Total
485 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-27099 | 1 Enalean | 1 Tuleap | 2025-07-10 | N/A | 4.8 MEDIUM |
|
Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap allows cross-site scripting (XSS) via the tracker names used in the semantic timeframe deletion message. A tracker administrator with a semantic timeframe used by other trackers could use this vulnerability to force other tracker administrators to execute uncontrolled code. This vulnerability is fixed in Tuleap Community Edition 16.4.99.1740067916 and Tuleap Enterprise Edition 16.4-5 and 16.3- ...
|
|||||
| CVE-2025-52902 | 1 Filebrowser | 1 Filebrowser | 2025-07-10 | N/A | 7.6 HIGH |
|
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. The Markdown preview function of File Browser prior to v2.33.7 is vulnerable to Stored Cross-Site-Scripting (XSS). Any JavaScript code that is part of a Markdown file uploaded by a user will be executed by the browser. Version 2.33.7 contains a fix for the issue.
|
|||||
| CVE-2025-4367 | 1 W3eden | 1 Download Manager | 2025-07-09 | N/A | 6.4 MEDIUM |
|
The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpdm_user_dashboard shortcode in all versions up to, and including, 3.3.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-27358 | | | 2025-07-08 | N/A | 4.6 MEDIUM |
|
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in N-Media Frontend File Manager allows Code Injection. This issue affects Frontend File Manager: from n/a through 23.2.
|
|||||
| CVE-2025-31326 | | | 2025-07-08 | N/A | 4.1 MEDIUM |
|
SAP BusinessObjects Business Intelligence Platform (Web Intelligence) is vulnerable to HTML Injection, allowing an attacker with basic user privileges to inject malicious code into specific input fields. This could lead to unintended redirects or manipulation of application behavior, such as redirecting users to attacker-controlled domains. This issue primarily affects the integrity of the system. However, the confidentiality and availability of the system remain unaffected.
|
|||||
| CVE-2025-53093 | | | 2025-06-30 | N/A | 8.6 HIGH |
|
TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Starting in version 3.0.0 and prior to version 3.1.1, any user can insert arbitrary HTML into the DOM by inserting a payload into any allowed attribute of the `<tabber>` tag. Version 3.1.1 contains a patch for the bug.
|
|||||
| CVE-2024-51472 | 1 Ibm | 2 Devops Deploy, Urbancode Deploy | 2025-06-20 | N/A | 3.1 LOW |
|
IBM UrbanCode Deploy (UCD) 7.2 through 7.2.3.13, 7.3 through 7.3.2.8, and IBM DevOps Deploy 8.0 through 8.0.1.3 are vulnerable to HTML injection. This vulnerability may allow a user to embed arbitrary HTML tags in the Web UI potentially leading to sensitive information disclosure.
|
|||||
| CVE-2024-20382 | 1 Cisco | 2 Adaptive Security Appliance Software, Firepower Threat Defense | 2025-06-06 | N/A | 6.1 MEDIUM |
|
A vulnerability in the VPN web client services feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a browser that is accessing an affected device. This vulnerability is due to improper validation of user-supplied input to application endpoints. An attacker could exploit this vulnerability by persuading a user to follow a link designed to ...
|
|||||
| CVE-2025-5686 | | | 2025-06-06 | N/A | 6.4 MEDIUM |
|
The Paged Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gallery' shortcode in all versions up to, and including, 0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-51475 | 1 Ibm | 1 Content Navigator | 2025-06-04 | N/A | 5.4 MEDIUM |
|
IBM Content Navigator 3.0.11, 3.0.15, and 3.1.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.
|
|||||
| CVE-2023-50933 | 1 Ibm | 1 Powersc | 2025-06-03 | N/A | 6.1 MEDIUM |
|
IBM PowerSC 1.3, 2.0, and 2.1 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 275113.
|
|||||
| CVE-2025-33138 | 2 Ibm, Linux | 2 Aspera Faspex, Linux Kernel | 2025-05-30 | N/A | 5.4 MEDIUM |
|
IBM Aspera Faspex 5.0.0 through 5.0.12 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.
|
|||||
| CVE-2023-46310 | 1 Gvectors | 1 Wpdiscuz | 2025-05-29 | N/A | 5.3 MEDIUM |
|
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in gVectors Team wpDiscuz allows Code Injection. This issue affects wpDiscuz: from n/a through 7.6.10.
