Total
35351 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-46238 | 1 Rolandbaer | 1 List Last Changes | 2025-04-30 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rbaer List Last Changes allows Stored XSS. This issue affects List Last Changes: from n/a through 1.2.1. | |||||
| CVE-2025-46250 | 1 Vikasratudi | 1 Lifetime Free Drag \& Drop Contact Form Builder | 2025-04-30 | N/A | 5.9 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vikas Ratudi VForm allows Stored XSS. This issue affects VForm: from n/a through 3.1.14. | |||||
| CVE-2022-45380 | 1 Jenkins | 1 Junit | 2025-04-30 | N/A | 5.4 MEDIUM |
| Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-43694 | 1 Concretecms | 1 Concrete Cms | 2025-04-30 | N/A | 6.1 MEDIUM |
| Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the image manipulation library due to un-sanitized output. | |||||
| CVE-2022-42954 | 1 Keyfactor | 1 Kefactor Ejbca | 2025-04-30 | N/A | 5.4 MEDIUM |
| Keyfactor EJBCA before 7.10.0 allows XSS. | |||||
| CVE-2022-42119 | 1 Liferay | 2 Dxp, Liferay Portal | 2025-04-30 | N/A | 5.4 MEDIUM |
| Certain Liferay products are vulnerable to Cross Site Scripting (XSS) via the Commerce module. This affects Liferay Portal 7.3.5 through 7.4.2 and Liferay DXP 7.3 before update 8. | |||||
| CVE-2022-42118 | 1 Liferay | 2 Dxp, Liferay Portal | 2025-04-30 | N/A | 6.1 MEDIUM |
| A Cross-site scripting (XSS) vulnerability in the Portal Search module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the `tag` parameter. | |||||
| CVE-2022-40846 | 1 Tenda | 2 Ac1200 V-w15ev2, W15e Firmware | 2025-04-30 | N/A | 4.8 MEDIUM |
| In Tenda AC1200 Router model W15Ev2 V15.11.0.10(1576), a Stored Cross Site Scripting (XSS) vulnerability exists allowing an attacker to execute JavaScript code via the applications stored hostname. | |||||
| CVE-2022-36432 | 1 Amasty | 1 Blog Pro | 2025-04-30 | N/A | 5.4 MEDIUM |
| The Preview functionality in the Amasty Blog Pro 2.10.3 plugin for Magento 2 uses eval unsafely. This allows attackers to perform Cross-site Scripting attacks on admin panel users by manipulating the generated preview application response. | |||||
| CVE-2025-46253 | 1 Wpmet | 1 Gutenkit | 2025-04-30 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ataur R GutenKit allows Stored XSS. This issue affects GutenKit: from n/a through 2.2.2. | |||||
| CVE-2025-46254 | 1 Visualcomposer | 1 Visual Composer Website Builder | 2025-04-30 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Visual Composer Visual Composer Website Builder allows Stored XSS. This issue affects Visual Composer Website Builder: from n/a through 45.10.0. | |||||
| CVE-2022-45382 | 1 Jenkins | 1 Naginator | 2025-04-30 | N/A | 5.4 MEDIUM |
| Jenkins Naginator Plugin 1.18.1 and earlier does not escape display names of source builds in builds that were triggered via Retry action, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to edit build display names. | |||||
| CVE-2025-3457 | 1 Oceanwp | 1 Ocean Extra | 2025-04-30 | N/A | 6.4 MEDIUM |
| The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'oceanwp_icon' shortcode in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-3458 | 1 Oceanwp | 1 Ocean Extra | 2025-04-30 | N/A | 6.4 MEDIUM |
| The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ocean_gallery_id’ parameter in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The Classic Editor plugin must be installed and activated to exploit the vulnerability. | |||||
| CVE-2025-25431 | 1 Trendnet | 2 Tew-929dru, Tew-929dru Firmware | 2025-04-30 | N/A | 4.8 MEDIUM |
| Trendnet TEW-929DRU 1.0.0.10 contains a Stored Cross-site Scripting (XSS) vulnerability via the The ssid key of wifi_data parameter on the /captive_portal.htm page. | |||||
| CVE-2025-0671 | 1 Icegram | 1 Icegram Express | 2025-04-29 | N/A | 6.1 MEDIUM |
| The Icegram Express WordPress plugin before 5.7.50 does not sanitise and escape some of its Template settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2022-42187 | 1 Hustoj | 1 Hustoj | 2025-04-29 | N/A | 6.1 MEDIUM |
| Hustoj 22.09.22 has a XSS Vulnerability in /admin/problem_judge.php. | |||||
| CVE-2022-41558 | 1 Tibco | 4 Spotfire Analyst, Spotfire Analytics Platform, Spotfire Desktop and 1 more | 2025-04-29 | N/A | 9.0 CRITICAL |
| The Visualizations component of TIBCO Software Inc.'s TIBCO Spotfire Analyst, TIBCO Spotfire Analyst, TIBCO Spotfire Analyst, TIBCO Spotfire Analytics Platform for AWS Marketplace, TIBCO Spotfire Desktop, TIBCO Spotfire Desktop, TIBCO Spotfire Desktop, TIBCO Spotfire Server, TIBCO Spotfire Server, and TIBCO Spotfire Server contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute Stored Cross Site Scripting (XSS) on the affected system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Analyst: versions 11.4.4 and below, TIBCO Spotfire Analyst: versions 11.5.0, 11.6.0, 11.7.0, 11.8.0, 12.0.0, and 12.0.1, TIBCO Spotfire Analyst: version 12.1.0, TIBCO Spotfire Analytics Platform for AWS Marketplace: versions 12.1.0 and below, TIBCO Spotfire Desktop: versions 11.4.4 and below, TIBCO Spotfire Desktop: versions 11.5.0, 11.6.0, 11.7.0, 11.8.0, 12.0.0, and 12.0.1, TIBCO Spotfire Desktop: version 12.1.0, TIBCO Spotfire Server: versions 11.4.8 and below, TIBCO Spotfire Server: versions 11.5.0, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.7.0, 11.8.0, 11.8.1, 12.0.0, and 12.0.1, and TIBCO Spotfire Server: version 12.1.0. | |||||
| CVE-2022-39834 | 1 Keyfactor | 1 Primekey Ejbca | 2025-04-29 | N/A | 5.4 MEDIUM |
| A stored XSS vulnerability was discovered in adminweb/ra/viewendentity.jsp in PrimeKey EJBCA through 7.9.0.2. A low-privilege user can store JavaScript in order to exploit a higher-privilege user. | |||||
| CVE-2024-9771 | 1 Plechevandrey | 1 Wp-recall | 2025-04-29 | N/A | 3.5 LOW |
| The WP-Recall WordPress plugin before 16.26.12 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||