Total
44525 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-59539 | 1 Dnnsoftware | 1 Dotnetnuke | 2026-06-17 | N/A | 6.3 MEDIUM |
| DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, when embedding information in the Biography field, even if that field is not rich-text, users could inject javascript code that would run in the context of the website and to any other user that can view the profile including administrators and/or superusers. This issue has been patched in version 10.1.0. | |||||
| CVE-2025-59526 | 2026-06-17 | N/A | N/A | ||
| mailgen is a Node.js package that generates responsive HTML e-mails for sending transactional mail. Prior to version 2.0.30, there is an HTML injection vulnerability in plaintext e-mails generated by Mailgen. Projects are affected if the Mailgen.generatePlaintext(email) method is used and given user-generated content. This vulnerability has been patched in version 2.0.30. A workaround involves stripping all HTML tags before passing any content into Mailgen.generatePlaintext(email). | |||||
| CVE-2025-59525 | 1 Horilla | 1 Horilla | 2026-06-17 | N/A | 6.1 MEDIUM |
| Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, improper sanitization across the application allows XSS via uploaded SVG (and via allowed <embed>), which can be chained to execute JavaScript whenever users view impacted content (e.g., announcements). This can result in admin account takeover. This issue has been patched in version 1.4.0. | |||||
| CVE-2025-59524 | 1 Horilla | 1 Horilla | 2026-06-17 | N/A | 6.1 MEDIUM |
| Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, the file upload flow performs validation only in the browser and does not enforce server-side checks. An attacker can bypass the client-side validation (for example, with an intercepting proxy or by submitting a crafted request) to store an executable HTML document on the server. When an administrator or other privileged user views the uploaded file, the embedded script runs in their context and sends session cookies (or other credentials) to an attacker-controlled endpoint. The attacker then reuses those credentials to impersonate the admin. This issue has been patched in version 1.4.0. | |||||
| CVE-2025-59491 | 1 Centralsquare | 1 Community Development | 2026-06-17 | N/A | 6.1 MEDIUM |
| Cross Site Scripting vulnerability in CentralSquare Community Development 19.5.7 via form fields. | |||||
| CVE-2025-59467 | 1 Ui | 1 Argentina Afip Invoices | 2026-06-17 | N/A | 7.5 HIGH |
| A Cross-Site Scripting (XSS) vulnerability in the UCRM Argentina AFIP invoices Plugin (v1.2.0 and earlier) could allow privilege escalation if an Administrator is tricked into visiting a crafted malicious page. This plugin is disabled by default. Affected Products: UCRM Argentina AFIP invoices Plugin (Version 1.2.0 and earlier) Mitigation: Update UCRM Argentina AFIP invoices Plugin to Version 1.3.0 or later. | |||||
| CVE-2025-59430 | 2026-06-17 | N/A | 8.2 HIGH | ||
| Mesh Connect JS SDK contains JS libraries for integrating with Mesh Connect. Prior to version 3.3.2, the lack of sanitization of URLs protocols in the createLink.openLink function enables the execution of arbitrary JavaScript code within the context of the parent page. This is technically indistinguishable from a real page at the rendering level and allows access to the parent page DOM, storage, session, and cookies. If the attacker can specify customIframeId, they can hijack the source of existing iframes. This issue has been patched in version 3.3.2. | |||||
| CVE-2025-59429 | 1 Sangoma | 1 Freepbx | 2026-06-17 | N/A | 5.4 MEDIUM |
| FreePBX is an open source GUI for managing Asterisk. In versions prior to 16.0.68.39 for FreePBX 16 and versions prior to 17.0.18.38 for FreePBX 17, a reflected cross-site scripting vulnerability is present on the Asterisk HTTP Status page. The Asterisk HTTP status page is exposed by FreePBX and is available by default on version 16 via any bound IP address at port 8088. By default on version 17, the binding is only to localhost IP, making it significantly less vulnerable. The vulnerability can be exploited by unauthenticated attackers to obtain cookies from logged-in users, allowing them to hijack a session of an administrative user. The theft of admin session cookies allows attackers to gain control over the FreePBX admin interface, enabling them to access sensitive data, modify system configurations, create backdoor accounts, and cause service disruption. This issue has been patched in version 16.0.68.39 for FreePBX 16 and version 17.0.18.38 for FreePBX 17. | |||||
| CVE-2025-59428 | 1 Espocrm | 1 Espocrm | 2026-06-17 | N/A | 5.4 MEDIUM |
| EspoCRM is an open source customer relationship management application. In versions before 9.1.9, a vulnerability allows arbitrary user creation, including administrative accounts, through a combination of stored SVG injection and lack of CSRF protection. An attacker with Knowledge Base edit permissions can embed a malicious SVG element containing a link in the body field of an article. When an authenticated user clicks the malicious link, they are redirected to an attacker-controlled HTML page that executes a CSRF request against the api/v1/User endpoint. If the victim is prompted for and enters their credentials, an attacker-controlled account is created with privileges determined by the CSRF payload. This issue has been patched in version 9.1.9. | |||||
