Total: 42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-25018 | 1 Elastic | 1 Kibana | 2025-10-30 | N/A | 8.7 HIGH | Improper Neutralization of Input During Web Page Generation in Kibana can lead to stored Cross-Site Scripting (XSS). |
| CVE-2025-52620 | 1 Hcltech | 1 Bigfix Saas | 2025-10-29 | N/A | 4.3 MEDIUM | HCL BigFix SaaS Authentication Service is affected by a Cross-Site Scripting (XSS) vulnerability. The image upload functionality inadequately validated the submitted image format. |
| CVE-2025-58747 | 1 Langgenius | 1 Dify | 2025-10-29 | N/A | 6.1 MEDIUM | Dify is an LLM application development platform. In Dify versions through 1.9.1, the MCP OAuth component is vulnerable to cross-site scripting when a victim connects to an attacker-controlled remote MCP server. The vulnerability exists in the OAuth flow implementation where the authorization_url provided by a remote MCP server is directly passed to window.open without validation or sanitization. An attacker can craft a malicious MCP server that returns a JavaScript URI (such as javascript:alert( ... |
| CVE-2025-8681 | 1 Pega | 1 Pega Platform | 2025-10-29 | N/A | 5.5 MEDIUM | Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component. Requires a high privileged user with a developer role. |
| CVE-2023-7143 | 1 Fabian | 1 Client Details System | 2025-10-29 | 3.3 LOW | 2.4 LOW | A vulnerability was found in code-projects Client Details System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /admin/regester.php. The manipulation of the argument fname/lname/email/contact leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-249146 is the identifier assigned to this vulnerability. |
| CVE-2022-41299 | 1 Ibm | 1 Transformation Advisor | 2025-10-29 | N/A | 4.4 MEDIUM | IBM Cloud Transformation Advisor 2.0.1 through 3.3.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 237214. |
| CVE-2025-60302 | 1 Fabian | 1 Client Details System | 2025-10-29 | N/A | 6.1 MEDIUM | code-projects Client Details System 1.0 is vulnerable to Cross Site Scripting (XSS). When adding customer information, the client details system fills in malicious JavaScript code in the username field. |
| CVE-2024-12211 | 1 Pega | 1 Pega Platform | 2025-10-29 | N/A | 5.4 MEDIUM | Pega Platform versions 8.1 to Infinity 24.2.0 are affected by a Stored XSS issue with profile. |
| CVE-2024-39594 | 1 Sap | 2 Business Warehouse, Business Warehouse Virtual Comp | 2025-10-29 | N/A | 6.1 MEDIUM | SAP Business Warehouse - Business Planning and Simulation application does not sufficiently encode user controlled inputs, resulting in Reflected Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can cause low impact on the confidentiality and integrity of the application. |
| CVE-2021-31693 | 1 10web | 1 Photo Gallery | 2025-10-29 | N/A | 6.1 MEDIUM | The 10Web Photo Gallery plugin through 1.5.68 for WordPress allows XSS via album_gallery_id_0, bwg_album_search_0, and type_0 for bwg_frontend_data. NOTE: other parameters are covered by CVE-2021-24291, CVE-2021-25041, and CVE-2021-46889. NOTE: VMware information, previously connected to this CVE ID because of a typo, is at CVE-2022-31693. |
| CVE-2024-3575 | 1 Mindsdb | 1 Mindsdb | 2025-10-29 | N/A | 6.1 MEDIUM | Cross-site Scripting (XSS) - Stored in mindsdb/mindsdb. |
| CVE-2024-5410 | 1 Oringnet | 2 Iap-420, Iap-420 Firmware | 2025-10-29 | N/A | 5.4 MEDIUM | Missing input validation in the ORing IAP-420 web-interface allows stored Cross-Site Scripting (XSS). This issue affects IAP-420 version 2.01e and below. |
| CVE-2024-30112 | 1 Hcltech | 1 Connections | 2025-10-28 | N/A | 5.4 MEDIUM | HCL Connections is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user, which leads to executing malicious script code. This may let the attacker steal cookie-based authentication credentials and compromise the user's account, then launch other attacks. |
| CVE-2024-39595 | 1 Sap | 2 Business Warehouse, Business Warehouse Virtual Comp | 2025-10-28 | N/A | 5.4 MEDIUM | SAP Business Warehouse - Business Planning and Simulation application does not sufficiently encode user-controlled inputs, resulting in Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability allows users to modify website content and, on successful exploitation, an attacker can cause low impact to the confidentiality and integrity of the application. |
