Total
44676 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-65368 | 1 Codewithcj | 1 Sparkyfitness | 2026-06-17 | N/A | 6.1 MEDIUM |
| SparkyFitness v0.15.8.2 is vulnerable to Cross Site Scripting (XSS) via user input and LLM output. | |||||
| CVE-2025-65349 | 1 Eachitaly | 2 Wireless Mini Router Wireless-n 300m, Wireless Mini Router Wireless-n 300m Firmware | 2026-06-17 | N/A | 5.4 MEDIUM |
| A Stored Cross-Site Scripting (XSS) vulnerability in Web management interface in Each Italy Wireless Mini Router WIRELESS-N 300M v28K.MiniRouter.20190211 allows attackers to execute arbitrary scripts via a crafted payload due to unsanitized repeater AP SSID value when is displayed in any page at /index.htm. | |||||
| CVE-2025-65300 | 1 Coohom | 1 Coohom | 2026-06-17 | N/A | 5.4 MEDIUM |
| A stored Cross-Site Scripting (XSS) vulnerability exists in the Coohom SaaS Platform feVersion=1760060603897 (2025-10-28) in the Account Settings module, where unsanitized user input in Address fields (City, State, Country/Region) is rendered back to the page. Attackers can inject arbitrary JavaScript code, which executes when the affected profile page is viewed. This can lead to session hijacking, cookie theft, or arbitrary script execution in the victim's browser. | |||||
| CVE-2025-65289 | 1 Mercurycom | 2 Mr816, Mr816 Firmware | 2026-06-17 | N/A | 6.1 MEDIUM |
| A stored Cross site scripting (XSS) vulnerability in the Mercury MR816v2 (081C3114 4.8.7 Build 110427 Rel 36550n) router allows a remote attacker on the LAN to inject JavaScript into the router's management UI by submitting a malicious hostname. The injected script is stored and later executed in the context of an administrator's browser (for example after DHCP release/renew triggers the interface to display the stored hostname). Because the management interface uses weak/basic authentication and does not properly protect or isolate session material, the XSS can be used to exfiltrate the admin session and perform administrative actions. | |||||
| CVE-2025-65270 | 1 Clincapture | 1 Captivate Electronic Data Capture | 2026-06-17 | N/A | 6.1 MEDIUM |
| Reflected cross-site scripting (XSS) vulnerability in ClinCapture EDC 3.0 and 2.2.3, allowing an unauthenticated remote attacker to execute JavaScript code in the context of the victim's browser. | |||||
| CVE-2025-65267 | 1 Frappe | 2 Erpnext, Frappe | 2026-06-17 | N/A | 9.0 CRITICAL |
| In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting (XSS). Successful exploitation may lead to account takeover, privilege escalation, or full compromise of the affected ERPNext instance. | |||||
| CVE-2025-65237 | 1 Opencode | 1 Ussd Gateway | 2026-06-17 | N/A | 6.1 MEDIUM |
| A reflected cross-site scripted (XSS) vulnerability in OpenCode Systems USSD Gateway OC Release: 5 allows attackers to execute arbitrary JavaScript in the context of a user's browser via injecting a crafted payload. | |||||
| CVE-2025-65233 | 1 Slims Project | 1 Slims | 2026-06-17 | N/A | 6.1 MEDIUM |
| Reflected cross-site scripting (XSS) in SLiMS (slims9_bulian) before 9.6.0 via improper handling of $_SERVER['PHP_SELF' ] in index.php/sysconfig.inc.php, which allows remote attackers to execute arbitrary JavaScript in a victim's browser by supplying a crafted URL path. | |||||
| CVE-2025-65231 | 1 Barix | 2 Instreamer, Instreamer Firmware | 2026-06-17 | N/A | 6.1 MEDIUM |
| Barix Instreamer v04.06 and earlier is vulnerable to Cross Site Scripting (XSS) in the Web UI I/O & Serial configuration page, specifically the CTS close command user-input field which is stored and later rendered on the Status page. | |||||
| CVE-2025-65230 | 1 Barix | 2 Instreamer, Instreamer Firmware | 2026-06-17 | N/A | 5.4 MEDIUM |
| Barix Instreamer v04.06 and v04.05 contains a stored cross-site scripting (XSS) vulnerability in the Web UI Configuration Streaming Destination input. | |||||
| CVE-2025-65229 | 1 Lyrion | 1 Lyrion Music Server | 2026-06-17 | N/A | 4.6 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists in the web interface of Lyrion Music Server <= 9.0.3. An authenticated user with access to Settings Player can save arbitrary HTML/JavaScript in the Player name field. That value is stored by the server and later rendered without proper output encoding on the Information (Player Info) tab, causing the script to execute in the context of any user viewing that page. | |||||
