Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-5405 | 1 Chaitak-gorai | 1 Blogbook | 2025-11-10 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability, which was classified as problematic, has been found in chaitak-gorai Blogbook up to 92f5cf90f8a7e6566b576fe0952e14e1c6736513. This issue affects some unknown processing of the file /post.php. The manipulation of the argument comment_author/comment_email/comment_content leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery ...
Show More |
|||||
| CVE-2025-62430 | 1 Oxygenz | 1 Clipbucket | 2025-11-10 | N/A | 5.4 MEDIUM |
|
ClipBucket v5 is an open source video sharing platform. ClipBucket v5 through build 5.5.2 #145 allows stored cross-site scripting (XSS) in multiple video and photo metadata fields. For videos the Tags field and the Genre, Actors, Producer, Executive Producer, and Director fields in Movieinfos accept user supplied values without adequate sanitization. For photos the Photo Title and Photo Tags fields accept user supplied values without adequate sanitization. A regular user who can edit a video or ...
Show More |
|||||
| CVE-2025-62715 | 1 Oxygenz | 1 Clipbucket | 2025-11-10 | N/A | 5.4 MEDIUM |
|
ClipBucket v5 is an open source video sharing platform. Versions 5.5.2-#147 and below contain a stored Cross-Site Scripting (XSS) vulnerability in ClipBucket’s Collection tags feature. An authenticated normal user can create a tag containing HTML or JavaScript, which is later rendered unescaped in collection detail and tag-list pages. As a result, arbitrary JavaScript executes in the browsers of all users who view the affected pages. This issue is fixed in version 5.5.2-#152.
|
|||||
| CVE-2025-48076 | 1 Galette | 1 Galette | 2025-11-10 | N/A | 5.4 MEDIUM |
|
Galette is a membership management web application for non profit organizations. Versions 1.1.5.2 and below allow a user to edit a group name and insert an XSS payload. This issue is fixed in version 1.2.0.
|
|||||
| CVE-2025-48884 | 1 Galette | 1 Galette | 2025-11-10 | N/A | 6.1 MEDIUM |
|
Galette is a membership management web application for non profit organizations. In versions 1.1.5.2 and below, Galette's Document Type is vulnerable to Cross-site Scripting. This issue is fixed in version 1.2.0.
|
|||||
| CVE-2025-63589 | 1 Cmsimple-xh | 1 Cmsimple Xh | 2025-11-10 | N/A | 7.1 HIGH |
|
A reflected XSS vulnerability exists in CMSimple_XH 1.8's index.php router when attacker-controlled path segments are not sanitized or encoded before being inserted into the generated HTML (navigation links, breadcrumbs, search form action, footer links). An attacker-controlled string placed in the URL path is reflected into multiple HTML elements, allowing execution of arbitrary JavaScript in victims' browsers visiting a crafted URL.
|
|||||
| CVE-2025-63588 | 1 Cmsimple-xh | 1 Cmsimple Xh | 2025-11-10 | N/A | 7.1 HIGH |
|
An unauthenticated reflected cross-site scripting vulnerability in the query handling of CMSimpleXH allows remote attackers to inject and execute arbitrary JavaScript in a victim's browser via a crafted request (e.g., a maliciously crafted POST login). Successful exploitation may lead to theft of session cookies, credential disclosure, or other client-side impacts.
|
|||||
| CVE-2025-62264 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-11-10 | N/A | 6.1 MEDIUM |
|
Reflected cross-site scripting (XSS) vulnerability in Languauge Override in Liferay Portal 7.4.3.8 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 update 4 through update 92 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_selectedLanguageId` parameter.
|
|||||
| CVE-2025-62267 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-11-10 | N/A | 6.1 MEDIUM |
|
Multiple cross-site scripting (XSS) vulnerabilities in web content template’s select structure page in Liferay Portal 7.4.3.35 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 35 through update 92 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user’s (1) First Name, (2) Middle Name, or (3) Last Name text field.
|
|||||
| CVE-2025-62618 | 1 Elog Project | 1 Elog | 2025-11-10 | N/A | 8.0 HIGH |
|
ELOG allows an authenticated user to upload arbitrary HTML files. The HTML content is executed in the context of other users when they open the file. Because ELOG includes usernames and password hashes in certain HTTP requests, an attacker can obtain the target's credentials and replay them or crack the password hash offline. In ELOG 3.1.5-20251014 release, HTML files are rendered as plain text.
|
|||||
| CVE-2025-36592 | 1 Dell | 1 Policy Manager For Secure Connect Gateway | 2025-11-10 | N/A | 5.4 MEDIUM |
|
Dell Secure Connect Gateway (SCG) Policy Manager, version(s) 5.20. 5.22, 5.24, 5.26, 5.28, contain(s) an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Script injection.
