Total: 44637 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-62459 | 1 Microsoft | 1 365 Defender Portal | 2026-06-17 | N/A | 8.3 HIGH |
| Microsoft Defender Portal Spoofing Vulnerability | |||||
| CVE-2025-62430 | 1 Oxygenz | 1 Clipbucket | 2026-06-17 | N/A | 5.4 MEDIUM |
| ClipBucket v5 is an open source video sharing platform. ClipBucket v5 through build 5.5.2 #145 allows stored cross-site scripting (XSS) in multiple video and photo metadata fields. For videos the Tags field and the Genre, Actors, Producer, Executive Producer, and Director fields in Movieinfos accept user supplied values without adequate sanitization. For photos the Photo Title and Photo Tags fields accept user supplied values without adequate sanitization. A regular user who can edit a video or photo can inject script (for example by supplying a value such as a closing delimiter followed by a script element). The injected script executes when any user, including an unauthenticated visitor or an administrator, views the affected video or photo page. Although cookies are set with the HttpOnly attribute and cannot be read directly, the injected script can issue fetch requests to endpoints such as admin_area pages and exfiltrate their contents or trigger unintended actions. Version 5.5.2 build #146 and later contain a fix. Update to build 5.5.2 #146 or later. No known workarounds exist. | |||||
| CVE-2025-62421 | 1 Dataease | 1 Dataease | 2026-06-17 | N/A | 5.4 MEDIUM |
| DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a stored cross-site scripting vulnerability exists due to improper file upload validation and authentication bypass. The StaticResourceApi interface defines a route upload/{fileId} that uses a URL path parameter where both the filename and extension of uploaded files are controllable by users. During permission validation, the TokenFilter invokes the WhitelistUtils#match method to determine if the URL path is in the allowlist. If the requestURI ends with .js or similar extensions, it is directly deemed safe and bypasses permission checks. This allows an attacker to access "upload/1.js" while specifying arbitrary file extensions, enabling the upload of HTML files containing malicious JavaScript. The vulnerability is fixed in version 2.10.14. No known workarounds exist. | |||||
| CVE-2025-62418 | 1 Webkul | 1 Bagisto | 2026-06-17 | N/A | 6.9 MEDIUM |
| Bagisto is an open source Laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted SVG file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser. This vulnerability is fixed in 2.3.8. | |||||
| CVE-2025-62414 | 1 Webkul | 1 Bagisto | 2026-06-17 | N/A | 6.9 MEDIUM |
| Bagisto is an open source Laravel eCommerce platform. In Bagisto v2.3.7, the “Create New Customer” feature (in the admin panel) is vulnerable to Cross-Site Scripting (XSS). An attacker with access to the admin create-customer form can inject malicious JavaScript payloads into certain input fields. These payloads may later execute in the context of an admin’s browser or another user viewing the customer data, enabling session theft or admin-level actions. This vulnerability is fixed in 2.3.8. | |||||
| CVE-2025-62413 | | | 2026-06-17 | N/A | 6.1 MEDIUM |
| MQTTX is an MQTT 5.0 desktop client and MQTT testing tool. A Cross-Site Scripting (XSS) vulnerability was introduced in MQTTX v1.12.0 due to improper handling of MQTT message payload rendering. Malicious payloads containing HTML or JavaScript could be rendered directly in the MQTTX message viewer. If exploited, this could allow attackers to execute arbitrary scripts in the context of the application UI — for example, attempting to access MQTT connection credentials or trigger unintended actions through script injection. This vulnerability is especially relevant when MQTTX is used with brokers in untrusted or multi-tenant environments, where message content cannot be fully controlled. This vulnerability is fixed in 1.12.1. | |||||
| CVE-2025-62412 | 1 Librenms | 1 Librenms | 2026-06-17 | N/A | 3.8 LOW |
| LibreNMS is a community-based GPL-licensed network monitoring system. The alert rule name in the Alerts > Alert Rules page is not properly sanitized, and can be used to inject HTML code. This vulnerability is fixed in 25.10.0. | |||||
| CVE-2025-62411 | 1 Librenms | 1 Librenms | 2026-06-17 | N/A | 5.5 MEDIUM |
| LibreNMS is a community-based GPL-licensed network monitoring system. LibreNMS <= 25.8.0 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Alert Transports management functionality. When an administrator creates a new Alert Transport, the value of the Transport name field is stored and later rendered in the Transports column of the Alert Rules page without proper input validation or output encoding. This leads to arbitrary JavaScript execution in the admin’s browser. This vulnerability is fixed in 25.10.0. | |||||
| CVE-2025-62380 | | | 2026-06-17 | N/A | N/A |