| CVE-2024-0640 | 1 Chatwoot | 1 Chatwoot | 2025-10-28 | N/A | 4.8 MEDIUM | A stored cross-site scripting (XSS) vulnerability exists in chatwoot/chatwoot versions 3.0.0 to 3.5.1. This vulnerability allows an admin user to inject malicious JavaScript code via the dashboard app settings, which can then be executed by another admin user when they access the affected dashboard app. The issue is fixed in version 3.5.2. |
| CVE-2024-10088 | 1 Softcom.wroc | 1 Iksoris | 2025-10-28 | N/A | 6.1 MEDIUM | Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to Reflected XSS (Cross-site Scripting) attacks. An attacker might trick a user into filling a login form with a malicious script, which causes the script to run in the user's context. This vulnerability has been patched in version 79.0. |
| CVE-2024-10089 | 1 Softcom.wroc | 1 Iksoris | 2025-10-28 | N/A | 5.4 MEDIUM | Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to Stored XSS (Cross-site Scripting) attacks. An attacker might trick a user into filling a form designed for changing user's data with a malicious script, which causes the script to run in the user's context. This vulnerability has been patched in version 79.0. |
| CVE-2024-10090 | 1 Softcom.wroc | 1 Iksoris | 2025-10-28 | N/A | 6.1 MEDIUM | Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to Reflected XSS (Cross-site Scripting) attacks. An attacker might trick a user into filling a form designed for adding users with a malicious script, which causes the script to run in the user's context. This vulnerability has been patched in version 79.0. |
| CVE-2024-13598 | 1 Softcom.wroc | 1 Iksoris | 2025-10-28 | N/A | 6.1 MEDIUM | Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to Reflected XSS (Cross-site Scripting) attacks. Using the functionality for creating new form fields, one creates new parameters vulnerable to XSS attacks. A user tricked into filling such a form with a malicious script will run the code in their context. This vulnerability has been patched in version 79.0. |
| CVE-2024-49707 | 1 Softcom.wroc | 1 Iksoris | 2025-10-28 | N/A | 6.1 MEDIUM | Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to Reflected XSS (Cross-site Scripting) attacks. An attacker might trick a user into filling a form designed for resetting the user's password with a malicious script, which causes the script to run in the user's context. This vulnerability has been patched in version 79.0. |
| CVE-2024-49708 | 1 Softcom.wroc | 1 Iksoris | 2025-10-28 | N/A | 5.4 MEDIUM | Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to Stored XSS (Cross-site Scripting) attacks. An attacker might trick a user into filling a form designed for setting the delivery address with a malicious script, which causes the script to run in the user's context. This vulnerability has been patched in version 79.0. |
| CVE-2025-27441 | 1 Zoom | 6 Meeting Software Development Kit, Rooms, Rooms Controller and 3 more | 2025-10-28 | N/A | 4.6 MEDIUM | Cross site scripting in some Zoom Workplace Apps may allow an unauthenticated user to conduct a loss of integrity via adjacent network access. |
| CVE-2025-27442 | 1 Zoom | 6 Meeting Software Development Kit, Rooms, Rooms Controller and 3 more | 2025-10-28 | N/A | 4.6 MEDIUM | Cross site scripting in some Zoom Workplace Apps may allow an unauthenticated user to conduct a loss of integrity via adjacent network access. |
| CVE-2024-10087 | 1 Softcom.wroc | 1 Iksoris | 2025-10-28 | N/A | 5.4 MEDIUM | Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to Reflected XSS (Cross-site Scripting) attacks. An attacker might craft a link containing a malicious script, which then gets directly embedded in references to other resources, which causes the script to run in the user's context multiple times. This vulnerability has been patched in version 79.0. |
| CVE-2025-59838 | 1 Monkeytype | 1 Monkeytype | 2025-10-28 | N/A | 5.4 MEDIUM | Monkeytype is a minimalistic and customizable typing test. In versions 25.36.0 and prior, improper handling of user input when loading a saved custom text results in XSS. This issue has been fixed in version 25.44.0. |
| CVE-2020-3580 | 1 Cisco | 2 Adaptive Security Appliance Software, Firepower Threat Defense | 2025-10-28 | 2.6 LOW | 6.1 MEDIUM | Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device. The vulnerabilities are due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit these vulnerabilities by ... |