|
|||||
| CVE-2025-63446 | 1 Water Management System Project | 1 Water Management System | 2025-11-10 | N/A | 6.1 MEDIUM |
|
Water Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /add_vendor.php.
|
|||||
| CVE-2025-4551 | 1 Continew | 1 Continew Admin | 2025-11-10 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability, which was classified as problematic, was found in ContiNew Admin up to 3.6.0. Affected is an unknown function of the file /dev-api/common/file. The manipulation of the argument File leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-12284 | 1 Azure-access | 4 Blu-ic2, Blu-ic2 Firmware, Blu-ic4 and 1 more | 2025-11-10 | N/A | 6.1 MEDIUM |
|
Lack of Input Validation in the web UI might lead to potential exploitation.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
|
|||||
| CVE-2025-63450 | 1 Car-booking-system-php Project | 1 Car-booking-system-php | 2025-11-07 | N/A | 5.4 MEDIUM |
|
Car-Booking-System-PHP v.1.0 is vulnerable to Cross Site Scripting (XSS) in /carlux/booking.php.
|
|||||
| CVE-2025-63447 | 1 Water Management System Project | 1 Water Management System | 2025-11-07 | N/A | 6.1 MEDIUM |
|
Water Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /add_customer.php.
|
|||||
| CVE-2025-63448 | 1 Water Management System Project | 1 Water Management System | 2025-11-07 | N/A | 6.1 MEDIUM |
|
Water Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /edit_product.php?id=1.
|
|||||
| CVE-2025-63449 | 1 Water Management System Project | 1 Water Management System | 2025-11-07 | N/A | 5.4 MEDIUM |
|
Water Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /orders.php.
|
|||||
| CVE-2025-12001 | 1 Azure-access | 4 Blu-ic2, Blu-ic2 Firmware, Blu-ic4 and 1 more | 2025-11-07 | N/A | 6.1 MEDIUM |
|
Lack of application manifest sanitation could lead to potential stored XSS.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
|
|||||
| CVE-2025-57244 | 1 Openkm | 1 Openkm | 2025-11-07 | N/A | 5.4 MEDIUM |
|
OpenKM Community Edition 6.3.12 is vulnerable to stored cross-site scripting (XSS) in the user account creation interface. The Name field accepts script tags and the Email field is vulnerable when the POST request is modified to include encoded script tags, by passing frontend validation.
|
|||||
| CVE-2025-63416 | 1 Selfbest | 1 Selfbest | 2025-11-07 | N/A | 9.1 CRITICAL |
|
** exclusively-hosted-service ** A Stored Cross-Site Scripting (XSS) vulnerability in the chat functionality of the SelfBest platform 2023.3 allows authenticated low-privileged attackers to execute arbitrary JavaScript in the context of other users' sessions. This can be exploited to access administrative data and functions, leading to privilege escalation and full compromise of sensitive user data, as demonstrated by the ability to fetch and exfiltrate the contents of the /admin/users endpoint.
|
|||||
| CVE-2025-63417 | 1 Selfbest | 1 Selfbest | 2025-11-07 | N/A | 7.2 HIGH |
|
A Stored Cross-Site Scripting (XSS) vulnerability in the chat functionality of the SelfBest platform 2023.3 allows authenticated attackers to inject arbitrary web scripts or HTML via the chat message input field. This malicious content is stored and then executed in the context of other users' browsers when they view the malicious message, potentially leading to session hijacking, account takeover, or other client-side attacks.
|
|||||
| CVE-2025-63418 | 1 Selfbest | 1 Selfbest | 2025-11-07 | N/A | 6.1 MEDIUM |
|
A DOM-based Cross-Site Scripting (XSS) vulnerability in the SelfBest platform 2023.3 allows attackers to execute arbitrary JavaScript in the context of a logged-in user's session by injecting payloads via the browser's developer console. The vulnerability arises from the application's client-side code being susceptible to direct DOM manipulation without adequate sanitization or a Content Security Policy (CSP), potentially leading to account takeover and data theft.
|
|||||
| CVE-2019-9978 | 1 Warfareplugins | 2 Social Warfare, Social Warfare Pro | 2025-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.
|
|||||
| CVE-2020-11023 | 7 Debian, Drupal, Fedoraproject and 4 more | 60 Debian Linux, Drupal, Fedora and 57 more | 2025-11-07 | 4.3 MEDIUM | 6.9 MEDIUM |
|
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
|
|||||
| CVE-2025-43804 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-11-07 | N/A | 6.1 MEDIUM |
|
Cross-site scripting (XSS) vulnerability in Search widget in Liferay Portal 7.4.3.93 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_portal_search_web_portlet_SearchPortlet_userId parameter.
