Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-30113 | 1 Hcltech | 1 Hcl Leap | 2025-11-17 | N/A | 6.3 MEDIUM |
|
Insufficient sanitization policy in HCL Leap
allows client-side script injection in the deployed application through the
HTML widget.
|
|||||
| CVE-2023-37534 | 1 Hcltech | 1 Hcl Leap | 2025-11-17 | N/A | 7.1 HIGH |
|
Insufficient URI protocol whitelist in HCL Leap
allows script injection through query parameters.
|
|||||
| CVE-2025-10018 | 1 Opensolution | 1 Quick.cms | 2025-11-17 | N/A | 4.8 MEDIUM |
|
QuickCMS is vulnerable to multiple Stored XSS in language editor functionality (languages). Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed on every page. By default admin user is not able to add JavaScript into the website.
The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other v ...
Show More |
|||||
| CVE-2025-0583 | 1 Aenrich | 1 A\+hrd | 2025-11-17 | N/A | 6.1 MEDIUM |
|
The a+HRD from aEnrich Technology has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks.
|
|||||
| CVE-2025-63714 | 1 Remyandrade | 1 Modern User Account Generator | 2025-11-17 | N/A | 6.1 MEDIUM |
|
Cross-Site Scripting (XSS) vulnerability in SourceCodester User Account Generator 1.0 allows remote attackers to execute arbitrary JavaScript code in the context of the user's browser session via crafted input in the Username Prefix field. The vulnerability exists due to improper sanitization of user-supplied input when rendering generated account data to the DOM, allowing persistent injection of malicious HTML elements that execute when clicked by users.
|
|||||
| CVE-2025-63639 | 1 Remyandrade | 1 Faq Bot With Ai Assistant | 2025-11-17 | N/A | 6.1 MEDIUM |
|
The chat feature in the application Sourcecodester FAQ Bot with AI Assistant v1.0 is vulnerable to Cross-Site Scripting (XSS) due to improper handling of user-supplied input. An attacker can inject malicious HTML or JavaScript into chat messages, which executes in the browser of any user viewing the conversation.
|
|||||
| CVE-2025-63638 | 1 Remyandrade | 1 Ai-powered To-do List App | 2025-11-17 | N/A | 6.1 MEDIUM |
|
Sourcecodester AI-Powered To-Do List App v1.0 is vulnerable to Cross-Site Scripting (XSS) in the "Task Title" and "Description (Optional)" fields when creating a Task, allowing an attacker to inject arbitrary potentially malicious HTML/JavaScript code that executes in the victim's browser upon clicking the "Add Task" button.
|
|||||
| CVE-2024-44635 | 1 Phpgurukul | 1 Student Record System | 2025-11-17 | N/A | 6.1 MEDIUM |
|
PHPGurukul Student Record System 3.20 is vulnerable to Cross Site Scripting (XSS) via adminname and aemailid parameters in /admin-profile.php.
|
|||||
| CVE-2025-63640 | 1 Rems | 1 Medicine Reminder App | 2025-11-17 | N/A | 6.1 MEDIUM |
|
Sourcecodester Medicine Reminder App v1.0 is vulnerable to Cross-Site Scripting (XSS) in the "Medicine Name" and "Notes (Optional)" fields when creating an "Upcoming Reminder", allowing an attacker to inject arbitrary potentially malicious HTML/JavaScript code that executes in the victim's browser upon clicking the "Save Reminder" button.
|
|||||
| CVE-2025-62210 | 1 Microsoft | 1 Dynamics 365 | 2025-11-17 | N/A | 8.7 HIGH |
|
Improper neutralization of input during web page generation ('cross-site scripting') in Dynamics 365 Field Service (online) allows an authorized attacker to perform spoofing over a network.
|
|||||
| CVE-2025-62211 | 1 Microsoft | 1 Dynamics 365 | 2025-11-17 | N/A | 8.7 HIGH |
|
Improper neutralization of input during web page generation ('cross-site scripting') in Dynamics 365 Field Service (online) allows an authorized attacker to perform spoofing over a network.
|
|||||
| CVE-2025-9980 | 1 Opensolution | 1 Quick.cms | 2025-11-17 | N/A | 4.8 MEDIUM |
|
QuickCMS is vulnerable to multiple Stored XSS in page editor functionality (pages-form). Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. By default admin user is not able to add JavaScript into the website.