| mailgen is a Node.js package that generates responsive HTML e-mails for sending transactional mail. Mailgen versions through 2.0.31 contain an HTML injection vulnerability in plaintext emails generated with the generatePlaintext method when user generated content is supplied. The plaintext generation code attempts to strip HTML tags using a regular expression and then decodes HTML entities, but tags that include certain Unicode line separator characters are not matched and removed. These encoded tags are later decoded into valid HTML content, allowing unexpected HTML to remain in output intended to be plaintext. Projects are affected if they call Mailgen.generatePlaintext with untrusted input and then render or otherwise process the returned string in a context where HTML is interpreted. This can lead to execution of attacker supplied script in the victim’s browser. Version 2.0.32 fixes the issue. | |||||
| CVE-2025-62366 | | | 2026-06-17 | N/A | N/A |
| mailgen is a Node.js package that generates responsive HTML e-mails for sending transactional mail. Mailgen versions through 2.0.30 contain an HTML injection vulnerability in plaintext emails produced by the generatePlaintext method when user-generated content is supplied. The function attempts to remove HTML tags, but if tags are provided as encoded HTML entities they are not removed and are later decoded, resulting in active HTML (for example an img tag with an event handler) in the supposed plaintext output. In contexts where the generated plaintext string is subsequently rendered as HTML, this can allow execution of attacker-controlled JavaScript. Versions 2.0.31 and later contain a fix. No known workarounds exist. | |||||
| CVE-2025-62365 | 1 Librenms | 1 Librenms | 2026-06-17 | N/A | 6.1 MEDIUM |
| LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. Prior to 25.7.0, there is a reflected XSS in the `report_this` function in `librenms/includes/functions.php`. The `report_this` function had improper filtering (the `htmlentities` function was incorrectly used in an href context), which allowed the `project_issues` parameter to trigger an XSS vulnerability. This vulnerability is fixed in 25.7.0. | |||||
| CVE-2025-62359 | 1 Wegia | 1 Wegia | 2026-06-17 | N/A | 6.1 MEDIUM |
| WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Prior to 3.5.0, a Reflected Cross-Site Scripting (XSS) vulnerability was identified in the /pet/profile_pet.php?id_pet= endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the id_pet parameter. This vulnerability is fixed in 3.5.0. | |||||
| CVE-2025-62358 | 1 Wegia | 1 Wegia | 2026-06-17 | N/A | 5.4 MEDIUM |
| WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Prior to 3.5.1, the log parameter in configuracao_geral.php is vulnerable to Reflected Cross-Site Scripting (XSS). An attacker can inject arbitrary JavaScript, which executes in the victim’s browser. This vulnerability is fixed in 3.5.1. | |||||
| CVE-2025-62326 | 1 Hcltech | 1 Digital Experience | 2026-06-17 | N/A | 6.1 MEDIUM |
| HCL Digital Experience is susceptible to stored cross-site scripting (XSS) in the administrative user interface which would require elevated privileges to exploit. | |||||
| CVE-2025-62320 | 1 Hcltech | 9 Unica, Unica Audience Central, Unica Campaign and 6 more | 2026-06-17 | N/A | 4.7 MEDIUM |
| HTML injection can be carried out in the product when the web application does not properly check or clean user input before showing it on a webpage. Because of this, an attacker may insert unwanted HTML code into the page. When the browser loads the page, it may automatically interact with external resources included in that HTML, which can cause unexpected requests from the user’s browser. | |||||
| CVE-2025-62297 | 1 Soplanning | 1 Soplanning | 2026-06-17 | N/A | 5.4 MEDIUM |
| SOPlanning is vulnerable to Stored XSS in the /projets endpoint. A malicious attacker with medium privileges can inject arbitrary HTML and JS into the website, which will be rendered/executed when the edited page is opened. This issue was fixed in version 1.55. | |||||
| CVE-2025-62296 | 1 Soplanning | 1 Soplanning | 2026-06-17 | N/A | 5.4 MEDIUM |
| SOPlanning is vulnerable to Stored XSS in the /taches endpoint. A malicious attacker with medium privileges can inject arbitrary HTML and JS into the website, which will be rendered/executed when the editor is opened. This issue was fixed in version 1.55. | |||||
| CVE-2025-62295 | 1 Soplanning | 1 Soplanning | 2026-06-17 | N/A | 5.4 MEDIUM |
| SOPlanning is vulnerable to Stored XSS in the /groupe_form endpoint. A malicious attacker with medium privileges can inject arbitrary HTML and JS into the website, which will be rendered/executed when the editor is opened. This issue was fixed in version 1.55. | |||||
| CVE-2025-62267 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2026-06-17 | N/A | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in web content template’s select structure page in Liferay Portal 7.4.3.35 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 35 through update 92 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user’s (1) First Name, (2) Middle Name, or (3) Last Name text field. | |||||
| CVE-2025-62265 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2026-06-17 | N/A | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Blogs widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, 7.3 GA through update 36, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted <iframe> injected into a blog entry's “Content” text field. The Blogs widget in Liferay DXP does not add the sandbox attribute to <iframe> elements, which allows remote attackers to access the parent page via scripts and links in the frame page. | |||||