| CVE-2025-65228 | 1 Rvr | 2 Tlk302t, Tlk302t Firmware | 2026-06-17 | N/A | 3.5 LOW |
| A stored cross-site scripting vulnerability exists in the web management interface of the R.V.R. Elettronica TLK302T telemetry controller (firmware 1.5.1799). | |||||
| CVE-2025-65215 | 1 Senior-walter | 1 Web-based Pharmacy Product Management System | 2026-06-17 | N/A | 6.1 MEDIUM |
| Sourcecodester Web-based Pharmacy Product Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /product_expiry/add-supplier.php via the Supplier Name field. | |||||
| CVE-2025-65187 | 1 Civicrm | 1 Civicrm | 2026-06-17 | N/A | 6.1 MEDIUM |
| A Stored Cross Site Scripting vulnerability exists in CiviCRM before v6.7 in the Accounting Batches field. An authenticated user can inject malicious JavaScript into this field and it executes whenever the page is viewed. | |||||
| CVE-2025-65186 | 1 Getgrav | 1 Grav | 2026-06-17 | N/A | 6.1 MEDIUM |
| Grav CMS 1.7.49 is vulnerable to Cross Site Scripting (XSS). The page editor allows authenticated users to edit page content via a Markdown editor. The editor fails to properly sanitize <script> tags, allowing stored XSS payloads to execute when pages are viewed in the admin interface. | |||||
| CVE-2025-65136 | 2026-06-17 | N/A | 6.1 MEDIUM | ||
| In manikandan580 School-management-system 1.0, a reflected XSS vulnerability exists in /studentms/admin/contact-us.php via the pagedes POST parameter. | |||||
| CVE-2025-65134 | 2026-06-17 | N/A | 6.1 MEDIUM | ||
| In manikandan580 School-management-system 1.0, a reflected cross-site scripting (XSS) vulnerability exists in /studentms/admin/contact-us.php via the email POST parameter. | |||||
| CVE-2025-65132 | 2026-06-17 | N/A | 6.1 MEDIUM | ||
| alandsilva26 hotel-management-php 1.0 is vulnerable to Cross Site Scripting (XSS) in /public/admin/edit_room.php which allows an attacker to inject and execute arbitrary JavaScript via the room_id GET parameter. | |||||
| CVE-2025-65120 | 1 Groupsession | 1 Groupsession | 2026-06-17 | N/A | 6.1 MEDIUM |
| Reflected cross-site scripting vulnerability exists in GroupSession Free edition prior to ver5.7.1, GroupSession byCloud prior to ver5.7.1, and GroupSession ZION prior to ver5.7.1. If a user accesses a crafted page or URL, an arbitrary script may be executed on the web browser of the user. | |||||
| CVE-2025-65110 | 1 Vega Project | 1 Vega | 2026-06-17 | N/A | 8.1 HIGH |
| Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to versions 6.1.2 and 5.6.3, applications meeting two conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. First, they use `vega` in an application that attaches both `vega` library and a `vega.View` instance similar to the Vega Editor to the global `window`, or has any other satisfactory function gadgets in the global scope. Second, they allow user-defined Vega `JSON` definitions (vs JSON that was is only provided through source code). This vulnerability allows for DOM XSS, potentially stored, potentially reflected, depending on how the library is being used. The vulnerability requires user interaction with the page to trigger. An attacker can exploit this issue by tricking a user into opening a malicious Vega specification. Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the application’s domain. This can lead to theft of sensitive information such as authentication tokens, manipulation of data displayed to the user, or execution of unauthorized actions on behalf of the victim. This exploit compromises confidentiality and integrity of impacted applications.Patched versions are available in `vega-selections@6.1.2` (requires ESM) for Vega v6 and `vega-selections@5.6.3` (no ESM needed) for Vega v5. As a workaround, do not attach `vega` or `vega.View` instances to global variables or the window as the editor used to do. This is a development-only debugging practice that should not be used in any situation where Vega/Vega-lite definitions can come from untrusted parties. | |||||