Total
37625 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-51182 | 1 Celk | 1 Celk Saude | 2025-05-23 | N/A | 6.1 MEDIUM |
| HTML Injection vulnerability in Celk Sistemas Celk Saude v.3.1.252.1 allows a remote attacker to inject arbitrary HTML code via the "erro" parameter. | |||||
| CVE-2024-2020 | 1 Codepeople | 1 Calculated Fields Form | 2025-05-23 | N/A | 7.2 HIGH |
| The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form page href parameter in all versions up to, and including, 5.1.56 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the professional version or higher. | |||||
| CVE-2024-28662 | 1 Piwigo | 1 Piwigo | 2025-05-23 | N/A | 5.4 MEDIUM |
| A Cross Site Scripting vulnerability exists in Piwigo before 14.3.0 script because of missing sanitization in create_tag in admin/include/functions.php. | |||||
| CVE-2024-25934 | 1 Formfacade | 1 Formfacade | 2025-05-23 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FormFacade allows Stored XSS.This issue affects FormFacade: from n/a through 1.0.0. | |||||
| CVE-2025-0790 | 1 Esafenet | 1 Cdg | 2025-05-23 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability classified as problematic was found in ESAFENET CDG V5. This vulnerability affects unknown code of the file /doneDetail.jsp. The manipulation of the argument curpage leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-4461 | 1 Totolink | 2 N150rt, N150rt Firmware | 2025-05-23 | 3.3 LOW | 2.4 LOW |
| A vulnerability classified as problematic was found in TOTOLINK N150RT 3.4.0-B20190525. This vulnerability affects unknown code of the component Virtual Server Page. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-4460 | 1 Totolink | 2 N150rt, N150rt Firmware | 2025-05-23 | 3.3 LOW | 2.4 LOW |
| A vulnerability classified as problematic has been found in TOTOLINK N150RT 3.4.0-B20190525. This affects an unknown part of the component URL Filtering Page. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-13858 | 1 Buddyboss | 1 Buddyboss Platform | 2025-05-22 | N/A | 6.4 MEDIUM |
| The BuddyBoss Platform plugin and BuddyBoss Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘invitee_name’ parameter in all versions up to, and including, 2.8.50 and 2.8.41, respectively, due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in the BuddyBoss Platform plugin in version 2.8.41. | |||||
| CVE-2022-40358 | 1 Ajaxplorer | 1 Ajaxplorer | 2025-05-22 | N/A | 5.4 MEDIUM |
| An issue was discovered in AjaXplorer 4.2.3, allows attackers to cause cross site scripting vulnerabilities via a crafted svg file upload. | |||||
| CVE-2022-35721 | 3 Ibm, Linux, Microsoft | 4 Aix, Jazz For Service Management, Linux Kernel and 1 more | 2025-05-22 | N/A | 5.4 MEDIUM |
| IBM Jazz for Service Management 1.1.3 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 231380. | |||||
| CVE-2022-35251 | 1 Rocket.chat | 1 Rocket.chat | 2025-05-22 | N/A | 5.4 MEDIUM |
| A cross-site scripting vulnerability exists in Rocket.chat <v5 due to style injection in the complete chat window, an adversary is able to manipulate not only the style of it, but will also be able to block functionality as well as hijacking the content of targeted users. Hence the payloads are stored in messages, it is a persistent attack vector, which will trigger as soon as the message gets viewed. | |||||
| CVE-2022-30577 | 1 Tibco | 1 Ebx | 2025-05-22 | N/A | 8.0 HIGH |
| The Web Server component of TIBCO Software Inc.'s TIBCO EBX contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute Stored Cross Site Scripting (XSS) on the affected system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO EBX: versions 6.0.0 through 6.0.8. | |||||
| CVE-2022-2413 | 1 Simonpedge | 1 Slide Anything | 2025-05-22 | N/A | 5.4 MEDIUM |
| The Slide Anything WordPress plugin before 2.3.47 does not properly sanitize or escape the slide title before outputting it in the admin pages, allowing a logged in user with roles as low as Author to inject a javascript payload into the slide title even when the unfiltered_html capability is disabled. | |||||
| CVE-2021-36739 | 1 Apache | 1 Pluto | 2025-05-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| The "first name" and "last name" fields of the Apache Pluto 3.1.0 MVCBean JSP portlet maven archetype are vulnerable to Cross-Site Scripting (XSS) attacks. | |||||
| CVE-2021-25022 | 1 Updraftplus | 1 Updraftplus | 2025-05-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.16.66 does not sanitise and escape the backup_timestamp and job_id parameter before outputting then back in admin pages, leading to Reflected Cross-Site Scripting issues | |||||
| CVE-2021-24964 | 1 Litespeedtech | 1 Litespeed Cache | 2025-05-22 | 2.6 LOW | 6.1 MEDIUM |
| The LiteSpeed Cache WordPress plugin before 4.4.4 does not properly verify that requests are coming from QUIC.cloud servers, allowing attackers to make requests to certain endpoints by using a specific X-Forwarded-For header value. In addition, one of the endpoint could be used to set CSS code if a setting is enabled, which will then be output in some pages without being sanitised and escaped. Combining those two issues, an unauthenticated attacker could put Cross-Site Scripting payloads in pages visited by users. | |||||
| CVE-2024-12732 | 1 Cr1000 | 1 Affiliateimportereb | 2025-05-22 | N/A | 6.1 MEDIUM |
| The AffiliateImporterEb WordPress plugin through 1.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||
| CVE-2024-12733 | 1 Cr1000 | 1 Affiliateimportereb | 2025-05-22 | N/A | 6.1 MEDIUM |
| The AffiliateImporterEb WordPress plugin through 1.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||
| CVE-2024-12734 | 1 Niceit | 1 Advance Post Prefix | 2025-05-22 | N/A | 6.1 MEDIUM |
| The Advance Post Prefix WordPress plugin through 1.1.1, Advance Post Prefix WordPress plugin through 1.1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||
| CVE-2024-13127 | 1 Thimpress | 1 Learnpress | 2025-05-22 | N/A | 4.8 MEDIUM |
| The LearnPress WordPress plugin before 4.2.7.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||