Vulnerabilities (CVE)

Filtered by CWE-79
Total: 44520 CVEs
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-55522 1 Akaunting 1 Akaunting 2026-06-17 N/A 6.5 MEDIUM
Cross-site scripting (XSS) vulnerability in the component /common/reports of Akaunting v3.1.18 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the name parameter.
CVE-2025-55474 1 Brufdev 1 Many Notes 2026-06-17 N/A 6.1 MEDIUM
Many Notes 0.10.1 is vulnerable to Cross Site Scripting (XSS), which allows malicious Markdown files to execute JavaScript when viewed.
CVE-2025-55473 2026-06-17 N/A 6.1 MEDIUM
Asian Arts Talents Foundation (AATF) Website v5.1.x and Docker version 2024.12.8.1 are vulnerable to Cross Site Scripting (XSS). The vulnerability exists in the /ip.php endpoint, which processes and displays the X-Forwarded-For HTTP header without proper sanitization or output encoding. This allows an attacker to inject malicious JavaScript code that will execute in visitor browsers.
CVE-2025-55422 1 Foxcms 1 Foxcms 2026-06-17 N/A 8.8 HIGH
In FoxCMS 1.2.6, there is a reflected Cross Site Scripting (XSS) vulnerability in /index.php/plus.
CVE-2025-55420 1 Foxcms 1 Foxcms 2026-06-17 N/A 8.8 HIGH
A Reflected Cross Site Scripting (XSS) vulnerability was found in /index.php in FoxCMS v1.2.6. When a crafted script is sent via a GET request, it is reflected unsanitized into the HTML response. This permits execution of arbitrary JavaScript code when a logged-in user submits the malicious input.
CVE-2025-55409 1 Foxcms 1 Foxcms 2026-06-17 N/A 8.8 HIGH
In FoxCMS 1.2.6, there is a Cross Site Scripting vulnerability in /index.php/article. This allows attackers to execute arbitrary code.
CVE-2025-55341 1 Quipux 1 Quipux 2026-06-17 N/A 6.5 MEDIUM
Cross Site Scripting vulnerability in Quipux 4.0.1 through e1774ac, affecting asocImgRad in anexos/anexos_nuevo.php.
CVE-2025-55321 1 Microsoft 1 Azure Monitor 2026-06-17 N/A 9.3 CRITICAL
Improper neutralization of input during web page generation ('cross-site scripting') in Azure Monitor allows an unauthorized attacker to perform spoofing over a network.
CVE-2025-55303 1 Astro 1 Astro 2026-06-17 N/A 6.1 MEDIUM
Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of images. A bug in impacted versions of astro allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. /_image?href=//example.com/image.png. This vulnerability is fixed in 5.13.2 and 4.16.18.
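The bypass described above is easiest to understand next to the kind of check it defeats. The following is an added JavaScript example, not Astro's code or its fix; the function names, the `SITE_ORIGIN` value and the allowlist are assumptions. It contrasts a naive check that treats any href beginning with `/` as a same-site asset with a check that first resolves the href against the site's own origin, the way a fetch would, so that `//example.com/image.png` (and its backslash variant, which WHATWG URL parsing also treats as protocol-relative) is seen for the foreign reference it is.

```javascript
// Added example, not Astro's implementation. Names, SITE_ORIGIN and the
// allowlist below are assumptions chosen for illustration.

const SITE_ORIGIN = 'https://site.example';
const ALLOWED_IMAGE_HOSTS = ['cdn.example.org'];

// Naive check of the kind the advisory describes: a leading "/" is taken to mean
// "one of our own assets", so only absolute URLs are compared to the allowlist.
// A protocol-relative href ("//example.com/image.png") starts with "/" and slips
// through, yet the optimizer fetches it from example.com.
function isAllowedImageSourceNaive(href, allowedHosts = ALLOWED_IMAGE_HOSTS) {
  if (href.startsWith('/')) return true;
  let url;
  try { url = new URL(href); } catch { return false; }
  return allowedHosts.includes(url.hostname);
}

// Hardened check: resolve the href against the site's own origin exactly as a
// fetch would, then decide on the resulting scheme and origin/hostname. Anything
// that does not resolve to our own origin must be http(s) with an allowlisted
// hostname (exact match, so "cdn.example.org.evil.example" does not pass).
function isAllowedImageSource(href, siteOrigin = SITE_ORIGIN, allowedHosts = ALLOWED_IMAGE_HOSTS) {
  let url;
  try { url = new URL(href, siteOrigin); } catch { return false; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  if (url.origin === new URL(siteOrigin).origin) return true;
  return allowedHosts.includes(url.hostname);
}

// Where a candidate href actually points once resolved against the site origin.
function resolvedHost(href, siteOrigin = SITE_ORIGIN) {
  try { return new URL(href, siteOrigin).hostname; } catch { return null; }
}

// Constructed inputs for a quick self-check when run directly with node.
const sampleHrefs = [
  '/images/logo.png',
  '//example.com/image.png',
  '\\\\example.com/image.png',
  'https://cdn.example.org/hero.jpg',
  'https://cdn.example.org.evil.example/hero.jpg',
  'data:text/html,<script>alert(1)</script>',
];
for (const href of sampleHrefs) {
  console.log(href.padEnd(48), 'naive:', isAllowedImageSourceNaive(href),
              'hardened:', isAllowedImageSource(href), 'host:', resolvedHost(href));
}
```

The point of `resolvedHost` is that the decision must be made on the parsed, resolved URL rather than on the raw string: string prefix tests cannot enumerate every spelling the URL parser accepts.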
CVE-2025-55300 2026-06-17 N/A N/A
Komari is a lightweight, self-hosted server monitoring tool designed to provide a simple and efficient solution for monitoring server performance. Prior to 1.0.4-fix1, WebSocket upgrader has disabled origin checking, enabling Cross-Site WebSocket Hijacking (CSWSH) attacks against authenticated users. Any third party website can send requests to the terminal websocket endpoint with browser's cookies, resulting in remote code execution. This vulnerability is fixed in 1.0.4-fix1.
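The CSWSH described above works because the browser attaches cookies to a cross-site WebSocket handshake, so a server that authenticates the upgrade by cookie alone cannot tell its own UI from an attacker's page. The following is an added JavaScript example, not Komari's code; the endpoint path, cookie name, allowed origins and request objects are constructed. It models the upgrade decision with and without an Origin check.

```javascript
// Added example, not Komari's code. Endpoint path, session cookie, allowed
// origins and the request objects are constructed for illustration.

const ALLOWED_ORIGINS = ['https://monitor.example'];
const TERMINAL_PATH = '/api/terminal'; // assumed endpoint name

// Toy session lookup standing in for real cookie-based authentication.
const SESSIONS = { 'sid=abc123': 'admin' };
function userFromCookie(cookieHeader) {
  return SESSIONS[cookieHeader ?? ''] ?? null;
}

// Vulnerable upgrader pattern: origin checking disabled, so the cookie is the
// only gate. A page on evil.example opened by a logged-in admin therefore gets
// an authenticated terminal socket.
function upgradeWithoutOriginCheck(req) {
  if (req.url !== TERMINAL_PATH) return { ok: false, reason: 'not found' };
  const user = userFromCookie(req.headers.cookie);
  if (!user) return { ok: false, reason: 'unauthenticated' };
  return { ok: true, user };
}

// Origin allowlist. The comparison is on the whole serialized origin (scheme,
// host, port), never a substring or prefix match, so
// "https://monitor.example.evil.example" does not pass. A missing Origin header
// means a non-browser client; this example rejects it and expects such clients
// to authenticate with a bearer token rather than a cookie.
function isAllowedOrigin(originHeader, allowed = ALLOWED_ORIGINS) {
  if (typeof originHeader !== 'string') return false;
  let origin;
  try { origin = new URL(originHeader).origin; } catch { return false; }
  if (origin === 'null') return false; // opaque origins (sandboxed frames, file://)
  return allowed.includes(origin);
}

// Hardened upgrader: check Origin before the cookie is even consulted.
function upgradeWithOriginCheck(req) {
  if (req.url !== TERMINAL_PATH) return { ok: false, reason: 'not found' };
  if (!isAllowedOrigin(req.headers.origin)) return { ok: false, reason: 'bad origin' };
  const user = userFromCookie(req.headers.cookie);
  if (!user) return { ok: false, reason: 'unauthenticated' };
  return { ok: true, user };
}

// Constructed handshakes: the victim's own UI, and a cross-site page the
// victim's browser loaded while still holding the session cookie.
const fromOwnUi = { url: TERMINAL_PATH, headers: { origin: 'https://monitor.example', cookie: 'sid=abc123' } };
const fromEvilSite = { url: TERMINAL_PATH, headers: { origin: 'https://evil.example', cookie: 'sid=abc123' } };

console.log('no origin check, evil site:', upgradeWithoutOriginCheck(fromEvilSite));
console.log('origin check, evil site:   ', upgradeWithOriginCheck(fromEvilSite));
console.log('origin check, own UI:      ', upgradeWithOriginCheck(fromOwnUi));
```

With the `ws` package the same predicate plugs into the server's `verifyClient` option (`verifyClient: (info) => isAllowedOrigin(info.origin)`); with other stacks it belongs in whatever hook runs before the 101 response is written.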
CVE-2025-55296 1 Librenms 1 Librenms 2026-06-17 N/A 5.5 MEDIUM
librenms is a community-based GPL-licensed network monitoring system. A stored Cross-Site Scripting (XSS) vulnerability exists in LibreNMS (<= 25.6.0) in the Alert Template creation feature. This allows a user with the admin role to inject malicious JavaScript, which will be executed when the template is rendered, potentially compromising other admin accounts. This vulnerability is fixed in 25.8.0.
CVE-2025-55291 2026-06-17 N/A 7.1 HIGH
Shaarli is a minimalist bookmark manager and link sharing service. Prior to 0.15.0, the input string in the cloud tag page is not properly sanitized. This allows the </title> tag to be prematurely closed, leading to a reflected Cross-Site Scripting (XSS) vulnerability. This vulnerability is fixed in 0.15.0.
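The `</title>` detail in the Shaarli entry and the unencoded X-Forwarded-For reflection in the /ip.php entry above are two faces of the same output-encoding failure, and it is worth seeing why a payload that is inert in one spot of the page executes in another. The following is an added JavaScript example, not code from Shaarli or the AATF site; the page templates, handler names and payloads are constructed. It renders an untrusted value into an ordinary element and into `<title>`, checks which inputs reach the HTML parser as markup in each context, and shows the entity encoding that neutralises both.

```javascript
// Added example; not code from Shaarli or the AATF site. Template strings,
// function names and payloads are constructed for illustration.

// Minimal HTML entity encoder. Encoding these five characters is enough for
// text content and double-quoted attribute values; it is NOT enough for
// JavaScript, URL or CSS contexts, which need their own encoders.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => (
    { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]
  ));
}

// Pattern from the /ip.php entry: a request header echoed into the body.
function renderIpPageVulnerable(headers) {
  const xff = headers['x-forwarded-for'] ?? 'unknown';
  return `<!doctype html><html><body><p>Your address: ${xff}</p></body></html>`;
}
function renderIpPageSafe(headers) {
  const xff = headers['x-forwarded-for'] ?? 'unknown';
  return `<!doctype html><html><body><p>Your address: ${escapeHtml(xff)}</p></body></html>`;
}

// Pattern from the Shaarli entry: a search term echoed into <title>.
function renderTagCloudVulnerable(term) {
  return `<!doctype html><html><head><title>Tag cloud: ${term}</title></head><body></body></html>`;
}
function renderTagCloudSafe(term) {
  return `<!doctype html><html><head><title>Tag cloud: ${escapeHtml(term)}</title></head><body></body></html>`;
}

// Does a <script> start tag reach the parser as markup? <title> is an RCDATA
// element: the tokenizer treats everything up to the first "</title" as text,
// so "<script>" inside the title is inert, but a "</title>" in the input ends
// the element and whatever follows is tokenized as markup again. This check
// models exactly that rule and nothing more (one <title>, no comments, no other
// RCDATA or raw-text elements).
function scriptReachesParser(html) {
  const open = /<title[\s>]/i.exec(html);
  if (!open) return /<script\b/i.test(html);
  const textStart = open.index + open[0].length;
  const close = /<\/title/i.exec(html.slice(textStart));
  if (!close) return false; // unterminated title: the rest of the page is text
  const markupOnly = html.slice(0, open.index) + html.slice(textStart + close.index);
  return /<script\b/i.test(markupOnly);
}

// Constructed payloads.
const bodyPayload = '<script>alert(1)</script>';
const titleBreakout = '</title><script>alert(1)</script>';

console.log('body, vulnerable:', scriptReachesParser(renderIpPageVulnerable({ 'x-forwarded-for': bodyPayload })));
console.log('body, encoded:   ', scriptReachesParser(renderIpPageSafe({ 'x-forwarded-for': bodyPayload })));
console.log('title, <script> only:', scriptReachesParser(renderTagCloudVulnerable(bodyPayload)));
console.log('title, </title> breakout:', scriptReachesParser(renderTagCloudVulnerable(titleBreakout)));
console.log('title, encoded:', scriptReachesParser(renderTagCloudSafe(titleBreakout)));
```

The practical lesson is that a scanner which only looks for `<script>` reflected in the title would report the tag cloud as safe; the parsing context, not the presence of the tag, decides whether the payload runs, and entity encoding at the point of output removes the question for both contexts.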
CVE-2025-55289 1 Chamilo 1 Chamilo Lms 2026-06-17 N/A 8.8 HIGH
Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability in Chamilo LMS (reported against version 1.11.32) allows an attacker to inject arbitrary JavaScript into the platform's social network and internal messaging features. When viewed by an authenticated user (including administrators), the payload executes in their browser within the LMS context. This enables full account takeover via session hijacking, unauthorized actions with the victim's privileges, exfiltration of sensitive data, and potential self-propagation to other users. This issue has been patched in version 1.11.34.
CVE-2025-55288 1 Kreaweb 1 Genealogy 2026-06-17 N/A 5.5 MEDIUM
Genealogy is a family tree PHP application. Prior to 4.4.0, an authenticated reflected Cross-Site Scripting (XSS) vulnerability was identified in the Genealogy application. Authenticated attackers could run arbitrary JavaScript in another user's session, leading to session hijacking, data theft, and UI manipulation. This vulnerability is fixed in 4.4.0.
CVE-2025-55287 1 Kreaweb 1 Genealogy 2026-06-17 N/A 5.4 MEDIUM
Genealogy is a family tree PHP application. Prior to 4.4.0, an authenticated stored Cross-Site Scripting (XSS) vulnerability was identified in the Genealogy application. Authenticated attackers could run arbitrary JavaScript in another user's session, leading to session hijacking, data theft, and UI manipulation. This vulnerability is fixed in 4.4.0.
CVE-2025-55209 2026-06-17 N/A N/A
contactmanager is a module for FreePBX, which is an open source GUI that controls and manages Asterisk (PBX). In versions 15.0.14 and below, 16.0.0 through 16.0.26.4 and 17.0.0 through 17.0.5, a stored cross-site scripting (XSS) vulnerability in FreePBX allows a low-privileged User Control Panel (UCP) user to inject malicious JavaScript into the system. The malicious code executes in the context of an administrator when they interact with the affected component, leading to session hijacking and potential privilege escalation. This issue is fixed in versions 15.0.14, 16.0.27 and 17.0.6.
CVE-2025-55208 1 Chamilo 1 Chamilo Lms 2026-06-17 N/A 9.0 CRITICAL
Chamilo is a learning management system. Versions prior to 1.11.34 have a Stored XSS through insecure file uploads in `Social Networks`. Through it, a low-privilege user can execute arbitrary code in the admin user inbox, allowing takeover of the admin account. Version 1.11.34 fixes the issue.
CVE-2025-55204 1 Muffon 1 Muffon 2026-06-17 N/A 8.8 HIGH
muffon is a cross-platform music streaming client for desktop. Versions prior to 2.3.0 have a one-click Remote Code Execution (RCE) vulnerability. An attacker can exploit this issue by embedding a specially crafted `muffon://` link on any website they control. When a victim visits the site or clicks the link, the browser triggers Muffon's custom URL handler, causing the application to launch and process the URL. This leads to RCE on the victim's machine without further interaction. Version 2.3.0 patches the issue.
CVE-2025-55203 2026-06-17 N/A 5.4 MEDIUM
Plane is open-source project management software. Prior to version 0.28.0, a stored cross-site scripting (XSS) vulnerability exists in the description_html field of Plane. This flaw allows an attacker to inject malicious JavaScript code that is stored and later executed in other users’ browsers. The description_html field is not properly sanitized or escaped. An attacker can submit crafted JavaScript payloads that are saved in the application’s database. When another user views the affected content, the injected code executes in their browser, running in the application’s context and bypassing standard security protections. Successful exploitation can lead to session hijacking, theft of sensitive information, or forced redirection to malicious sites. The vulnerability can also be chained with CSRF attacks to perform unauthorized actions, or leveraged to distribute malware and exploit additional browser vulnerabilities. This issue has been patched in version 0.28.0.
CVE-2025-55200 1 Bigbluebutton 1 Bigbluebutton 2026-06-17 N/A 7.1 HIGH
BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.13, the "Shared Notes" feature contains a Stored Cross-Site Scripting (XSS) vulnerability with the input location being the "Username" field and the output location on the "Shared Notes" page, when a user with a malicious username is editing content. This vulnerability allows a low-privileged user to execute arbitrary JavaScript in the context of higher-privileged users (e.g., Admins) who open the Shared Notes page. Version 3.0.13 fixes the issue.