Total: 44648 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-64046 | 1 Openrapid | 1 Rapidcms | 2026-06-17 | N/A | 6.1 MEDIUM |
| OpenRapid RapidCMS 1.3.1 is vulnerable to Cross Site Scripting (XSS) in /system/update-run.php. | |||||
| CVE-2025-64030 | 1 Chinasystems | 1 Eximbills Enterprise | 2026-06-17 | N/A | 5.4 MEDIUM |
| Eximbills Enterprise 4.1.5 (Built on 2020-10-30) is vulnerable to authenticated stored cross-site scripting (CWE-79) via the /EximBillWeb/servlets/WSTrxManager endpoint. Unsanitized user input in the TMPL_INFO parameter is stored server-side and rendered to other users, enabling arbitrary JavaScript execution in their browsers. | |||||
| CVE-2025-64027 | 1 Snipeitapp | 1 Snipe-it | 2026-06-17 | N/A | 6.1 MEDIUM |
| Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progress_message value that is rendered as raw HTML in the admin interface. An attacker can intercept and modify the POST /livewire/update request to inject arbitrary HTML or JavaScript into the progress_message. Because the server accepts the modified input without sanitization and reflects it back to the user, arbitrary JavaScript executes in the browser of any authenticated admin who views the import page. NOTE: this is disputed by the Supplier because the report only demonstrates that an authenticated user can choose to conduct a man-in-the-middle attack against himself. | |||||
| CVE-2025-63949 | 1 Yohanawi | 1 Hotel Management System | 2026-06-17 | N/A | 6.1 MEDIUM |
| A Reflected Cross-Site Scripting (XSS) vulnerability in yohanawi Hotel Management System (commit 87e004a) allows a remote attacker to execute arbitrary web script via the 'error' parameter in pages/room.php. | |||||
| CVE-2025-63947 | 1 Craigtaub | 1 Phpmsadmin | 2026-06-17 | N/A | 5.4 MEDIUM |
| A Reflected Cross-Site Scripting (XSS) vulnerability exists in phpMsAdmin version 2.2 in the database_mode.php file. An attacker can execute arbitrary web script or HTML via the dbname parameter after a user is authenticated. | |||||
| CVE-2025-63892 | 1 Remyandrade | 1 Student Grades Management System | 2026-06-17 | N/A | 6.8 MEDIUM |
| A vulnerability was identified in SourceCodester Student Grades Management System 1.0. Affected is the function create_classroom of the file /classroom.php of the component My Classrooms Management Page. Manipulation of the argument name/description leads to stored cross-site scripting. | |||||
| CVE-2025-63885 | | | 2026-06-17 | N/A | 6.1 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in AIxBlock commit 04f305 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the model_desc field. | |||||
| CVE-2025-63883 | 1 Bhabishya-123 | 1 E-commerce | 2026-06-17 | N/A | 5.4 MEDIUM |
| A DOM-based cross-site scripting vulnerability exists in electic-shop v1.0 (Bhabishya-123/E-commerce). The site's client-side JavaScript reads attacker-controlled input (for example, values derived from the URL or page fragment) and inserts it into the DOM via unsafe sinks (innerHTML/insertAdjacentHTML/document.write) without proper sanitization or context-aware encoding. An attacker can craft a malicious URL that, when opened by a victim, causes arbitrary JavaScript to execute in the victim's browser under the electic-shop origin. | |||||
| CVE-2025-63879 | 1 Learnwithfair | 1 Php-ecommerce-project | 2026-06-17 | N/A | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in the /ecommerce/products.php component of E-commerce Project v1.0 and earlier allows attackers to execute arbitrary JavaScript in the context of a user's browser via injecting a crafted payload into the id parameter. | |||||
| CVE-2025-63872 | 1 Deepseek | 1 Deepseek | 2026-06-17 | N/A | 6.1 MEDIUM |
| DeepSeek V3.2 has a Cross Site Scripting (XSS) vulnerability, which allows JavaScript execution through model-generated SVG content. | |||||
| CVE-2025-63848 | 1 Swi-prolog | 1 Swish | 2026-06-17 | N/A | 6.1 MEDIUM |
| Stored cross-site scripting (XSS) vulnerability in SWISH (SWI-Prolog) through 2.2.0 allows attackers to execute arbitrary code via a crafted web IDE notebook. | |||||
| CVE-2025-63834 | 1 Tenda | 2 Ac18, Ac18 Firmware | 2026-06-17 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability was discovered in Tenda AC18 v15.03.05.05_multi. The vulnerability exists in the ssid parameter of the wireless settings. Remote attackers can inject malicious payloads that execute when any user visits the router's homepage. | |||||
| CVE-2025-63830 | 1 Cksource | 1 Ckfinder | 2026-06-17 | N/A | 6.1 MEDIUM |
| CKFinder 1.4.3 is vulnerable to Cross Site Scripting (XSS) in the File Upload function. An attacker can upload a crafted SVG containing active content. | |||||
| CVE-2025-63785 | 1 Onlook | 1 Onlook | 2026-06-17 | N/A | 6.1 MEDIUM |
| A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the text editor feature of the Onlook web application 0.2.32. This vulnerability occurs because user-supplied input is not properly sanitized before being directly injected into the DOM via innerHTML when editing a text element. An attacker can exploit this to inject malicious HTML and script code, which is then executed within the context of the preview iframe, allowing for the execution of arbitrary scripts in the user's session. | |||||
| CVE-2025-63743 | | | 2026-06-17 | N/A | 5.4 MEDIUM |
| Cross-Site Scripting vulnerability in the Snipe-IT web-based asset management system v8.3.0 up to and including v8.3.1 allows an authenticated attacker with the lowest privileges (sufficient only to log in) to inject arbitrary JavaScript code via the "Name" and "Surname" fields. The JavaScript code is executed whenever the "Activity Report" or the modified profile is viewed directly by any user with sufficient permissions. Successful exploitation of this issue requires that the profile's "Display Name" is not set. The vulnerability is fixed in v8.3.2. | |||||
| CVE-2025-63737 | 1 Rockoa | 1 Rockoa | 2026-06-17 | N/A | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in function urltestAction in file cliAction.php in Xinhu Rainrock RockOA 2.7.0 allows remote attackers to inject arbitrary web script or HTML via the m parameter to the task.php endpoint. | |||||
| CVE-2025-63735 | 1 Ruckuswireless | 1 Ruckus Unleashed | 2026-06-17 | N/A | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability exists in Ruckus Unleashed 200.13.6.1.319 via the name parameter to the captive-portal endpoint selfguestpass/guestAccessSubmit.jsp. | |||||
| CVE-2025-63725 | 1 Radioinorr | 1 Svx Portal | 2026-06-17 | N/A | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability exists in SVX Portal 2.7A via the id parameter to Recivers.php. | |||||
| CVE-2025-63714 | 1 Remyandrade | 1 Modern User Account Generator | 2026-06-17 | N/A | 6.1 MEDIUM |
| Cross-Site Scripting (XSS) vulnerability in SourceCodester User Account Generator 1.0 allows remote attackers to execute arbitrary JavaScript code in the context of the user's browser session via crafted input in the Username Prefix field. The vulnerability exists due to improper sanitization of user-supplied input when rendering generated account data to the DOM, allowing persistent injection of malicious HTML elements that execute when clicked by users. | |||||
| CVE-2025-63713 | 1 Remyandrade | 1 Matching Type Test | 2026-06-17 | N/A | 6.1 MEDIUM |
| Cross-Site Scripting (XSS) vulnerability in SourceCodester "MatchMaster" 1.0 allows remote attackers to inject arbitrary web script or HTML via crafted input in the custom test creation feature. The vulnerability exists because the application fails to properly sanitize user-supplied input in test titles and matching pair items before rendering them in the DOM during test execution. | |||||
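Several entries above (CVE-2025-63883 and CVE-2025-63785 in particular) describe the same DOM-based pattern: client-side code reads a value from the URL or page fragment and builds markup from it for an innerHTML-style sink. The following is an added example, not code from any of the listed projects or advisories; the URL, the `name` fragment parameter and the `<h1>` rendering are constructed for illustration. It reduces the pattern to the string-building step so it runs in Node without a DOM: the functions return the markup a page would assign, and the difference between the unsafe and the escaped version is visible in the returned strings.

```javascript
// Constructed URL (not from any advisory): the fragment carries the payload,
// an <img> whose onerror handler runs script, the way a crafted link would.
const CONSTRUCTED_URL =
  "https://shop.example/product.html#name=%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E";

// Read a key from the URL fragment the way vulnerable client code typically does.
// URLSearchParams percent-decodes the value, so the raw markup comes back.
function readFragmentParam(url, key) {
  const hash = new URL(url).hash.slice(1); // drop the leading '#'
  return new URLSearchParams(hash).get(key) ?? "";
}

// Vulnerable: untrusted text is concatenated straight into markup. Assigning the
// result to element.innerHTML (or passing it to insertAdjacentHTML / document.write)
// parses the payload as HTML and fires the onerror handler.
function renderHeadingUnsafe(name) {
  return `<h1 class="product">${name}</h1>`;
}

// HTML-context escaping: the five characters that can change the parser's state
// inside element content or a quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Safe: escape before building markup. In real DOM code the better fix is to
// create the element and set element.textContent = name, so nothing is parsed.
function renderHeadingSafe(name) {
  return `<h1 class="product">${escapeHtml(name)}</h1>`;
}

// Reviewer check against rendered output: does the untrusted value survive
// verbatim as markup? True means the sink is live.
function payloadSurvivesAsMarkup(html, payload) {
  return html.includes(payload);
}

const untrustedName = readFragmentParam(CONSTRUCTED_URL, "name");
console.log(renderHeadingUnsafe(untrustedName)); // payload intact inside the <h1>
console.log(renderHeadingSafe(untrustedName));   // payload rendered as &lt;img ...&gt; text
```

Escaping for the element-content context is the minimum; a value placed into an attribute, a URL (`href`, `src`) or a script block needs the encoding for that context, and a `javascript:` URL is not neutralised by HTML escaping at all. Where the sink can be avoided entirely (textContent, createElement plus setAttribute), that is the stronger fix.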