The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable ...
Show More |
|||||
| CVE-2025-9981 | 1 Opensolution | 1 Quick.cms | 2025-11-17 | N/A | 4.8 MEDIUM |
|
QuickCMS is vulnerable to multiple Stored XSS in slider editor functionality (sliders-form). Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed on every page. By default admin user is not able to add JavaScript into the website.
The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other ...
Show More |
|||||
| CVE-2025-58465 | 1 Qnap | 3 Download Station, Qts, Quts Hero | 2025-11-17 | N/A | 5.4 MEDIUM |
|
A cross-site scripting (XSS) vulnerability has been reported to affect Download Station. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass security mechanisms or read application data.
We have already fixed the vulnerability in the following versions:
Download Station 5.10.0.305 ( 2025/09/16 ) and later
Download Station 5.10.0.304 ( 2025/09/08 ) and later
|
|||||
| CVE-2025-41101 | 1 Fairsketch | 1 Rise Ultimate Project Manager | 2025-11-17 | N/A | 5.4 MEDIUM |
|
HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consist of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'title' in'/projects/save'.
|
|||||
| CVE-2025-41102 | 1 Fairsketch | 1 Rise Ultimate Project Manager | 2025-11-17 | N/A | 5.4 MEDIUM |
|
HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consist of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'title' in '/events/save'.
|
|||||
| CVE-2025-41103 | 1 Fairsketch | 1 Rise Ultimate Project Manager | 2025-11-17 | N/A | 5.4 MEDIUM |
|
HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consist of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'reply_message' in '/messages/reply'.
|
|||||
| CVE-2025-41104 | 1 Fairsketch | 1 Rise Ultimate Project Manager | 2025-11-17 | N/A | 5.4 MEDIUM |
|
HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consist of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'custom_field_1' in '/estimate_requests/save_estimate_request'.
|
|||||
| CVE-2025-41105 | 1 Fairsketch | 1 Rise Ultimate Project Manager | 2025-11-17 | N/A | 5.4 MEDIUM |
|
HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consist of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'title' in '/tickets/save'.
|
|||||
| CVE-2025-41106 | 1 Fairsketch | 1 Rise Ultimate Project Manager | 2025-11-17 | N/A | 5.4 MEDIUM |
|
HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consist of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'first_name' in '/clients/save_contact/'.
|
|||||
| CVE-2025-11189 | 1 Synchroweb | 1 Kiwire | 2025-11-17 | N/A | 7.3 HIGH |
|
The Kiwire Captive Portal contains a reflected cross-site scripting (XSS) vulnerability within the login-url parameter, allowing for Javascript execution.
|
|||||
| CVE-2025-60378 | 1 Fairsketch | 1 Rise Ultimate Project Manager | 2025-11-17 | N/A | 8.1 HIGH |
|
Stored HTML injection in RISE Ultimate Project Manager & CRM allows authenticated users to inject arbitrary HTML into invoices and messages. Injected content renders in emails, PDFs, and messaging/chat modules sent to clients or team members, enabling phishing, credential theft, and business email compromise. Automated recurring invoices and messaging amplify the risk by distributing malicious content to multiple recipients.
|
|||||
| CVE-2025-13097 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2025-11-17 | N/A | 5.4 MEDIUM |
|
Inappropriate implementation in DevTools in Google Chrome prior to 136.0.7103.59 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
|
|||||
| CVE-2025-9647 | 1 Mtons | 1 Mblog | 2025-11-14 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A weakness has been identified in mtons mblog up to 3.5.0. This issue affects some unknown processing of the file /admin/role/list. This manipulation of the argument Name causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited.
|
|||||
| CVE-2025-54168 | 1 Qnap | 1 Qulog Center | 2025-11-14 | N/A | 4.8 MEDIUM |
|
A cross-site scripting (XSS) vulnerability has been reported to affect QuLog Center. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data.
We have already fixed the vulnerability in the following version:
QuLog Center 1.8.2.923 ( 2025/08/27 ) and later
|
|||||
| CVE-2025-57706 | 1 Qnap | 1 File Station | 2025-11-14 | N/A | 5.4 MEDIUM |
|
A cross-site scripting (XSS) vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass security mechanisms or read application data.
