Total: 44681 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-67078 | 1 Agora-project | 1 Agora-project | 2026-06-17 | N/A | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Omnispace Agora Project before 25.10 allows attackers to execute arbitrary code via the notify parameter of the file controller used to display errors. | |||||
| CVE-2025-67025 | 1 Anycomment | 1 Anycomment.io | 2026-06-17 | N/A | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Anycomment anycomment.io 0.4.4 allows a remote attacker to execute arbitrary code via the Anycomment comment section. | |||||
| CVE-2025-66939 | 1 Altumcode | 1 66biolinks | 2026-06-17 | N/A | 5.4 MEDIUM |
| Cross-site scripting vulnerability in 66biolinks by AltumCode v.61.0.1 allows an attacker to execute arbitrary code via a crafted favicon file. | |||||
| CVE-2025-66924 | 1 Opensourcepos | 1 Open Source Point Of Sale | 2026-06-17 | N/A | 6.1 MEDIUM |
| A Cross-site scripting (XSS) vulnerability in Create/Update Item Kit(s) in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the "name" parameter. | |||||
| CVE-2025-66923 | 1 Opensourcepos | 1 Open Source Point Of Sale | 2026-06-17 | N/A | 7.2 HIGH |
| A Cross-site scripting (XSS) vulnerability in Create/Update Customer(s) in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the phone_number parameter. | |||||
| CVE-2025-66921 | 1 Opensourcepos | 1 Open Source Point Of Sale | 2026-06-17 | N/A | 7.2 HIGH |
| A Cross-site scripting (XSS) vulnerability in Create/Update Item(s) Module in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the "name" parameter. | |||||
| CVE-2025-66918 | 1 Hashenudara | 1 Edoc-doctor-appointment-system | 2026-06-17 | N/A | 8.8 HIGH |
| edoc-doctor-appointment-system v1.0.1 is vulnerable to Cross Site Scripting (XSS) in admin/add-session.php via the "title" parameter. | |||||
| CVE-2025-66880 | | | 2026-06-17 | N/A | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Wethink Technology Inc 720yun pano-sdk 0.5.877 allows a remote attacker to execute arbitrary code via the LoginComp (Module 2093) and SignupComp (Module 2094) modules. | |||||
| CVE-2025-66845 | 1 Nooncarlett | 1 Techstore | 2026-06-17 | N/A | 6.1 MEDIUM |
| A reflected Cross-Site Scripting (XSS) vulnerability has been identified in TechStore version 1.0. The user_name endpoint reflects the id query parameter directly into the HTML response without output encoding or sanitization, allowing execution of arbitrary JavaScript code in a victim’s browser. | |||||
| CVE-2025-66843 | 1 Getgrav | 1 Grav | 2026-06-17 | N/A | 5.4 MEDIUM |
| Grav before v1.7.49.5 has a Stored Cross-Site Scripting (Stored XSS) vulnerability in the page editing functionality. An authenticated low-privileged user with permission to edit content can inject malicious JavaScript payloads into editable fields. The payload is stored on the server and later executed when any other user views or edits the affected page. | |||||
| CVE-2025-66824 | 1 Trueconf | 1 Server | 2026-06-17 | N/A | 8.7 HIGH |
| A Stored Cross-Site Scripting (XSS) vulnerability exists in the Meeting location field of the Create/Edit Conference functionality in TrueConf Server v5.5.2.10813. The injected payload is stored via the meeting_room parameter and executed when users visit the Conference Info page, allowing attackers to achieve full Account Takeover (ATO). This issue is caused by improper sanitization of user-supplied input in the meeting_room field. | |||||
| CVE-2025-66823 | 1 Trueconf | 1 Server | 2026-06-17 | N/A | 5.4 MEDIUM |
| An HTML injection vulnerability in TrueConf Server 5.5.2.10813 in the conference description field allows an attacker to inject arbitrary HTML in the Create/Edit Conference functionality. The payload is triggered when the victim opens the Conference Info page ([conference url]/info). | |||||
| CVE-2025-66686 | 1 Grabaperch | 1 Perch | 2026-06-17 | N/A | 6.1 MEDIUM |
| A stored Cross-Site Scripting (XSS) vulnerability exists in Perch CMS version 3.2. An authenticated attacker with administrative privileges can inject malicious JavaScript code into the “Help button url” setting within the admin panel. The injected payload is stored and executed when any authenticated user clicks the Help button, potentially leading to session hijacking, information disclosure, privilege escalation, and unauthorized administrative actions. | |||||
| CVE-2025-66648 | 1 Vega-functions Project | 1 Vega-functions | 2026-06-17 | N/A | 7.2 HIGH |
| vega-functions provides function implementations for the Vega expression language. Prior to version 6.1.1, for sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintentional javascript (XSS). This issue is fixed in vega-functions `6.1.1`. There is no workaround besides upgrading. Using `vega.expressionInterpreter` as described in CSP safe mode does not prevent this issue. | |||||
| CVE-2025-66580 | 1 Openagentplatform | 1 Dive | 2026-06-17 | N/A | 9.6 CRITICAL |
| Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. A critical Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 0.11.1 in the Mermaid diagram rendering component. The application allows the execution of arbitrary JavaScript via `javascript:`. An attacker can exploit this to inject a malicious Model Context Protocol (MCP) server configuration, leading to Remote Code Execution (RCE) on the victim's machine when the node is clicked. Version 0.11.1 fixes the issue. | |||||
| CVE-2025-66574 | 1 Compassplustechnologies | 1 Tranzaxis | 2026-06-17 | N/A | 5.4 MEDIUM |
| TranzAxis 3.2.41.10.26 allows authenticated users to inject cross-site scripting via the `Open Object in Tree` endpoint, allowing attackers to steal session cookies and potentially escalate privileges. | |||||
| CVE-2025-66563 | 1 Monkeytype | 1 Monkeytype | 2026-06-17 | N/A | 6.1 MEDIUM |
| Monkeytype is a minimalistic and customizable typing test. In 25.49.0 and earlier, there is improper handling of user input which allows an attacker to execute malicious JavaScript on anyone viewing a malicious quote submission. quote.text and quote.source are user input, and they are inserted straight into the DOM. If they contain HTML tags, they will be rendered (after some escaping using quotes and textarea tags). | |||||
| CVE-2025-66562 | 1 Aiql | 1 Tuui | 2026-06-17 | N/A | 9.6 CRITICAL |
| TUUI is a desktop MCP client designed as a tool unitary utility integration. Prior to 1.3.4, a critical Remote Code Execution (RCE) vulnerability exists in Tuui due to an unsafe Cross-Site Scripting (XSS) flaw in the Markdown rendering component. Tuui allows the execution of arbitrary JavaScript within ECharts code blocks. Combined with an exposed IPC interface that allows spawning processes, an attacker can execute arbitrary system commands on the victim's machine simply by having them view a malicious Markdown message. This vulnerability is fixed in 1.3.4. | |||||
| CVE-2025-66561 | 1 Syslifters | 1 Sysreptor | 2026-06-17 | N/A | 7.3 HIGH |
| SysReptor is a fully customizable pentest reporting platform. Prior to 2025.102, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated users to execute malicious JavaScript in the context of other logged-in users by uploading malicious JavaScript files in the web UI. This vulnerability is fixed in 2025.102. | |||||
| CVE-2025-66554 | 1 Nextcloud | 1 Contacts | 2026-06-17 | N/A | 3.5 LOW |
| The Contacts app for Nextcloud syncs contacts from various devices with your Nextcloud and allows editing. Prior to 5.5.4, 6.0.6, and 7.2.5, a malicious user was able to modify their organisation and title fields to load additional CSS files. JavaScript and other options were correctly blocked by the content security policy of the Nextcloud Server code. This vulnerability is fixed in 5.5.4, 6.0.6, and 7.2.5. | |||||
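Most rows in this table are one of two sinks: user input concatenated into HTML text (TechStore, Monkeytype, Open Source Point of Sale, Grav) or a user-controlled URL reaching a link or click handler (the Mermaid `javascript:` nodes in Dive). The block below is an added example written for this page, not code from any project listed above. It models both sinks as string rendering so it runs under Node without a browser; every function name, the `quote` object shape and the payloads are made up for illustration, and the Monkeytype-style field names are only borrowed from the row's description.

```javascript
// Added example, not code from any project in the table above.
// Two XSS sinks modelled as plain string rendering so this runs under
// Node without a DOM. All names and payloads here are constructed.

// Encode the five characters that matter in HTML text and in
// double-quoted attribute values. Apply at render time on the raw
// value; never store "pre-escaped" data.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// URL-context sink: an href or click target taken from user input.
// escapeHtml alone does not help, because "javascript:alert(1)"
// contains none of the five characters. The scheme must be allowlisted,
// and the check must run on the raw value before escaping, mirroring
// how browsers parse it: strip leading control characters and spaces,
// drop every ASCII tab/newline, compare the scheme case-insensitively.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

function safeHref(url) {
  const cleaned = String(url)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+/, '');
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*:)/.exec(cleaned);
  if (m === null) {
    // No scheme at all: a relative URL that stays on the current origin.
    return cleaned;
  }
  return ALLOWED_SCHEMES.has(m[1].toLowerCase()) ? cleaned : '#';
}

// Text-context sink, as in the Monkeytype row: a user-submitted quote
// dropped straight into markup. renderQuoteUnsafe is the bug pattern;
// renderQuoteSafe applies the right encoder for each context.
function renderQuoteUnsafe(quote) {
  return `<blockquote>${quote.text}</blockquote>` +
    `<cite><a href="${quote.sourceUrl}">${quote.source}</a></cite>`;
}

function renderQuoteSafe(quote) {
  return `<blockquote>${escapeHtml(quote.text)}</blockquote>` +
    `<cite><a href="${escapeHtml(safeHref(quote.sourceUrl))}">` +
    `${escapeHtml(quote.source)}</a></cite>`;
}

// Constructed payloads (not taken from any advisory): a tag injection
// for the text sink and a javascript: URL for the attribute sink.
const maliciousQuote = {
  text: '<img src=x onerror="alert(document.cookie)">',
  source: 'Anonymous',
  sourceUrl: 'javascript:alert(1)',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderQuoteUnsafe(maliciousQuote));
  console.log('safe:  ', renderQuoteSafe(maliciousQuote));
}
```

The point the pairing makes is that encoding is per context: `escapeHtml` fixes the text and quoted-attribute sinks but leaves a `javascript:` href intact, while `safeHref` neutralises the scheme but does nothing about `<img onerror>` in a text node. Both are needed, in that order (validate the raw URL, then escape it for insertion), and when the renderer is a desktop Electron app with an IPC bridge, as in the Dive and TUUI rows, the same browser-side bug is the first step to command execution rather than a cookie theft.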
