Vulnerabilities (CVE)

Filtered by CWE-79
Total 44692 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-67787 1 Drivelock 1 Drivelock 2026-06-17 N/A 9.6 CRITICAL
An issue was discovered in 25.1.2 before 25.1.5. A Cross Site Scripting (XSS) issue in DriveLock Operations Center allows for session takeover over a network.
CVE-2025-67741 1 Jetbrains 1 Teamcity 2026-06-17 N/A 4.6 MEDIUM
In JetBrains TeamCity before 2025.11 stored XSS was possible via session attribute
CVE-2025-67734 1 Frappe 1 Learning 2026-06-17 N/A 5.4 MEDIUM
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allowed authenticated attackers to enter JavaScript through the Company Website field of the Job Form, exposing users to an XSS attack. The script could then be executed in the browsers of users who opened the malicious job posting. This issue is fixed in version 2.42.0.
CVE-2025-67730 1 Frappe 1 Learning 2026-06-17 N/A 5.4 MEDIUM
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allow authenticated users to add malicious HTML and JavaScript through description fields in the Job, Course and Batch forms. This issue is fixed in version 2.42.0.
CVE-2025-67724 1 Tornadoweb 1 Tornado 2026-06-17 N/A 5.4 MEDIUM
Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers (where it could be used for header injection) or in HTML in the default error page (where it could be used for XSS) and can be exploited by passing untrusted or malicious data into the reason argument. Used by both RequestHandler.set_status and tornado.web.HTTPError, the argument is designed to allow applications to pass custom "reason" phrases (the "Not Found" in HTTP/1.1 404 Not Found) to the HTTP status line (mainly for non-standard status codes). This issue is fixed in version 6.5.3.
CVE-2025-67723 1 Discourse 1 Discourse 2026-06-17 N/A 4.6 MEDIUM
Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have a content-security-policy-mitigated cross-site scriptinv vulnerability on the Discourse Math plugin when using its KaTeX variant. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, the Discourse Math plugin can be disabled, or the Mathjax provider can be used instead of KaTeX.
CVE-2025-67712 2026-06-17 N/A 4.7 MEDIUM
There is an HTML injection issue in Esri ArcGIS Web AppBuilder developer edition versions prior to 2.30 that allows a remote, unauthenticated attacker to potentially entice a user to click a link that causes arbitrary HTML to render in a victim's browser. There is no evidence of JavaScript execution, which limits the impact. At the time of submission, ArcGIS Web App Builder developer edition is retired and unsupported. ArcGIS Web App Builder 2.30 is not susceptible to this vulnerability.
CVE-2025-67711 3 Esri, Linux, Microsoft 3 Arcgis Server, Linux Kernel, Windows 2026-06-17 N/A 6.1 MEDIUM
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.
CVE-2025-67710 3 Esri, Linux, Microsoft 3 Arcgis Server, Linux Kernel, Windows 2026-06-17 N/A 6.1 MEDIUM
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.
CVE-2025-67709 3 Esri, Linux, Microsoft 3 Arcgis Server, Linux Kernel, Windows 2026-06-17 N/A 6.1 MEDIUM
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.
CVE-2025-67708 3 Esri, Linux, Microsoft 3 Arcgis Server, Linux Kernel, Windows 2026-06-17 N/A 6.1 MEDIUM
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.
CVE-2025-67705 3 Esri, Linux, Microsoft 3 Arcgis Server, Linux Kernel, Windows 2026-06-17 N/A 6.1 MEDIUM
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.
CVE-2025-67704 3 Esri, Linux, Microsoft 3 Arcgis Server, Linux Kernel, Windows 2026-06-17 N/A 6.1 MEDIUM
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.
CVE-2025-67703 3 Esri, Linux, Microsoft 3 Arcgis Server, Linux Kernel, Windows 2026-06-17 N/A 6.1 MEDIUM
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.
CVE-2025-67683 1 Opensolution 1 Quick.cart 2026-06-17 N/A 6.1 MEDIUM
Quick.Cart is vulnerable to reflected XSS via the sSort parameter. An attacker can craft a malicious URL which, when opened, results in arbitrary JavaScript execution in the victim’s browser. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
CVE-2025-67648 1 Shopware 1 Shopware 2026-06-17 N/A 7.1 HIGH
Shopware is an open commerce platform. Versions 6.4.6.0 through 6.6.10.9 and 6.7.0.0 through 6.7.5.0 have a Reflected XSS vulnerability in AuthController.php. A request parameter from the login page URL is directly rendered within the Twig template of the Storefront login page without further processing or input validation. This allows direct code injection into the template via the URL parameter, waitTime, which lacks proper input validation. This issue is fixed in versions 6.6.10.10 and 6.7.5.1.
CVE-2025-67641 1 Jenkins 1 Coverage 2026-06-17 N/A 5.4 MEDIUM
Jenkins Coverage Plugin 2.3054.ve1ff7b_a_a_123b_ and earlier does not validate the configured coverage results ID when creating coverage results, only when submitting the job configuration through the UI, allowing attackers with Item/Configure permission to use a `javascript:` scheme URL as identifier by configuring the job through the REST API, resulting in a stored cross-site scripting (XSS) vulnerability.
CVE-2025-67634 1 Cisa 1 Software Acquisition Guide 2026-06-17 N/A 4.4 MEDIUM
The CISA Software Acquisition Guide Supplier Response Web Tool before 2025-12-11 was vulnerable to cross-site scripting via text fields. If an attacker could convince a user to import a specially-crafted JSON file, the Tool would load JavaScript from the file into the page. The JavaScript would execute in the context of the user's browser when the user submits the page (clicks 'Next').
CVE-2025-67633 2026-06-17 N/A 5.9 MEDIUM
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brownbagmarketing Greenhouse Job Board greenhouse-job-board allows DOM-Based XSS.This issue affects Greenhouse Job Board: from n/a through <= 2.7.3.
CVE-2025-67632 2026-06-17 N/A 5.9 MEDIUM
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The Plugin Factory Google AdSense for Responsive Design – GARD google-adsense-for-responsive-design-gard allows DOM-Based XSS.This issue affects Google AdSense for Responsive Design – GARD: from n/a through <= 2.23.