Total: 39253 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-64194 | | | 2025-10-30 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress Eduma eduma allows Stored XSS. This issue affects Eduma: from n/a through <= 5.7.6. | |||||
| CVE-2025-64289 | | | 2025-10-30 | N/A | 5.9 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Premmerce Premmerce Product Search for WooCommerce premmerce-search allows Stored XSS. This issue affects Premmerce Product Search for WooCommerce: from n/a through <= 2.2.4. | |||||
| CVE-2025-12450 | | | 2025-10-30 | N/A | 6.1 MEDIUM |
| The LiteSpeed Cache plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URLs in all versions up to, and including, 7.5.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2025-64202 | | | 2025-10-30 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TieLabs Sahifa sahifa allows DOM-Based XSS. This issue affects Sahifa: from n/a through < 5.8.6. | |||||
| CVE-2025-64208 | | | 2025-10-30 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TieLabs Jannah - Extensions jannah-extensions allows DOM-Based XSS. This issue affects Jannah - Extensions: from n/a through <= 1.1.4. | |||||
| CVE-2025-64200 | | | 2025-10-30 | N/A | 5.9 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VillaTheme Email Template Customizer for WooCommerce email-template-customizer-for-woo allows Stored XSS. This issue affects Email Template Customizer for WooCommerce: from n/a through <= 1.2.17. | |||||
| CVE-2025-64220 | | | 2025-10-30 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ReyCommerce Rey Core rey-core allows Stored XSS. This issue affects Rey Core: from n/a through <= 3.1.8. | |||||
| CVE-2025-12475 | | | 2025-10-30 | N/A | 6.4 MEDIUM |
| The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'blocksy_newsletter_subscribe' shortcode in all versions up to, and including, 2.1.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-25009 | 1 Elastic | 1 Kibana | 2025-10-30 | N/A | 8.7 HIGH |
| Improper Neutralization of Input During Web Page Generation in Kibana can lead to Stored XSS via case file upload. | |||||
| CVE-2025-25017 | 1 Elastic | 1 Kibana | 2025-10-30 | N/A | 8.2 HIGH |
| Improper Neutralization of Input During Web Page Generation in Kibana can lead to Cross-Site Scripting (XSS) | |||||
| CVE-2025-25018 | 1 Elastic | 1 Kibana | 2025-10-30 | N/A | 8.7 HIGH |
| Improper Neutralization of Input During Web Page Generation in Kibana can lead to stored Cross-Site Scripting (XSS) | |||||
| CVE-2025-52620 | 1 Hcltech | 1 Bigfix Saas | 2025-10-29 | N/A | 4.3 MEDIUM |
| HCL BigFix SaaS Authentication Service is affected by a Cross-Site Scripting (XSS) vulnerability. The image upload functionality inadequately validated the submitted image format. | |||||
| CVE-2025-58747 | 1 Langgenius | 1 Dify | 2025-10-29 | N/A | 6.1 MEDIUM |
| Dify is an LLM application development platform. In Dify versions through 1.9.1, the MCP OAuth component is vulnerable to cross-site scripting when a victim connects to an attacker-controlled remote MCP server. The vulnerability exists in the OAuth flow implementation where the authorization_url provided by a remote MCP server is directly passed to window.open without validation or sanitization. An attacker can craft a malicious MCP server that returns a JavaScript URI (such as javascript:alert(1)) in the authorization_url field, which is then executed when the victim attempts to connect to the MCP server. This allows the attacker to execute arbitrary JavaScript in the context of the Dify application. | |||||
| CVE-2025-8681 | 1 Pega | 1 Pega Platform | 2025-10-29 | N/A | 5.5 MEDIUM |
| Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component. Requires a high privileged user with a developer role. | |||||
| CVE-2023-7143 | 1 Fabian | 1 Client Details System | 2025-10-29 | 3.3 LOW | 2.4 LOW |
| A vulnerability was found in code-projects Client Details System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /admin/regester.php. The manipulation of the argument fname/lname/email/contact leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-249146 is the identifier assigned to this vulnerability. | |||||
| CVE-2022-41299 | 1 Ibm | 1 Transformation Advisor | 2025-10-29 | N/A | 4.4 MEDIUM |
| IBM Cloud Transformation Advisor 2.0.1 through 3.3.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 237214. | |||||
| CVE-2025-60302 | 1 Fabian | 1 Client Details System | 2025-10-29 | N/A | 6.1 MEDIUM |
| code-projects Client Details System 1.0 is vulnerable to Cross Site Scripting (XSS). When adding customer information, the client details system fills in malicious JavaScript code in the username field. | |||||
| CVE-2024-30147 | 1 Hcltech | 1 Leap | 2025-10-29 | N/A | 6.5 MEDIUM |
| Multiple vectors in HCL Leap allow client-side script injection in the authoring environment and deployed applications. | |||||
| CVE-2024-30114 | 1 Hcltech | 1 Leap | 2025-10-29 | N/A | 3.7 LOW |
| Insufficient sanitization in HCL Leap allows client-side script injection in the authoring environment. | |||||
| CVE-2024-30113 | 1 Hcltech | 1 Leap | 2025-10-29 | N/A | 6.3 MEDIUM |
| Insufficient sanitization policy in HCL Leap allows client-side script injection in the deployed application through the HTML widget. | |||||