We have already fixed the vulnerability in the following version:
File Station 5 5.5.6.5018 and later
|
|||||
| CVE-2020-0656 | 1 Microsoft | 1 Dynamics 365 | 2025-11-14 | 3.5 LOW | 5.4 MEDIUM |
|
A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web request to an affected Dynamics server, aka 'Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability'.
|
|||||
| CVE-2025-24297 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 9.8 CRITICAL |
|
Due to lack of server-side input validation, attackers can inject malicious JavaScript code into users personal spaces of the web portal.
|
|||||
| CVE-2025-41107 | 1 Qdocs | 1 Smart School | 2025-11-14 | N/A | 5.4 MEDIUM |
|
Stored Cross Site Scripting (XSS) vulnerability in Smart School 7.0 due to lack of proper validation of user input when sending a POST request to '/online_admission', wich affects the parameters 'firstname', 'lastname', 'guardian_name' and others. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal his/her session cookie details.
|
|||||
| CVE-2025-12904 | 2025-11-14 | N/A | 7.2 HIGH | ||
|
The SNORDIAN's H5PxAPIkatchu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'insert_data' AJAX endpoint in all versions up to, and including, 0.4.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-64716 | 2025-11-14 | N/A | N/A | ||
|
Anubis is a Web AI Firewall Utility that challenges users' connections in order to protect upstream resources from scraper bots. Prior to version 1.23.0, when using subrequest authentication, Anubis did not perform validation of the redirect URL and redirects user to any URL scheme. While most modern browsers do not allow a redirect to `javascript:` URLs, it could still trigger dangerous behavior in some cases. Anybody with a subrequest authentication may be affected. Version 1.23.0 contains a f ...
Show More |
|||||
| CVE-2025-11769 | 2025-11-14 | N/A | 6.4 MEDIUM | ||
|
The WordPress Content Flipper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bgcolor' shortcode attribute of the 'flipper_front' shortcode in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-64744 | 2025-11-14 | N/A | 3.5 LOW | ||
|
OpenObserve is a cloud-native observability platform. In versions up to and including 0.16.1, when creating or renaming an organization with HTML in the name, the markup is rendered inside the invitation email. This indicates that user-controlled input is inserted into the email template without proper HTML escaping. As of time of publication, no patched versions are available.
|
|||||
| CVE-2025-40681 | 2025-11-14 | N/A | N/A | ||
|
Cross-site Scripting (XSS) vulnerability reflected in xCally's Omnichannel v3.30.1. This vulnerability allowsan attacker to executed JavaScript code in the victim's browser by sending them a malicious URL using the 'failureMessage' parameter in '/login'. This vulnerability can be exploited to steal sentitive user data, such as session cookies , or to perform actions on behalf of the user.
|
|||||
| CVE-2025-10295 | 2025-11-14 | N/A | 6.4 MEDIUM | ||
|
The Angel – Fashion Model Agency WordPress CMS Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting the profile media uploader in all versions up to, and including, 3.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This requires the user has access to the edit profile for ...
Show More |
|||||
| CVE-2025-59840 | 2025-11-14 | N/A | 8.1 HIGH | ||
|
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 6.2.0, applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. They are vulnerable if they use `vega` in an application that attaches `vega` library and a `vega.View` instance similar to the Vega Editor to the global `window` and if they allow user-defined Vega `JSON` de ...
Show More |
|||||
| CVE-2025-8397 | 2025-11-14 | N/A | 6.4 MEDIUM | ||
|
The Save as PDF Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's restpackpdfbutton shortcode in all versions up to, and including, 1.9.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-34240 | 1 Qdocs | 1 Smart School | 2025-11-14 | N/A | 6.1 MEDIUM |
|
QDOCS Smart School 7.0.0 is vulnerable to Cross Site Scripting (XSS) resulting in arbitrary code execution in admin functions related to adding or updating records.
|
|||||
| CVE-2024-7056 | 1 Wpforms | 1 Wpforms | 2025-11-13 | N/A | 3.5 LOW |
|
The WPForms WordPress plugin before 1.9.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as Admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-0249 | 1 Hijiriworld | 1 Advanced Schedule Posts | 2025-11-13 | N/A | 7.1 HIGH |
|
The Advanced Schedule Posts WordPress plugin through 2.1.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admins.
|
|||||