Total
40271 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-1000139 | 1 Scilico | 1 I\, Librarian | 2025-12-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| I, Librarian version 4.8 and earlier contains a Cross Site Scripting (XSS) vulnerability in "id" parameter in stable.php that can result in an attacker using the XSS to send a malicious script to an unsuspecting user. | |||||
| CVE-2012-3842 | 1 Directadmin | 1 Directadmin | 2025-12-05 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in CMD_DOMAIN in JBMC Software DirectAdmin 1.403 allow remote authenticated users with certain privileges to inject arbitrary web script or HTML via the (1) select0 or (2) select8 parameters. | |||||
| CVE-2024-8964 | 1 Sirv | 1 Sirv | 2025-12-05 | N/A | 6.4 MEDIUM |
| The Image Optimizer, Resizer and CDN – Sirv plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 7.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | |||||
| CVE-2025-65215 | 1 Senior-walter | 1 Web-based Pharmacy Product Management System | 2025-12-05 | N/A | 6.1 MEDIUM |
| Sourcecodester Web-based Pharmacy Product Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /product_expiry/add-supplier.php via the Supplier Name field. | |||||
| CVE-2025-65881 | 1 Oretnom23 | 1 Zoo Management System | 2025-12-05 | N/A | 6.1 MEDIUM |
| Sourcecodester Zoo Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /classes/Login.php. | |||||
| CVE-2025-65267 | 1 Frappe | 2 Erpnext, Frappe | 2025-12-05 | N/A | 9.0 CRITICAL |
| In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting (XSS). Successful exploitation may lead to account takeover, privilege escalation, or full compromise of the affected ERPNext instance. | |||||
| CVE-2025-20385 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2025-12-05 | N/A | 2.4 LOW |
| In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.6, 10.0.2503.7, and 9.3.2411.117, a user who holds a role with a high privilege capability `admin_all_objects` could craft a malicious payload through the href attribute of an anchor tag within a collection in the navigation bar, which could result in execution of unauthorized JavaScript code in the browser of a user. | |||||
| CVE-2024-25599 | 1 Castos | 1 Seriously Simple Podcasting | 2025-12-05 | N/A | 7.1 HIGH |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Castos Seriously Simple Podcasting allows Reflected XSS.This issue affects Seriously Simple Podcasting: from n/a through 3.0.2. | |||||
| CVE-2023-49272 | 1 Jayesh | 1 Hotel Management System | 2025-12-05 | N/A | 5.4 MEDIUM |
| Hotel Management v1.0 is vulnerable to multiple authenticated Reflected Cross-Site Scripting vulnerabilities. The 'children' parameter of the reservation.php resource is copied into the HTML document as plain text between tags. Any input is echoed unmodified in the application's response. | |||||
| CVE-2025-66222 | 1 Thinkinai | 1 Deepchat | 2025-12-05 | N/A | 9.6 CRITICAL |
| DeepChat is a smart assistant uses artificial intelligence. In 0.5.0 and earlier, there is a Stored Cross-Site Scripting (XSS) vulnerability in the Mermaid diagram renderer allows an attacker to execute arbitrary JavaScript within the application context. By leveraging the exposed Electron IPC bridge, this XSS can be escalated to Remote Code Execution (RCE) by registering and starting a malicious MCP (Model Context Protocol) server. | |||||
| CVE-2025-61949 | 3 Linux, Microsoft, Secuavail | 3 Linux Kernel, Windows, Logstare Collector | 2025-12-05 | N/A | 5.4 MEDIUM |
| LogStare Collector contains a stored cross-site scripting vulnerability in UserManagement. If crafted user information is stored, an arbitrary script may be executed on the web browser of the user who logs in to the product's management page. | |||||
| CVE-2025-14005 | 1 Xunruicms | 1 Xunruicms | 2025-12-05 | 3.3 LOW | 2.4 LOW |
| A weakness has been identified in dayrui XunRuiCMS up to 4.7.1. Affected by this vulnerability is an unknown functionality of the file /admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=0 of the component Add Display Name Field. Executing manipulation of the argument data[name] can lead to cross site scripting. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-14006 | 1 Xunruicms | 1 Xunruicms | 2025-12-05 | 4.0 MEDIUM | 3.5 LOW |
| A security vulnerability has been detected in dayrui XunRuiCMS up to 4.7.1. Affected by this issue is some unknown functionality of the file /admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=1 of the component Add Data Validation Page. The manipulation of the argument data[name] leads to cross site scripting. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-14007 | 1 Xunruicms | 1 Xunruicms | 2025-12-05 | 1.7 LOW | 2.0 LOW |
| A vulnerability was detected in dayrui XunRuiCMS up to 4.7.1. This affects an unknown part of the file /admin79f2ec220c7e.php?c=api&m=demo&name=mobile of the component Domain Name Binding Page. The manipulation results in cross site scripting. The attack may be performed from remote. A high complexity level is associated with this attack. It is indicated that the exploitability is difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-66458 | 1 Lookyloo | 1 Lookyloo | 2025-12-05 | N/A | 6.1 MEDIUM |
| Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, there are multiple XSS due to unsafe use of f-strings in Markup. The issue requires a malicious 3rd party server responding with a JSON document containing JS code in a script element. This vulnerability is fixed in 1.35.3. | |||||
| CVE-2025-66459 | 1 Lookyloo | 1 Lookyloo | 2025-12-05 | N/A | 6.1 MEDIUM |
| Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, a XSS vulnerability can be triggered when a user submits a list of URLs to capture, one of them contains a HTML element, and the capture fails. Then, the error field is populated with an error message that contains the bad URL they tried to capture, triggering the XSS. This vulnerability is fixed in 1.35.3. | |||||
| CVE-2025-66460 | 1 Lookyloo | 1 Lookyloo | 2025-12-05 | N/A | 6.1 MEDIUM |
| Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, Lookyloo passed improperly escaped values to cells rendered in datatables using the orthogonal-data feature. It is definitely exploitable from the popup view, but it is most probably also exploitable in many other places. This vulnerability is fixed in 1.35.3. | |||||
| CVE-2025-12848 | 1 Webform Multiple File Upload Project | 1 Webform Multiple File Upload | 2025-12-05 | N/A | 6.1 MEDIUM |
| Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious filename containing JavaScript code (e.g., "<img src=1 onerror=alert(document.domain)>") to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts in the context of the victim's browser. The issue is present in a third-party library and has been addressed in a patch available at https://github.com/fyneworks/multifile/pull/44 . Users are advised to apply the provided patch or update to a fixed version of the module. | |||||
| CVE-2025-65675 | 1 Classroomio | 1 Classroomio | 2025-12-05 | N/A | 5.4 MEDIUM |
| Stored Cross site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG profile pictures. | |||||
| CVE-2025-59117 | 1 Windu | 1 Windu Cms | 2025-12-05 | N/A | 4.8 MEDIUM |
| Windu CMS is vulnerable to multiple Stored Cross-Site Scripting (XSS) vulnerabilities in the page editing endpoint windu/admin/content/pages/edit/. This vulnerability can be exploited by a privileged user and may target users with higher privileges. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250. | |||||