CVE-2024-46336 | 1 Kashipara | 1 School Management System | 2025-11-19 | N/A | 6.1 MEDIUM |
|
kashipara School Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via /client_user/feedback.php.
|
|||||
| CVE-2024-46335 | 1 Phpgurukul | 1 Complaint Management System | 2025-11-19 | N/A | 4.6 MEDIUM |
|
PHPGurukul Complaint Management System 2.0 is vulnerble to Cross Site Scripting (XSS) via the fromdate and todate parameters in between-date-userreport.php.
|
|||||
| CVE-2024-45712 | 1 Solarwinds | 1 Serv-u | 2025-11-18 | N/A | 2.6 LOW |
|
SolarWinds Serv-U is vulnerable to a client-side cross-site scripting (XSS) vulnerability. The vulnerability can only be performed by an authenticated account, on the local machine, from the local browser session. Therefore the risk is very low.
|
|||||
| CVE-2024-44655 | 1 Phpgurukul | 1 Complaint Management System | 2025-11-18 | N/A | 6.1 MEDIUM |
|
PHPGurukul Complaint Management System 2.0 is vulnerable to Cross Site Scripting (XSS) via the search parameter in user-search.php.
|
|||||
| CVE-2024-44661 | 1 Phpgurukul | 1 Online Shopping Portal | 2025-11-18 | N/A | 5.4 MEDIUM |
|
PHPGurukul Online Shopping Portal 2.0 is vulnerable to Cross Site Scripting (XSS) via the quantity parameter in my-cart.php.
|
|||||
| CVE-2020-35752 | 1 Janobe | 1 Baby Care System | 2025-11-18 | 3.5 LOW | 5.4 MEDIUM |
|
Baby Care System 1.0 is affected by a cross-site scripting (XSS) vulnerability in the Edit Page tab through the Post title parameter.
|
|||||
| CVE-2025-45236 | 1 Dbsyncer Project | 1 Dbsyncer | 2025-11-18 | N/A | 5.4 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability in the Edit Profile feature of DBSyncer v2.0.6 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Nickname parameter.
|
|||||
| CVE-2025-63713 | 1 Remyandrade | 1 Matching Type Test | 2025-11-18 | N/A | 6.1 MEDIUM |
|
Cross-Site Scripting (XSS) vulnerability in SourceCodester "MatchMaster" 1.0 allows remote attackers to inject arbitrary web script or HTML via crafted input in the custom test creation feature. The vulnerability exists because the application fails to properly sanitize user-supplied input in test titles and matching pair items before rendering them in the DOM during test execution.
|
|||||
| CVE-2025-12869 | 1 Aenrich | 1 A\+hrd | 2025-11-18 | N/A | 4.8 MEDIUM |
|
The a+HRD developed by aEnrich has a Stored Cross-Site Scripting vulnerability, allowing remote attackers with administrator privileges to inject persistent JavaScript codes that are executed in users' browsers upon page load.
|
|||||
| CVE-2025-12457 | 2025-11-18 | N/A | 6.4 MEDIUM | ||
|
The Enable SVG, WebP, and ICO Upload plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
|
|||||
| CVE-2025-12691 | 2025-11-18 | N/A | 6.4 MEDIUM | ||
|
The Photonic Gallery & Lightbox for Flickr, SmugMug & Others plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's lightbox functionality in all versions up to, and including, 3.21 due to insufficient input sanitization and output escaping on user supplied caption attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page.
|
|||||
| CVE-2025-12823 | 2025-11-18 | N/A | 6.4 MEDIUM | ||
|
The CSV to SortTable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'csv' shortcode in all versions up to, and including, 4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-8605 | 2025-11-18 | N/A | 6.4 MEDIUM | ||
|
The Gutenify – Visual Site Builder Blocks & Site Templates. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block attributes in all versions up to, and including, 1.5.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-4212 | 2025-11-18 | N/A | 7.2 HIGH | ||
|
The Checkout Files Upload for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via file uploads in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in image files that will execute whenever a user accesses the injected page.
|
|||||
| CVE-2025-64758 | 2025-11-18 | N/A | 4.8 MEDIUM | ||
|
@dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Since version 4.12.0, Dependency-Track users with the SYSTEM_CONFIGURATION permission can configure a "welcome message", which is HTML that is to be rendered on the login page for branding purposes. When rendering the welcome message, Dependency-Track versions before 4.13.6 did not pro ...
Show More |
|||||
| CVE-2025-12088 | 2025-11-18 | N/A | 6.4 MEDIUM | ||
|
The Meta Display Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Meta Display Block in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-8609 | 2025-11-18 | N/A | 6.4 MEDIUM | ||
|
The RTMKit Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Accordion Block's attributes in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-13196 | 2025-11-18 | N/A | 5.4 MEDIUM | ||
|
The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Open Street Map widget's marker content parameter in all versions up to, and including, 8.3.4. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the render function. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user access ...
Show More |
|||||
| CVE-2025-40834 | 2025-11-18 | N/A | 5.7 MEDIUM | ||
|
A vulnerability has been identified in Mendix RichText (All versions >= V4.0.0 < V4.6.1). Affected widget does not properly neutralize the input. This could allow an attacker to execute cross-site scripting attacks.
|
|||||
| CVE-2025-11868 | 2025-11-18 | N/A | 6.4 MEDIUM | ||
|
The everviz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `everviz` shortcode attributes in versions up to, and including, 1.1. This is due to the plugin not properly sanitizing user input or escaping output when building a `<div id=...>` from the `type` and `hash` attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-12079 | 2025-11-18 | N/A | 6.1 MEDIUM | ||
|
The WP Twitter Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 1.7.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||
| CVE-2025-12078 | 2025-11-18 | N/A | 6.1 MEDIUM | ||
|
The ArtiBot Free Chat Bot for WebSites plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||
| CVE-2022-44759 | 1 Hcltech | 1 Hcl Leap | 2025-11-17 | N/A | 4.6 MEDIUM |
|
Improper sanitization of SVG files in HCL Leap
allows client-side script injection in deployed applications.
|
|||||
| CVE-2024-30147 | 1 Hcltech | 1 Hcl Leap | 2025-11-17 | N/A | 6.5 MEDIUM |
|
Multiple vectors in HCL Leap allow client-side
script injection in the authoring environment and deployed applications.
|
|||||
| CVE-2024-30114 | 1 Hcltech | 1 Hcl Leap | 2025-11-17 | N/A | 3.7 LOW |
|
Insufficient sanitization in HCL Leap allows
client-side script injection in the authoring environment.
|
|||||