|
|||||
| CVE-2025-23392 | | | 2025-05-28 | N/A | 5.2 MEDIUM |
|
An Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in spacewalk-java allows execution of arbitrary Javascript code on target systems. This issue affects Container suse/manager/5.0/x86_64/server:5.0.4.7.19.1: from ? before 5.0.24-150600.3.25.1; Container suse/manager/5.0/x86_64/server:5.0.4.7.19.1: from ? before 5.0.24-150600.3.25.1; Container suse/manager/5.0/x86_64/server:5.0.4.7.19.1: from ? before 5.0.24-150600.3.25.1; Container suse/manager/5.0/x86_6 ...
|
|||||
| CVE-2025-23393 | | | 2025-05-28 | N/A | 5.2 MEDIUM |
|
An Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in spacewalk-java allows execution of arbitrary Javascript code on users' machines. This issue affects Container suse/manager/5.0/x86_64/server:5.0.4.7.19.1: from ? before 5.0.24-150600.3.25.1; SUSE Manager Server Module 4.3: from ? before 4.3.85-150400.3.105.3.
|
|||||
| CVE-2024-41693 | 1 Priority-software | 1 Mashov | 2025-05-19 | N/A | 6.1 MEDIUM |
|
Mashov - CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
|
|||||
| CVE-2025-4126 | | | 2025-05-16 | N/A | 6.4 MEDIUM |
|
The EG-Series plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [series] shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes in the shortcode_title function. This makes it possible for authenticated attackers - with contributor-level access and above, on sites with the Classic Editor plugin activated - to inject arbitrary JavaScript code in the titletag attribute that will ex ...
|
|||||
| CVE-2025-30161 | 1 Open-emr | 1 Openemr | 2025-05-13 | N/A | 5.4 MEDIUM |
|
OpenEMR is a free and open source electronic health records and medical practice management application. A stored XSS vulnerability in the Bronchitis form component of OpenEMR allows anyone who is able to edit a bronchitis form to steal credentials from administrators. This vulnerability is fixed in 7.0.3.
|
|||||
| CVE-2025-4168 | | | 2025-05-05 | N/A | 6.4 MEDIUM |
|
The Subpage List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'subpages' shortcode in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-3521 | | | 2025-05-02 | N/A | 6.4 MEDIUM |
|
The Team Members – Best WordPress Team Plugin with Team Slider, Team Showcase & Team Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Social Link icons in all versions up to, and including, 3.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-28417 | 1 Webedition | 1 Webedition Cms | 2025-04-30 | N/A | 6.3 MEDIUM |
|
Webedition CMS 9.2.2.0 has a Stored XSS vulnerability via /webEdition/we_cmd.php.
|
|||||
| CVE-2024-38469 | 1 Ibarn Project | 1 Ibarn | 2025-04-30 | N/A | 6.3 MEDIUM |
|
zhimengzhe iBarn v1.5 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the $search parameter at /pay.php.
|
|||||
| CVE-2025-30676 | 1 Apache | 1 Ofbiz | 2025-04-29 | N/A | 6.1 MEDIUM |
|
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 18.12.19.
Users are recommended to upgrade to version 18.12.19, which fixes the issue.
|
|||||
| CVE-2022-46350 | 1 Siemens | 10 6gk5204-0ba00-2kb2, 6gk5204-0ba00-2kb2 Firmware, 6gk5204-0ba00-2mb2 and 7 more | 2025-04-22 | N/A | 6.1 MEDIUM |
|
A vulnerability has been identified in SCALANCE X204RNA (HSR) (All versions < V3.2.7), SCALANCE X204RNA (PRP) (All versions < V3.2.7), SCALANCE X204RNA EEC (HSR) (All versions < V3.2.7), SCALANCE X204RNA EEC (PRP) (All versions < V3.2.7), SCALANCE X204RNA EEC (PRP/HSR) (All versions < V3.2.7). The integrated web server could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into accessing a malicious link. This can be used by an attacker to trigger a malicious request on ...
|
|||||
| CVE-2024-42195 | 1 Hcltechsw | 2 Hcl Devops Deploy, Hcl Launch | 2025-04-21 | N/A | 3.1 LOW |
|
HCL DevOps Deploy / HCL Launch is vulnerable to HTML injection. This vulnerability may allow a user to embed arbitrary HTML tags in the Web UI potentially leading to sensitive information disclosure.
|
|||||
| CVE-2025-39524 | | | 2025-04-16 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in bPlugins Html5 Audio Player allows Stored XSS. This issue affects Html5 Audio Player: from n/a through 2.2.28.
