Total: 42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2022-27926 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-10-31 | 4.3 MEDIUM | 6.1 MEDIUM | A reflected cross-site scripting (XSS) vulnerability in the /public/launchNewWindow.jsp component of Zimbra Collaboration (aka ZCS) 9.0 allows unauthenticated attackers to execute arbitrary web script or HTML via request parameters. |
| CVE-2025-60280 | 1 Hockeycomputindo | 1 Bang Resto | 2025-10-31 | N/A | 6.1 MEDIUM | Cross-Site Scripting (XSS) vulnerability in Bang Resto v1.0 could allow an attacker to inject malicious JavaScript code into the application's web pages. This vulnerability exists due to insufficient input sanitization or output encoding, allowing attacker-controlled input to be rendered directly in the browser. When exploited, an attacker can steal session cookies, redirect users to malicious sites, perform actions on behalf of the user, or deface the website. This can lead to user data comprom ... |
| CVE-2025-11952 | 1 Oct8ne | 1 Chatbot | 2025-10-31 | N/A | 6.1 MEDIUM | Stored Cross-site Scripting (XSS) in Oct8ne Chatbot v2.3. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by injecting a malicious payload through the creation of a transcript that is sent by email. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user, through /Records/SendSummaryMail. |
| CVE-2023-37580 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-10-31 | N/A | 6.1 MEDIUM | Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web Client. |
| CVE-2023-43770 | 2 Debian, Roundcube | 2 Debian Linux, Webmail | 2025-10-31 | N/A | 6.1 MEDIUM | Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior. |
| CVE-2024-27443 | 1 Zimbra | 1 Collaboration | 2025-10-31 | N/A | 6.1 MEDIUM | An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context ... |
| CVE-2024-37383 | 2 Debian, Roundcube | 2 Debian Linux, Webmail | 2025-10-31 | N/A | 6.1 MEDIUM | Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes. |
| CVE-2025-7329 | 1 Rockwellautomation | 2 1783-natr, 1783-natr Firmware | 2025-10-30 | N/A | 4.8 MEDIUM | A Stored Cross-Site Scripting security issue exists in the affected product that could potentially allow a malicious user to view and modify sensitive data or make the webpage unavailable. The vulnerability stems from missing special character filtering and encoding. Successful exploitation requires an attacker to be able to update configuration fields behind admin login. |
| CVE-2022-42450 | 1 Hcltech | 1 Domino Leap | 2025-10-30 | N/A | 4.6 MEDIUM | Improper sanitization of SVG files in HCL Domino Volt allows client-side script injection in deployed applications. |
| CVE-2023-37535 | 1 Hcltech | 1 Domino Leap | 2025-10-30 | N/A | 7.1 HIGH | Insufficient URI protocol whitelist in HCL Domino Volt and Domino Leap allows script injection through query parameters. |
| CVE-2025-12311 | 1 Phpgurukul | 1 Curfew E-pass Management System | 2025-10-30 | 3.3 LOW | 2.4 LOW | A vulnerability was detected in PHPGurukul Curfew e-Pass Management System 1.0. This issue affects some unknown processing of the file edit-category-detail.php. The manipulation of the argument catname results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used. |
| CVE-2025-12312 | 1 Phpgurukul | 1 Curfew E-pass Management System | 2025-10-30 | 3.3 LOW | 2.4 LOW | A flaw has been found in PHPGurukul Curfew e-Pass Management System 1.0. Impacted is an unknown function of the file view-pass-detail.php. This manipulation of the argument Fullname/Category causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be used. |
| CVE-2024-11182 | 1 Mdaemon | 1 Mdaemon | 2025-10-30 | N/A | 6.1 MEDIUM | An XSS issue was discovered in MDaemon Email Server before version 24.5.1c. An attacker can send an HTML e-mail message with JavaScript in an img tag. This could allow a remote attacker to load arbitrary JavaScript code in the context of a webmail user's browser window. |
| CVE-2023-5631 | 3 Debian, Fedoraproject, Roundcube | 3 Debian Linux, Fedora, Webmail | 2025-10-30 | N/A | 6.1 MEDIUM | Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code. |
| CVE-2025-12333 | 1 Fabian | 1 E-commerce Website | 2025-10-30 | 5.0 MEDIUM | 4.3 MEDIUM | A vulnerability has been found in code-projects E-Commerce Website 1.0. This impacts an unknown function of the file /pages/supplier_add.php. The manipulation of the argument supp_name/supp_address leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-50055 | | | 2025-10-30 | N/A | 6.4 MEDIUM | Cross-site scripting (XSS) vulnerability in the SAML Authentication module in OpenVPN Access Server version 2.14.0 through 2.14.3 allows configured remote SAML Assertion Consumer Service (ACS) endpoint servers to inject arbitrary web script or HTML via the RelayState parameter. |
| CVE-2025-2161 | 1 Pega | 1 Pega Platform | 2025-10-30 | N/A | 7.1 HIGH | Pega Platform versions 7.2.1 to Infinity 24.2.1 are affected by an XSS issue with Mashup. |
| CVE-2025-2160 | 1 Pega | 1 Pega Platform | 2025-10-30 | N/A | 8.1 HIGH | Pega Platform versions 8.4.3 to Infinity 24.2.1 are affected by an XSS issue with Mashup. |
| CVE-2025-32809 | 1 Wwnorton | 1 Inquizitive | 2025-10-30 | N/A | 6.4 MEDIUM | W. W. Norton InQuizitive through 2025-04-08 allows students to conduct stored XSS attacks against educators via a bonus description, feedback.choice_fb[], or question_id. |
| CVE-2025-8848 | 1 Librechat | 1 Librechat | 2025-10-30 | N/A | 5.4 MEDIUM | A vulnerability in danny-avila/librechat version 0.7.9 allows for HTML injection via the Accept-Language header. When a logged-in user sends an HTTP GET request with a crafted Accept-Language header, arbitrary HTML can be injected into the `<html lang="">` tag of the response. This can lead to potential security risks such as cross-site scripting (XSS) attacks. |
| CVE-2025-10534 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-10-30 | N/A | 8.1 HIGH | Spoofing issue in the Site Permissions component. This vulnerability affects Firefox < 143 and Thunderbird < 143. |
| CVE-2025-62528 | 1 Taguette | 1 Taguette | 2025-10-30 | N/A | 5.4 MEDIUM | Taguette is an open source qualitative research tool. An issue has been discovered in Taguette versions prior to 1.5.0. It was possible for a project member to put JavaScript in name or description fields which would run on project load. This issue has been patched in version 1.5.0. |
| CVE-2025-10869 | 1 Oct8ne | 1 Chatbot | 2025-10-30 | N/A | 6.1 MEDIUM | Stored Cross-site Scripting (XSS) in Oct8ne Chatbot v2.3. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by injecting a malicious payload through the creation of a transcript that is sent by email. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user, through /Data/SaveInteractions. |
| CVE-2025-34253 | 1 Dlink | 1 Nuclias Connect | 2025-10-30 | N/A | 5.4 MEDIUM | D-Link Nuclias Connect firmware versions <= 1.3.1.4 contain a stored cross-site scripting (XSS) vulnerability due to improper sanitization of the 'Network' field when editing the configuration, creating a profile, and adding a network. An authenticated attacker can inject arbitrary JavaScript to be executed in the context of other users viewing the profile entry. NOTE: D-Link states that a fix is under development. |
| CVE-2024-43573 | 1 Microsoft | 14 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 11 more | 2025-10-30 | N/A | 6.5 MEDIUM | Windows MSHTML Platform Spoofing Vulnerability |
| CVE-2024-12374 | 1 Automatic1111 | 1 Stable-diffusion-webui | 2025-10-30 | N/A | 6.1 MEDIUM | A stored cross-site scripting (XSS) vulnerability exists in automatic1111/stable-diffusion-webui version git 82a973c. An attacker can upload an HTML file, which the application interprets as content-type application/html. If a victim accesses the malicious link, it will execute arbitrary JavaScript in the victim's browser. |
| CVE-2025-12290 | | | 2025-10-30 | 5.0 MEDIUM | 4.3 MEDIUM | A vulnerability has been found in Sui Shang Information Technology Suishang Enterprise-Level B2B2C Multi-User Mall System 1.0. Affected by this issue is some unknown functionality of the file /i/359. The manipulation of the argument keywords leads to cross site scripting. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-12289 | | | 2025-10-30 | 5.0 MEDIUM | 4.3 MEDIUM | A flaw has been found in Sui Shang Information Technology Suishang Enterprise-Level B2B2C Multi-User Mall System 1.0. Affected by this vulnerability is an unknown functionality of the file /Point/index/activity_state/1/category_id/1001. Executing manipulation of the argument category_id can lead to cross site scripting. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-60983 | | | 2025-10-30 | N/A | 5.4 MEDIUM | Reflected Cross Site Scripting vulnerability in Rubikon Banking Solution 4.0.3 in the "Search For Customers Information" endpoints. |
| CVE-2025-61080 | | | 2025-10-30 | N/A | 5.4 MEDIUM | A reflected Cross-Site Scripting (XSS) vulnerability has been identified in Clear2Pay Bank Visibility Application - Payment Execution 1.10.0.104 via the ID parameter in the URL. |
| CVE-2025-62796 | | | 2025-10-30 | N/A | 5.8 MEDIUM | PrivateBin is an online pastebin where the server has zero knowledge of pasted data. Versions 1.7.7 through 2.0.1 allow persistent HTML injection via the unsanitized attachment filename (attachment_name) when attachments are enabled. An attacker can modify attachment_name before encryption so that, after decryption, arbitrary HTML is inserted unescaped into the page near the file size hint, enabling redirect (e.g., meta refresh) and site defacement and related phishing attacks. Script execution ... |
| CVE-2025-62793 | | | 2025-10-30 | N/A | 6.8 MEDIUM | eLabFTW is an open source electronic lab notebook for research labs. The application served uploaded SVG files inline. Because SVG supports active content, an attacker could upload a crafted SVG that executes script when viewed, resulting in stored XSS under the application origin. A victim who opens the SVG URL or any page embedding it could have their session hijacked, data exfiltrated, or actions performed on their behalf. This vulnerability is fixed in 5.3.0. |
| CVE-2025-62798 | | | 2025-10-30 | N/A | 5.4 MEDIUM | Sharp is a content management framework built for Laravel as a package. Prior to 9.11.1, a Cross-Site Scripting (XSS) vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component. In affected versions, expressions wrapped in {{ & }} were evaluated by Vue. This allowed attackers to inject arbitrary JavaScript or HTML that executes in the browser when the field is displayed. The issue has been fixed in v9.11.1. |
| CVE-2025-34318 | | | 2025-10-30 | N/A | N/A | IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the TLS_HOSTNAME, UPSTREAM_USER, UPSTREAM_PASSWORD, ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD parameters when adding a new DNS entry. When a user adds a DNS entry, the application issues an HTTP POST request to /cgi-bin/dns.cgi and these values are provided in the corresponding parameters. The values are stored an ... |
| CVE-2025-12475 | | | 2025-10-30 | N/A | 6.4 MEDIUM | The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'blocksy_newsletter_subscribe' shortcode in all versions up to, and including, 2.1.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-10348 | | | 2025-10-30 | N/A | N/A | URVE Smart Office is vulnerable to Stored XSS in the report problem functionality. An attacker with a low-privileged account can upload an SVG file containing a malicious payload, which will be executed when a victim visits the URL of the uploaded resource. The resource is available to anyone without any form of authentication. This issue was fixed in version 1.1.24. |
| CVE-2025-12450 | | | 2025-10-30 | N/A | 6.1 MEDIUM | The LiteSpeed Cache plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URLs in all versions up to, and including, 7.5.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. |
| CVE-2025-54384 | | | 2025-10-30 | N/A | 6.3 MEDIUM | CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.9 and 2.11.4, the helpers.markdown_extract() function did not perform sufficient sanitization of input data before wrapping in an HTML literal element. This helper is used to render user-provided data on dataset, resource, organization or group pages (plus any page provided by an extension that used that helper function), leading to a potential XSS vector. This vulnerability has been fixed ... |
| CVE-2025-25009 | 1 Elastic | 1 Kibana | 2025-10-30 | N/A | 8.7 HIGH | Improper Neutralization of Input During Web Page Generation in Kibana can lead to Stored XSS via case file upload. |
| CVE-2025-25017 | 1 Elastic | 1 Kibana | 2025-10-30 | N/A | 8.2 HIGH | Improper Neutralization of Input During Web Page Generation in Kibana can lead to Cross-Site Scripting (XSS). |
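The LibreChat entry (CVE-2025-8848) describes a request header landing unescaped inside the `lang` attribute of a server-rendered `<html>` tag. The following is an added example, not LibreChat's code, that models that bug class in Node.js: a naive renderer beside a hardened one that parses the header, allow-lists the locale and attribute-encodes the result. The function names, the locale list and both header values are constructed for illustration.

```javascript
// Added example (not LibreChat's code). Models CVE-2025-8848's bug class:
// an Accept-Language value copied into <html lang=""> of a server-rendered page.
// Function names, SHIPPED_LOCALES and the sample headers are illustrative.

// Vulnerable rendering: trusts the first Accept-Language entry as-is, so a
// value containing '"><script>' closes the attribute and the tag.
function renderHtmlTagVulnerable(acceptLanguage) {
  const lang = (acceptLanguage || 'en').split(',')[0].trim();
  return `<html lang="${lang}">`;
}

// Hardened rendering, three layers:
//  1. parse the header properly (split on commas, drop ;q= weights);
//  2. accept only locales the application actually ships, else a default;
//  3. attribute-encode the chosen value anyway, so a later change to the
//     allow-list cannot reopen the hole.
const SHIPPED_LOCALES = ['en', 'de', 'fr', 'es', 'pt-BR'];   // assumed for the example
const DEFAULT_LOCALE = 'en';
const LANG_TAG = /^[A-Za-z]{2,3}(?:-[A-Za-z0-9]{1,8})*$/;   // BCP 47-like shape, not the full grammar

function pickLocale(acceptLanguage, shipped = SHIPPED_LOCALES) {
  if (typeof acceptLanguage !== 'string') return DEFAULT_LOCALE;
  const wanted = acceptLanguage
    .split(',')
    .map(part => part.split(';')[0].trim())   // "fr;q=0.9" -> "fr"
    .filter(tag => LANG_TAG.test(tag));       // anything else is discarded, not escaped later
  const byLower = new Map(shipped.map(l => [l.toLowerCase(), l]));
  for (const tag of wanted) {
    const exact = byLower.get(tag.toLowerCase());      // "pt-br" -> "pt-BR"
    if (exact) return exact;
    const base = byLower.get(tag.split('-')[0].toLowerCase());   // "fr-CA" -> "fr"
    if (base) return base;
  }
  return DEFAULT_LOCALE;
}

// Minimal HTML attribute encoder for double-quoted attribute values.
function escapeAttribute(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function renderHtmlTagSafe(acceptLanguage) {
  return `<html lang="${escapeAttribute(pickLocale(acceptLanguage))}">`;
}

// Constructed header values: a normal browser preference list and an injection attempt.
const BROWSER_HEADER = 'fr-CA,fr;q=0.9,en-US;q=0.8,en;q=0.7';
const HOSTILE_HEADER = '"><script>alert(document.domain)</script><x a="';

// Stand-alone run: the vulnerable renderer emits a <script> element, the safe one does not.
console.log(renderHtmlTagVulnerable(HOSTILE_HEADER));
console.log(renderHtmlTagSafe(HOSTILE_HEADER));
console.log(renderHtmlTagSafe(BROWSER_HEADER));
```

The allow-list is the real fix: a locale that the application does not ship has no business in the attribute, whatever its syntax. The encoder is defence in depth for the day someone adds a locale string with a quote in it by mistake.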
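Several entries in this list share one root cause: a user-supplied SVG or HTML file is stored and later served inline on the application origin (eLabFTW, CVE-2025-62793; URVE Smart Office, CVE-2025-10348; stable-diffusion-webui, CVE-2024-12374; HCL Domino Volt, CVE-2022-42450), or an SVG inside an e-mail is rendered with its animation attributes intact (Roundcube, CVE-2024-37383 and CVE-2023-5631). The following added example, which is not code from any of those projects, shows the controls a practitioner wants on the upload path: content sniffing that ignores the declared type, a triage scan for the script vectors SVG carries (including the SMIL `animate` on `href` pattern), and response headers that force a download instead of inline rendering. The function names, the allow-list of inline types and the sample files are constructed for the example.

```javascript
// Added example; not code from eLabFTW, URVE, stable-diffusion-webui, HCL or Roundcube.
// Names, INLINE_SAFE_TYPES and the sample uploads are constructed for illustration.

// Sniff the leading bytes, ignoring BOM, XML prolog, DOCTYPE and comments, so a
// declared "image/png" or a renamed extension cannot hide SVG or HTML markup.
function sniffActiveMarkup(bytes) {
  const raw = Buffer.isBuffer(bytes) ? bytes.toString('utf8', 0, 2048) : String(bytes).slice(0, 2048);
  const head = raw
    .replace(/^\uFEFF/, '')
    .replace(/<\?xml[^>]*\?>/i, '')
    .replace(/<!DOCTYPE[^>]*>/i, '')
    .replace(/<!--[\s\S]*?-->/g, '')
    .trim();
  if (/^<svg[\s>]/i.test(head)) return 'svg';
  if (/^<(?:html|head|body|script|iframe)[\s>]/i.test(head)) return 'html';
  return null;
}

// Heuristic scan for the ways an SVG can run script: <script>, on* handlers,
// javascript: URLs anywhere (including SMIL "values"), animation that rewrites
// href (the vector named in CVE-2024-37383) and foreignObject (embeds HTML).
// Treat any hit as grounds to reject the upload; regexes are a triage aid, not a sanitizer.
function svgActiveContent(text) {
  const findings = [];
  if (/<script[\s>]/i.test(text)) findings.push('script element');
  if (/\son[a-z]+\s*=/i.test(text)) findings.push('event handler attribute');
  if (/javascript\s*:/i.test(text)) findings.push('javascript: URL');
  if (/<(?:animate|set)\b[^>]*attributeName\s*=\s*["'](?:xlink:)?href["']/i.test(text)) findings.push('animated href');
  if (/<foreignObject[\s>]/i.test(text)) findings.push('foreignObject');
  return findings;
}

// Headers for serving any user upload. SVG and HTML are always forced to download
// as octet-stream; other files keep their stored type only if it is on the allow-list.
// nosniff stops the browser second-guessing the type; the CSP sandbox neuters any
// script that still gets rendered by a client that ignores Content-Disposition.
const INLINE_SAFE_TYPES = new Set(['image/png', 'image/jpeg', 'image/gif']);   // assumed list

function headersForUpload(filename, bytes, storedType) {
  const kind = sniffActiveMarkup(bytes);
  const safeName = filename.replace(/[^A-Za-z0-9._-]/g, '_').slice(0, 128) || 'download';
  const contentType = !kind && INLINE_SAFE_TYPES.has(storedType) ? storedType : 'application/octet-stream';
  return {
    'Content-Type': contentType,
    'Content-Disposition': `attachment; filename="${safeName}"`,
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "sandbox; default-src 'none'",
  };
}

// Constructed upload: looks like a plain icon but carries a SMIL-animated javascript: href.
const SAMPLE_SVG = Buffer.from(
  '<?xml version="1.0" encoding="UTF-8"?>\n<!-- company logo -->\n' +
  '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="32" height="32">' +
  '<a><animate attributeName="href" values="javascript:alert(document.domain)" dur="1s" fill="freeze"/>' +
  '<rect width="32" height="32" fill="#09f"/></a></svg>\n'
);
// Constructed PNG signature, the honest case.
const SAMPLE_PNG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

// Stand-alone run: classify both samples and print the headers the SVG would get.
console.log(sniffActiveMarkup(SAMPLE_SVG), svgActiveContent(SAMPLE_SVG.toString()));
console.log(sniffActiveMarkup(SAMPLE_PNG), headersForUpload('logo.svg', SAMPLE_SVG, 'image/svg+xml'));
```

If the product must display user SVGs inline (avatars, diagrams), serve them from a separate origin with no cookies and a sandboxed CSP, or rasterize them server-side; rejecting on `svgActiveContent` hits is a useful gate at upload time but is not by itself a guarantee, since SVG has more script-bearing constructs than any short regex list covers.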