| CVE-2025-59424 | 1 Linkace | 1 Linkace | 2026-06-17 | N/A | 7.3 HIGH |
| LinkAce is a self-hosted archive to collect website links. Prior to 2.3.1, a Stored Cross-Site Scripting (XSS) vulnerability has been identified on the /system/audit page. The application fails to properly sanitize the username field before it is rendered in the audit log. An authenticated attacker can set a malicious JavaScript payload as their username. When an action performed by this user is recorded (e.g., generate or revoke an API token), the payload is stored in the database. The script is then executed in the browser of any user, particularly administrators, who views the /system/audit page. This vulnerability is fixed in 2.3.1. | |||||
| CVE-2025-59417 | 1 Lobehub | 1 Lobe Chat | 2026-06-17 | N/A | 6.1 MEDIUM |
| Lobe Chat is an open-source artificial intelligence chat framework. Prior to version 1.129.4, there is a a cross-site scripting (XSS) vulnerability when handling chat message in lobe-chat that can be escalated to remote code execution on the user’s machine. In lobe-chat, when the response from the server is like <lobeArtifact identifier="ai-new-interpretation" ...> , it will be rendered with the lobeArtifact node, instead of the plain text. However, when the type of the lobeArtifact is image/svg+xml , it will be rendered as the SVGRender component, which internally uses dangerouslySetInnerHTML to set the content of the svg, resulting in XSS attack. Any party capable of injecting content into chat messages, such as hosting a malicious page for prompt injection, operating a compromised MCP server, or leveraging tool integrations, can exploit this vulnerability. This vulnerability is fixed in 1.129.4. | |||||
| CVE-2025-59415 | 1 Frappe | 1 Learning | 2026-06-17 | N/A | 4.6 MEDIUM |
| Frappe Learning is a learning system that helps users structure their content. In versions 2.34.1 and below, there is a security vulnerability in Frappe Learning where the system did not adequately sanitize the content uploaded in the profile bio. Malicious SVG files could be used to execute arbitrary scripts in the context of other users. | |||||
| CVE-2025-59412 | 1 Cubecart | 1 Cubecart | 2026-06-17 | N/A | 5.4 MEDIUM |
| CubeCart is an ecommerce software solution. Prior to version 6.5.11, a vulnerability exists in the product reviews feature where user-supplied input is not properly sanitized before being displayed. An attacker can submit HTML tags inside the review description field. Once the administrator approves the review, the injected HTML is rendered on the product page for all visitors. This could be used to redirect users to malicious websites or to display unwanted content. This issue has been patched in version 6.5.11. | |||||
| CVE-2025-59411 | 1 Cubecart | 1 Cubecart | 2026-06-17 | N/A | 5.4 MEDIUM |
| CubeCart is an ecommerce software solution. Prior to version 6.5.11, the contact form’s Enquiry field accepts raw HTML and that HTML is included verbatim in the email sent to the store admin. By submitting HTML in the Enquiry, the admin receives an email containing that HTML. This indicates user input is not being escaped or sanitized before being output in email (and possibly when re-rendering the form), leading to Cross-Site Scripting / HTML injection risk in email clients or admin UI. This issue has been patched in version 6.5.11. | |||||
| CVE-2025-59332 | 2026-06-17 | N/A | 8.6 HIGH | ||
| 3DAlloy is a lightWeight 3D-viewer for MediaWiki. From 1.0 through 1.8, the <3d> parser tag and the {{#3d}} parser function allow users to provide custom attributes that are then appended to the canvas HTML element that is being output by the extension. The attributes are not sanitized, which means that arbitrary JavaScript can be inserted and executed. | |||||
| CVE-2025-59269 | 1 F5 | 21 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 18 more | 2026-06-17 | N/A | 6.1 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2025-59158 | 1 Coollabs | 1 Coolify | 2026-06-17 | N/A | 8.0 HIGH |
| Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. An authenticated user with low privileges (e.g., member role) can create a project with a maliciously crafted name containing embedded JavaScript. When an administrator later attempts to delete the project or its associated resource, the payload automatically executes in the admin’s browser context. Version 4.0.0-beta.420.7 contains a patch for the issue. | |||||
| CVE-2025-59135 | 2026-06-17 | N/A | 5.9 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eleopard Behance Portfolio Manager portfolio-manager-powered-by-behance allows Stored XSS.This issue affects Behance Portfolio Manager: from n/a through <= 1.7.5. | |||||
| CVE-2025-59117 | 1 Windu | 1 Windu Cms | 2026-06-17 | N/A | 4.8 MEDIUM |
| Windu CMS is vulnerable to multiple Stored Cross-Site Scripting (XSS) vulnerabilities in the page editing endpoint windu/admin/content/pages/edit/. This vulnerability can be exploited by a privileged user and may target users with higher privileges. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250. | |||||
| CVE-2025-59115 | 1 Windu | 1 Windu Cms | 2026-06-17 | N/A | 5.4 MEDIUM |
| Windu CMS is vulnerable to Stored Cross-Site Scripting (XSS) in the logon page where input data has no proper validation. Malicious attacker can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting logs page by admin. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250. | |||||