|
|||||
| CVE-2023-7319 | 1 Nagios | 1 Network Analyzer | 2025-11-07 | N/A | 5.4 MEDIUM |
|
Nagios Network Analyzer versions prior to 2024R1 are vulnerable to cross-site scripting (XSS) via the Percentile Calculator menu. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
|
|||||
| CVE-2025-63593 | 1 Getgrav | 1 Grav | 2025-11-07 | N/A | 6.1 MEDIUM |
|
Grav CMS1.7.49.5 is vulnerable to Cross Site Scripting (XSS).
|
|||||
| CVE-2024-30145 | 1 Hcltech | 1 Domino Leap | 2025-11-07 | N/A | 6.5 MEDIUM |
|
Multiple vectors in HCL Domino Volt and Domino Leap allow client-side
script injection in the authoring environment and deployed applications.
|
|||||
| CVE-2024-9444 | 1 Quomodosoft | 1 Elementsready | 2025-11-07 | N/A | 6.4 MEDIUM |
|
The ElementsReady Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
|
|||||
| CVE-2021-47698 | 1 Nagios | 1 Nagios Xi | 2025-11-07 | N/A | 5.4 MEDIUM |
|
Nagios XI versions prior to 5.8.7 using embedded Nagios Core are vulnerable to cross-site scripting (XSS) via the Core UI’s Views URL handling (escape_string()). Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
|
|||||
| CVE-2025-10955 | 2025-11-07 | N/A | 6.1 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Netcad Software Inc. Netigma allows XSS Through HTTP Query Strings.This issue affects Netigma: from 6.3.5 before 6.3.5 V8.
|
|||||
| CVE-2024-12020 | 1 Logicaldoc | 1 Logicaldoc | 2025-11-07 | N/A | 6.1 MEDIUM |
|
There is a reflected cross-site scripting (XSS) within JSP files used to control application appearance. An unauthenticated attacker could deceive a user into clicking a crafted link to trigger the vulnerability. Stealing the session cookie is not possible due to cookie security flags, however the XSS may be used to induce a victim to perform on-site requests without their knowledge.
This vulnerability only affects LogicalDOC Enterprise.
|
|||||
| CVE-2025-62800 | 1 Jlowin | 1 Fastmcp | 2025-11-07 | N/A | 6.1 MEDIUM |
|
FastMCP is the standard framework for building MCP applications. Versions prior to 2.13.0 have a reflected cross-site scripting vulnerability in the OAuth client callback page (oauth_callback.py) where unescaped user-controlled values are inserted into the generated HTML, allowing arbitrary JavaScript execution in the callback server origin. The issue is fixed in version 2.13.0.
|
|||||
| CVE-2025-5347 | 1 Zohocorp | 1 Manageengine Exchange Reporter Plus | 2025-11-07 | N/A | 6.3 MEDIUM |
|
Zohocorp ManageEngine Exchange Reporter Plus versions before 5723 are vulnerable to Stored Cross Site Scripting in the reports module.
|
|||||
| CVE-2025-5343 | 1 Zohocorp | 1 Manageengine Exchange Reporter Plus | 2025-11-07 | N/A | 6.3 MEDIUM |
|
Zohocorp ManageEngine Exchange Reporter Plus versions through 5721 are vulnerable to Stored Cross Site Scripting in the Instant Search option.
|
|||||
| CVE-2024-29034 | 1 Carrierwave Project | 1 Carrierwave | 2025-11-07 | N/A | 6.8 MEDIUM |
|
CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. The vulnerability CVE-2023-49090 wasn't fully addressed. This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that is interpreted by browsers to be different from what's allowed by `content_type_allowlist`, by providing multiple values separated by commas. This bypassed value can be used to cause XSS. Upgrade to 3. ...
Show More |
|||||
| CVE-2025-12546 | 1 Logicaldoc | 1 Logicaldoc | 2025-11-07 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was determined in LogicalDOC Community Edition up to 9.2.1. This affects an unknown part of the component API Key creation UI. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-11946 | 1 Logicaldoc | 1 Logicaldoc | 2025-11-07 | 4.0 MEDIUM | 3.5 LOW |
|
A security flaw has been discovered in LogicalDOC Community Edition up to 9.2.1. This issue affects some unknown processing of the file /frontend.jsp of the component Add Contact Page. Performing manipulation of the argument First Name/Last Name/Company/Address/Phone/Mobile results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any ...
Show More |
|||||
| CVE-2025-26258 | 1 Remyandrade | 1 Employee Management System | 2025-11-06 | N/A | 6.1 MEDIUM |
|
Sourcecodester Employee Management System v1.0 is vulnerable to Cross Site Scripting (XSS) via 'Add Designation.'
|
|||||