| CVE-2025-41384 | 1 Salesagility | 1 Suitecrm | 2025-10-28 | N/A | 6.1 MEDIUM | Reflected Cross-Site Scripting (XSS) vulnerability in SuiteCRM v7.14.1. This vulnerability allows an attacker to execute JavaScript code by modifying the HTTP Referer header to include an arbitrary domain with malicious JavaScript code at the end. The server will attempt to block the arbitrary domain but will allow the JavaScript code to execute. |
| CVE-2025-60859 | 1 Sir | 1 Gnuboard | 2025-10-28 | N/A | 6.1 MEDIUM | Cross Site Scripting (XSS) vulnerability in Gnuboard 5.6.15 allows authenticated attackers to execute arbitrary code via a crafted c_id parameter in bbs/view_comment.php. |
| CVE-2025-60936 | 1 Openenergymonitor | 1 Emoncms | 2025-10-28 | N/A | 6.1 MEDIUM | Emoncms 11.7.3 is vulnerable to Cross Site Scripting (XSS) in the input handling mechanism. This vulnerability allows authenticated attackers with API access to inject malicious JavaScript code that executes when administrators view the application logs. |
| CVE-2025-12279 | 1 Fabian | 1 Client Details System | 2025-10-28 | 3.3 LOW | 2.4 LOW | A vulnerability has been found in code-projects Client Details System 1.0. This vulnerability affects unknown code of the file /welcome.php. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. |
| CVE-2025-12228 | 1 Projectworlds | 1 Expense Management System | 2025-10-28 | 3.3 LOW | 2.4 LOW | A vulnerability was identified in projectworlds Expense Management System 1.0. The impacted element is an unknown function of the file /public/admin/users/create of the component Users Page. The manipulation leads to cross site scripting. The attack can be carried out remotely. The exploit is publicly available and might be used. |
| CVE-2025-12231 | 1 Projectworlds | 1 Expense Management System | 2025-10-28 | 3.3 LOW | 2.4 LOW | A security vulnerability has been detected in projectworlds Expense Management System 1.0. Affected is an unknown function of the file /public/admin/expense_categories/create of the component Expense Categories Page. Such manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. |
| CVE-2025-12244 | 1 Fabian | 1 Simple E-banking System | 2025-10-28 | 5.0 MEDIUM | 4.3 MEDIUM | A vulnerability was determined in code-projects Simple E-Banking System 1.0. This affects an unknown part of the file /eBank/register.php. Manipulation of the argument Username can lead to cross site scripting. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. |
| CVE-2025-12246 | 1 Chatwoot | 1 Chatwoot | 2025-10-28 | 5.0 MEDIUM | 4.3 MEDIUM | A security flaw has been discovered in chatwoot up to 4.7.0. This issue affects some unknown processing of the file app/javascript/shared/components/IframeLoader.vue of the component Admin Interface. The manipulation of the argument Link results in cross site scripting. The attack can be executed remotely. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-10372 | 1 Portabilis | 1 I-educar | 2025-10-28 | 4.0 MEDIUM | 3.5 LOW | A weakness has been identified in Portabilis i-Educar up to 2.10. Impacted is an unknown function of the file /intranet/educar_modulo_cad.php. Manipulation of the argument nm_tipo/descricao causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. |
| CVE-2025-30950 | | | 2025-10-27 | N/A | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Wham All Currencies for WooCommerce woocommerce-all-currencies allows Stored XSS. This issue affects All Currencies for WooCommerce: from n/a through 2.4.3. |
| CVE-2025-60837 | 1 Mingsoft | 1 Mcms | 2025-10-27 | N/A | 6.1 MEDIUM | A reflected cross-site scripting (XSS) vulnerability in MCMS v6.0.1 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload. |
| CVE-2025-42956 | 1 Sap | 1 Sap Basis | 2025-10-27 | N/A | 6.1 MEDIUM | SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to create a malicious link which they can make publicly available. When an authenticated victim clicks on this malicious link, injected input data will be used by the web site page generation to create content which, when executed in the victim's browser, leads to low impact on Confidentiality and Integrity with no effect on Availability of the application. |
| CVE-2025-55757 | | | 2025-10-27 | N/A | 6.1 MEDIUM | An unauthenticated reflected XSS vulnerability in VirtueMart 1.0.0-4.4.10 for Joomla was discovered. |
| CVE-2025-28380 | 1 Openc3 | 1 Cosmos | 2025-10-27 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in OpenC3 COSMOS before v6.0.2 allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the URL parameter. |