Total: 44646 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-63450 | 1 Car-booking-system-php Project | 1 Car-booking-system-php | 2026-06-17 | N/A | 5.4 MEDIUM |
| Car-Booking-System-PHP v.1.0 is vulnerable to Cross Site Scripting (XSS) in /carlux/booking.php. | |||||
| CVE-2025-63449 | 1 Water Management System Project | 1 Water Management System | 2026-06-17 | N/A | 5.4 MEDIUM |
| Water Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /orders.php. | |||||
| CVE-2025-63448 | 1 Water Management System Project | 1 Water Management System | 2026-06-17 | N/A | 6.1 MEDIUM |
| Water Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /edit_product.php?id=1. | |||||
| CVE-2025-63447 | 1 Water Management System Project | 1 Water Management System | 2026-06-17 | N/A | 6.1 MEDIUM |
| Water Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /add_customer.php. | |||||
| CVE-2025-63446 | 1 Water Management System Project | 1 Water Management System | 2026-06-17 | N/A | 6.1 MEDIUM |
| Water Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /add_vendor.php. | |||||
| CVE-2025-63443 | 1 School Management System Php Project | 1 School Management System Php | 2026-06-17 | N/A | 5.4 MEDIUM |
| School Management System PHP v1.0 is vulnerable to Cross Site Scripting (XSS) in /login.php via the password parameter. | |||||
| CVE-2025-63442 | 1 Nababur | 1 Simple-user-management-system | 2026-06-17 | N/A | 4.6 MEDIUM |
| Simple User Management System with PHP-MySQL v1.0 is vulnerable to Cross-Site Scripting (XSS) via the Profile Section. The system fails to properly sanitize user input, allowing attackers to inject and execute arbitrary JavaScript when the input is displayed in the browser. | |||||
| CVE-2025-63441 | 1 Opensource-socialnetwork | 1 Open Source Social Network | 2026-06-17 | N/A | 7.3 HIGH |
| Open Source Social Network (OSSN) 8.6 is vulnerable to Cross Site Scripting (XSS) via the parameter `param` at endpoint u/administrator/friends. | |||||
| CVE-2025-63420 | 1 Crushftp | 1 Crushftp | 2026-06-17 | N/A | 4.1 MEDIUM |
| CrushFTP11 before 11.3.7_57 is vulnerable to stored HTML injection in the CrushFTP Admin Panel (Reports / "Who Created Folder"), enabling persistent HTML execution in admin sessions. | |||||
| CVE-2025-63419 | 1 Crushftp | 1 Crushftp | 2026-06-17 | N/A | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in CrushFTP 11.3.6_48. The Web-Based Server has a feature where users can share files; the feature reflects the filename to an emailbody field with no sanitization, leading to HTML Injection. | |||||
| CVE-2025-63418 | 1 Selfbest | 1 Selfbest | 2026-06-17 | N/A | 6.1 MEDIUM |
| A DOM-based Cross-Site Scripting (XSS) vulnerability in the SelfBest platform 2023.3 allows attackers to execute arbitrary JavaScript in the context of a logged-in user's session by injecting payloads via the browser's developer console. The vulnerability arises from the application's client-side code being susceptible to direct DOM manipulation without adequate sanitization or a Content Security Policy (CSP), potentially leading to account takeover and data theft. | |||||
| CVE-2025-63417 | 1 Selfbest | 1 Selfbest | 2026-06-17 | N/A | 7.2 HIGH |
| A Stored Cross-Site Scripting (XSS) vulnerability in the chat functionality of the SelfBest platform 2023.3 allows authenticated attackers to inject arbitrary web scripts or HTML via the chat message input field. This malicious content is stored and then executed in the context of other users' browsers when they view the malicious message, potentially leading to session hijacking, account takeover, or other client-side attacks. | |||||
| CVE-2025-63416 | 1 Selfbest | 1 Selfbest | 2026-06-17 | N/A | 9.1 CRITICAL |
| ** exclusively-hosted-service ** A Stored Cross-Site Scripting (XSS) vulnerability in the chat functionality of the SelfBest platform 2023.3 allows authenticated low-privileged attackers to execute arbitrary JavaScript in the context of other users' sessions. This can be exploited to access administrative data and functions, leading to privilege escalation and full compromise of sensitive user data, as demonstrated by the ability to fetch and exfiltrate the contents of the /admin/users endpoint. | |||||
| CVE-2025-63401 | 1 Hcltech | 1 Dragon | 2026-06-17 | N/A | 5.5 MEDIUM |
| Cross Site Scripting vulnerability in HCL Technologies Limited HCLTech DRAGON before v.7.6.0 allows a remote attacker to execute arbitrary code via missing directives. | |||||
| CVE-2025-63354 | 1 Hitrontech | 2 Hi3120, Hi3120 Firmware | 2026-06-17 | N/A | 4.8 MEDIUM |
| Hitron HI3120 v7.2.4.5.2b1 allows stored XSS via the Parental Control option when creating a new filter. The device fails to properly handle inputs, allowing an attacker to inject and execute JavaScript. | |||||
| CVE-2025-63317 | 1 Doist | 1 Todoist | 2026-06-17 | N/A | 5.4 MEDIUM |
| Todoist v8896 is vulnerable to Cross Site Scripting (XSS) in /api/v1/uploads. Uploaded SVG files have no sanitization applied, so embedded JavaScript executes when a user opens the attachment from a task/comment. | |||||
| CVE-2025-63307 | 1 Alexusmai | 1 Laravel File Manager | 2026-06-17 | N/A | 8.1 HIGH |
| alexusmai laravel-file-manager 3.3.1 is vulnerable to Cross Site Scripting (XSS). The application permits user-controlled upload, create, and rename of files to HTML and SVG types and serves those files inline without adequate content-type validation or output sanitization. | |||||
| CVE-2025-63260 | 1 Syncfusion | 1 Syncfusion | 2026-06-17 | N/A | 5.4 MEDIUM |
| SyncFusion 30.1.37 is vulnerable to Cross Site Scripting (XSS) via the Document-Editor reply to comment field and Chat-UI Chat message. | |||||
| CVE-2025-63243 | 1 Pixeon | 1 Weblaudos | 2026-06-17 | N/A | 4.6 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability exists in the password change functionality of Pixeon WebLaudos 25.1 (01), via the sle_sSenha parameter to the loginAlterarSenha.asp file. An attacker can craft a malicious URL that, when visited by a victim, causes arbitrary JavaScript code to be executed in the victim's browser within the security context of the vulnerable application. This issue could allow attackers to steal session cookies, disclose sensitive information, perform unauthorized actions on behalf of the user, or conduct phishing attacks. | |||||
| CVE-2025-63238 | 1 Limesurvey | 1 Limesurvey | 2026-06-17 | N/A | 6.1 MEDIUM |
| A Reflected Cross-Site Scripting (XSS) vulnerability affects LimeSurvey versions prior to 6.15.11+250909, due to the lack of validation of the gid parameter in the getInstance() function in application/models/QuestionCreate.php. This allows an attacker to craft a malicious URL and compromise the logged-in user. | |||||
