Total
39592 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-39923 | 1 Mahara | 1 Mahara | 2025-09-05 | N/A | 6.1 MEDIUM |
| An issue was discovered in Mahara 24.04 before 24.04.2 and 23.04 before 23.04.7. The About, Contact, and Help footer links can be set up to be vulnerable to Cross Site Scripting (XSS) due to not sanitising the values. These links can only be set up by an admin but are clickable by any logged-in person. | |||||
| CVE-2024-45753 | 1 Mahara | 1 Mahara | 2025-09-05 | N/A | 6.1 MEDIUM |
| In Mahara 23.04.8 and 24.04.4, the external RSS feed block can cause XSS if the external feed XML has a malicious value for the link attribute. | |||||
| CVE-2024-35203 | 1 Mahara | 1 Mahara | 2025-09-05 | N/A | 6.1 MEDIUM |
| Mahara before 22.10.6, 23.04.6, and 24.04.1 allows cross-site scripting (XSS) via a file, with JavaScript code as part of its name, that is uploaded via the Mahara filebrowser system. | |||||
| CVE-2024-13308 | 1 Browser Back Button Project | 1 Browser Back Button | 2025-09-05 | N/A | 3.8 LOW |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Browser Back Button allows Cross-Site Scripting (XSS).This issue affects Browser Back Button: from 1.0.0 before 2.0.2. | |||||
| CVE-2024-54138 | 1 Microsoft | 1 Nugetgallery | 2025-09-05 | N/A | 6.1 MEDIUM |
| NuGet Gallery is a package repository that powers nuget.org. The NuGetGallery has a security vulnerability related to its handling of autolinks in Markdown content. While the platform properly filters out JavaScript from standard links, it does not adequately sanitize autolinks. This oversight allows attackers to exploit autolinks as a vector for Cross-Site Scripting (XSS) attacks. This vulnerability is fixed in 2024.12.06. | |||||
| CVE-2025-55107 | 1 Esri | 1 Portal For Arcgis | 2025-09-05 | N/A | 4.8 MEDIUM |
| There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal. | |||||
| CVE-2025-55106 | 1 Esri | 1 Portal For Arcgis | 2025-09-05 | N/A | 4.8 MEDIUM |
| There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal. | |||||
| CVE-2025-55105 | 1 Esri | 1 Portal For Arcgis | 2025-09-05 | N/A | 4.8 MEDIUM |
| There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal. | |||||
| CVE-2025-55104 | 1 Esri | 1 Portal For Arcgis | 2025-09-05 | N/A | 4.8 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists ArcGIS HUB and ArcGIS Enterprise Sites which allows an authenticated user with the ability to create or edit a site to add and store an XSS payload. If this stored XSS payload is triggered by any user attacker supplied JavaScript may execute in the victim's browser. | |||||
| CVE-2025-55103 | 1 Esri | 1 Portal For Arcgis | 2025-09-05 | N/A | 4.8 MEDIUM |
| There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal. | |||||
| CVE-2025-3246 | 1 Github | 1 Enterprise Server | 2025-09-05 | N/A | 7.6 HIGH |
| An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed cross-site scripting in GitHub Markdown that used `$$..$$` math blocks. Exploitation required access to the target GitHub Enterprise Server instance and privileged user interaction with the malicious elements. This vulnerability affected version 3.16.1 of GitHub Enterprise Server and was fixed in version 3.16.2. This vulnerability was reported via the GitHub Bug Bounty program. | |||||
| CVE-2024-56112 | 1 Cyberpanel | 1 Cyberpanel | 2025-09-05 | N/A | 6.1 MEDIUM |
| CyberPanel (aka Cyber Panel) before f0cf648 allows XSS via token or username to plogical/phpmyadminsignin.php. | |||||
| CVE-2024-51112 | 1 Pnetlab | 1 Pnetlab | 2025-09-05 | N/A | 6.1 MEDIUM |
| Open Redirect vulnerability in Pnetlab 5.3.11 allows an attacker to manipulate URLs to redirect users to arbitrary external websites via a crafted script | |||||
| CVE-2024-51111 | 1 Pnetlab | 1 Pnetlab | 2025-09-05 | N/A | 4.1 MEDIUM |
| Cross-Site Scripting (XSS) vulnerability in Pnetlab 5.3.11 allows an attacker to inject malicious scripts into a web page, which are executed in the context of the victim's browser. | |||||
| CVE-2024-55074 | 1 Grocy Project | 1 Grocy | 2025-09-05 | N/A | 8.8 HIGH |
| The edit profile function of Grocy through 4.3.0 allows stored XSS and resultant privilege escalation by uploading a crafted HTML or SVG file, a different issue than CVE-2024-8370. | |||||
| CVE-2024-52520 | 1 Nextcloud | 1 Nextcloud Server | 2025-09-05 | N/A | 5.7 MEDIUM |
| Nextcloud Server is a self hosted personal cloud system. Due to a pre-flighted HEAD request, the link reference provider could be tricked into downloading bigger websites than intended, to find open-graph data. It is recommended that the Nextcloud Server is upgraded to 28.0.10 or 29.0.7 and Nextcloud Enterprise Server is upgraded to 27.1.11.8, 28.0.10 or 29.0.7. | |||||
| CVE-2024-37161 | 1 Metersphere | 1 Metersphere | 2025-09-04 | N/A | 4.0 MEDIUM |
| MeterSphere is an open source continuous testing platform. Prior to version 1.10.1-lts, the system's step editor stores cross-site scripting vulnerabilities. Version 1.10.1-lts fixes this issue. | |||||
| CVE-2024-37304 | 1 Microsoft | 1 Nugetgallery | 2025-09-04 | N/A | 6.1 MEDIUM |
| NuGet Gallery is a package repository that powers nuget.org. The NuGetGallery has a security vulnerability related to its handling of autolinks in Markdown content. While the platform properly filters out JavaScript from standard links, it does not adequately sanitize autolinks. This oversight allows attackers to exploit autolinks as a vector for Cross-Site Scripting (XSS) attacks. When a user inputs a Markdown autolink such as `<javascript:alert(1)>`, the link is rendered without proper sanitization. This means that the JavaScript code within the autolink can be executed by the browser, leading to an XSS attack. Version 2024.05.28 contains a patch for this issue. | |||||
| CVE-2025-9754 | 1 Campcodes | 1 Online Hospital Management System | 2025-09-04 | 4.0 MEDIUM | 3.5 LOW |
| A flaw has been found in Campcodes Online Hospital Management System 1.0. The impacted element is an unknown function of the file /edit-profile.php of the component Edit Profile Page. Executing manipulation of the argument Username can lead to cross site scripting. The attack may be launched remotely. The exploit has been published and may be used. | |||||
| CVE-2025-9753 | 1 Campcodes | 1 Online Hospital Management System | 2025-09-04 | 3.3 LOW | 2.4 LOW |
| A vulnerability was detected in Campcodes Online Hospital Management System 1.0. The affected element is an unknown function of the file /admin/patient-search.php of the component Patient Search Module. Performing manipulation of the argument Search by Name Mobile No results in cross site scripting. The attack may be initiated remotely. The exploit is now public and may be used. | |||||