|
|||||
| CVE-2024-33423 | 1 Cmsimple | 1 Cmsimple | 2025-04-14 | N/A | 7.4 HIGH |
|
Cross-Site Scripting (XSS) vulnerability in the Settings menu of CMSimple v5.15 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Logout parameter under the Language section.
|
|||||
| CVE-2025-32230 | | | 2025-04-11 | N/A | 4.3 MEDIUM |
|
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Themeum Tutor LMS. This issue affects Tutor LMS: from n/a through 3.4.0.
|
|||||
| CVE-2023-29508 | 1 Xwiki | 1 Xwiki | 2025-04-11 | N/A | 8.9 HIGH |
|
XWiki Commons are technical libraries common to several other top level XWiki projects. A user without script rights can introduce a stored XSS by using the Live Data macro, if the last author of the content of the page has script rights. This has been patched in XWiki 14.10, 14.4.7, and 13.10.11.
|
|||||
| CVE-2024-32746 | 1 Wondercms | 1 Wondercms | 2025-04-11 | N/A | 4.6 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in the Settings section of WonderCMS v3.4.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the MENU parameter under the Menu module.
|
|||||
| CVE-2025-0272 | 1 Hcltechsw | 2 Hcl Devops Deploy, Hcl Launch | 2025-04-10 | N/A | 5.4 MEDIUM |
|
HCL DevOps Deploy / HCL Launch is vulnerable to HTML injection. This vulnerability may allow a user to embed arbitrary HTML tags in the Web UI potentially leading to sensitive information disclosure.
|
|||||
| CVE-2025-1807 | | | 2025-04-09 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability, which was classified as problematic, was found in Eastnets PaymentSafe 2.5.26.0. This affects an unknown part of the file /directRouter.rfc of the component Edit Manual Reply Handler. The manipulation of the argument Title leads to basic cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.5.27.0 is able to address this issue.
|
|||||
| CVE-2025-31384 | | | 2025-04-07 | N/A | 7.1 HIGH |
|
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Aviplugins Videos allows Reflected XSS. This issue affects Videos: from n/a through 1.0.5.
|
|||||
| CVE-2025-25363 | 1 Thepluginpeople | 1 Enterprise Mail Handler | 2025-04-03 | N/A | 6.5 MEDIUM |
|
An authenticated stored cross-site scripting (XSS) vulnerability in The Plugin People Enterprise Mail Handler for Jira Data Center (JEMH) before v4.1.69-dc allows attackers with Administrator privileges to execute arbitrary Javascript in context of a user's browser via injecting a crafted payload into the HTML field of a template.
|
|||||
| CVE-2006-0149 | 1 Simpbook | 1 Simpbook | 2025-04-03 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Cross-site scripting (XSS) vulnerability in SimpBook 1.0, with html_enable on (the default), allows remote attackers to inject arbitrary web script or HTML via the message field.
|
|||||
| CVE-2024-31062 | 1 Munyweki | 1 Insurance Management System | 2025-04-03 | N/A | 6.3 MEDIUM |
|
Cross Site Scripting vulnerability in Insurance Management System v.1.0.0 and before allows a remote attacker to execute arbitrary code via the Street input field.
|
|||||
| CVE-2024-25873 | 1 Enhavo | 1 Enhavo | 2025-04-02 | N/A | 5.4 MEDIUM |
|
Enhavo v0.13.1 was discovered to contain an HTML injection vulnerability in the Author text field under the Blockquote module. This vulnerability allows attackers to execute arbitrary code via a crafted payload.
|
|||||
| CVE-2025-29431 | 1 Code-projects | 1 Online Class And Exam Scheduling System | 2025-04-02 | N/A | 3.2 LOW |
|
Code-projects Online Class and Exam Scheduling System V1.0 is vulnerable to Cross Site Scripting (XSS) in /pages/department.php via the id, code, and name parameters.
|
|||||
| CVE-2025-29426 | 1 Code-projects | 1 Online Class And Exam Scheduling System | 2025-04-02 | N/A | 4.6 MEDIUM |
|
Code-projects Online Class and Exam Scheduling System V1.0 is vulnerable to Cross Site Scripting (XSS) in /pages/class.php via the id and cys parameters.
|
|||||
| CVE-2025-31575 | | | 2025-04-01 | N/A | 5.9 MEDIUM |
|
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Vasilis Triantafyllou Flag Icons allows Stored XSS. This issue affects Flag Icons: from n/a through 2.2.
|
|||||