Vulnerabilities (CVE)

Filtered by CWE-79
Total 44676 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3
CVE-2025-65790 | Vendors: 1 (Realtimelogic) | Products: 1 (Fuguhub) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 6.1 MEDIUM
A reflected cross-site scripting (XSS) vulnerability exists in FuguHub 8.1 when serving SVG files through the /fs/ file manager interface. FuguHub does not sanitize or restrict script execution inside SVG content. When a victim opens a crafted SVG containing an inline <script> element, the browser executes the attacker-controlled JavaScript.
CVE-2025-65778 | Vendors: 1 (Wekan Project) | Products: 1 (Wekan) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 8.1 HIGH
An issue was discovered in Wekan, the open-source kanban board system, up to version 18.15 and fixed in 18.16. Uploaded attachments can be served with an attacker-controlled Content-Type (text/html), allowing execution of attacker-supplied HTML/JS in the application's origin and enabling session/token theft and CSRF actions.
CVE-2025-65754 | Vendors: 1 (Algernon Project) | Products: 1 (Algernon) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 6.1 MEDIUM
Cross Site Scripting vulnerability in Algernon v1.17.4 allows attackers to execute arbitrary code via injecting a crafted payload into a filename.
CVE-2025-65734 | Vendors: 1 (Openeclass) | Products: 1 (Openeclass) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 5.4 MEDIUM
An authenticated arbitrary file upload vulnerability in the Courses/Work Assignments module of gunet Open eClass v3.11 (fixed in v3.13) allows attackers to execute arbitrary code via uploading a crafted SVG file.
CVE-2025-65717 | Vendors: 1 (Ritwickdey) | Products: 1 (Live Server) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 4.3 MEDIUM
An issue in Visual Studio Code Extensions Live Server v5.7.9 allows attackers to exfiltrate files via user interaction with a crafted HTML page.
CVE-2025-65676 | Vendors: 1 (Classroomio) | Products: 1 (Classroomio) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 5.4 MEDIUM
Stored cross-site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG cover images.
CVE-2025-65675 | Vendors: 1 (Classroomio) | Products: 1 (Classroomio) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 5.4 MEDIUM
Stored cross-site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG profile pictures.
CVE-2025-65640 | Vendors: (none listed) | Products: (none listed) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 6.3 MEDIUM
A cross-site scripting (XSS) vulnerability exists in the "Task in Progress / Recent" page of Arket Globe Document Intelligence 5.0.0.559 due to improper sanitization of user input in text fields when creating a new document. Specifically, when an authenticated attacker submits data containing JavaScript code within these fields, the application fails to properly sanitize or escape the content. As a result, the injected script is executed when the page is rendered, allowing the attacker to execute arbitrary JavaScript in the browsers of other users who view the affected page.
CVE-2025-65622 | Vendors: 1 (Snipeitapp) | Products: 1 (Snipe-it) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 5.4 MEDIUM
Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user to inject JavaScript that executes in another user's session.
CVE-2025-65621 | Vendors: 1 (Snipeitapp) | Products: 1 (Snipe-it) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 5.4 MEDIUM
Snipe-IT before 8.3.4 allows stored XSS, allowing a low-privileged authenticated user to inject JavaScript that executes in an administrator's session, enabling privilege escalation.
CVE-2025-65592 | Vendors: 1 (Nopcommerce) | Products: 1 (Nopcommerce) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 6.1 MEDIUM
nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) in the product management functionality. Malicious payloads inserted into the "Product Name" and "Short Description" fields are stored in the backend database and executed automatically whenever a user views the affected pages.
CVE-2025-65591 | Vendors: 1 (Nopcommerce) | Products: 1 (Nopcommerce) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 5.4 MEDIUM
nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Currencies functionality.
CVE-2025-65590 | Vendors: 1 (Nopcommerce) | Products: 1 (Nopcommerce) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 5.4 MEDIUM
nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Blog posts functionality in the Content Management area.
CVE-2025-65589 | Vendors: 1 (Nopcommerce) | Products: 1 (Nopcommerce) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 6.1 MEDIUM
nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Attributes functionality.
CVE-2025-65572 | Vendors: 1 (Allskyteam) | Products: 1 (Allsky) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in AllskyTeam AllSky v2024.12.06_06 allows remote attackers to execute arbitrary code via the (1) config, (2) filename, or (3) extratext parameter to allskySettings.php. When the page is reloaded or when a user visits allskySettings.php, the showMessages() function in status_messages.php prints out the error messages and executes the script injected by the attacker.
CVE-2025-65540 | Vendors: 1 (Exrick) | Products: 1 (Xmall) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 6.1 MEDIUM
Multiple Cross-Site Scripting (XSS) vulnerabilities exist in xmall v1.1 due to improper handling of user-supplied data. User input fields such as username and description are directly rendered into HTML without proper sanitization or encoding, allowing attackers to inject and execute malicious scripts.
CVE-2025-65516 | Vendors: 1 (Seafile) | Products: 1 (Seafile Server) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 6.1 MEDIUM
A stored cross-site scripting (XSS) vulnerability was discovered in Seafile Community Edition prior to version 13.0.12. When Seafile is configured with the Golang file server, an attacker can upload a crafted SVG file containing malicious JavaScript and share it using a public link. Opening the link triggers script execution in the victim's browser. This issue has been fixed in Seafile Community Edition 13.0.12.
CVE-2025-65465 | Vendors: (none listed) | Products: (none listed) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 6.1 MEDIUM
A reflected Cross-Site Scripting (XSS) vulnerability in the RaiseError function of Skrol29 TbsZip version 2.17 and earlier allows remote attackers to execute arbitrary web script or HTML via a crafted payload in a filename parameter (e.g., to the FileRead function). This occurs because the error message is not properly sanitized before being output to the user. This vulnerability is fixed in version 2.18.
CVE-2025-65442 | Vendors: 1 (Xxyopen) | Products: 1 (Novel) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 6.1 MEDIUM
DOM-based Cross-Site Scripting (XSS) vulnerability in 201206030 novel V3.5.0 allows remote attackers to execute arbitrary JavaScript code or disclose sensitive information (e.g., user session cookies) via a crafted "wvstest" parameter in the URL or malicious script injection into window.localStorage. The vulnerability arises from insufficient validation and encoding of user-controllable data in the book comment module: unfiltered user input is stored in the backend database (book_comment table, commentContent field) and returned via API, then rendered directly into the page DOM via Vue 3's v-html directive without sanitization. Even if modern browsers' built-in XSS filters block pop-up alerts, attackers can use concealed payloads to bypass interception and achieve actual harm.
CVE-2025-65417 | Vendors: (none listed) | Products: (none listed) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 6.1 MEDIUM
docuFORM Managed Print Service Client 11.11c is vulnerable to a reflected cross-site scripting attack via the login page of the application.