Total
40271 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-59115 | 1 Windu | 1 Windu Cms | 2025-12-05 | N/A | 5.4 MEDIUM |
| Windu CMS is vulnerable to Stored Cross-Site Scripting (XSS) in the logon page where input data has no proper validation. Malicious attacker can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting logs page by admin. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250. | |||||
| CVE-2025-49923 | 1 Castos | 1 Seriously Simple Podcasting | 2025-12-05 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows DOM-Based XSS.This issue affects Seriously Simple Podcasting: from n/a through <= 3.11.1. | |||||
| CVE-2025-10552 | 1 3ds | 1 3dswymer | 2025-12-04 | N/A | 8.7 HIGH |
| A stored Cross-site Scripting (XSS) vulnerability affecting 3DSwym in 3DSwymer on Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session. | |||||
| CVE-2025-10558 | 1 3ds | 1 3dswymer | 2025-12-04 | N/A | 8.7 HIGH |
| A stored Cross-site Scripting (XSS) vulnerability affecting 3DSearch in 3DSwymer on Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session. | |||||
| CVE-2025-20351 | 1 Cisco | 34 Desk Phone 9841, Desk Phone 9841 Firmware, Desk Phone 9851 and 31 more | 2025-12-04 | N/A | 6.1 MEDIUM |
| A vulnerability in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 running Cisco SIP Software could allow an unauthenticated, remote attacker to conduct XSS attacks against a user of the web UI. This vulnerability exists because the web UI of an affected device does not sufficiently validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Note: To exploit this vulnerability, the phone must be registered to Cisco Unified Communications Manager and have Web Access enabled. Web Access is disabled by default. | |||||
| CVE-2025-65621 | 1 Snipeitapp | 1 Snipe-it | 2025-12-04 | N/A | 5.4 MEDIUM |
| Snipe-IT before 8.3.4 allows stored XSS, allowing a low-privileged authenticated user to inject JavaScript that executes in an administrator's session, enabling privilege escalation. | |||||
| CVE-2025-63317 | 1 Doist | 1 Todoist | 2025-12-04 | N/A | 5.4 MEDIUM |
| Todoist v8896 is vulnerable to Cross Site Scripting (XSS) in /api/v1/uploads. Uploaded SVG files have no sanitization applied, so embedded JavaScript executes when a user opens the attachment from a task/comment. | |||||
| CVE-2025-63533 | 1 Shridharshukl | 1 Blood Bank Management System | 2025-12-04 | N/A | 8.5 HIGH |
| A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the updateprofile.php and rprofile.php components. The application fails to properly sanitize or encode user-supplied input before rendering it in response. An attacker can inject malicious JavaScript payloads into the rname, remail, rpassword, rphone, rcity parameters, which are then executed in the victim's browser when the page is viewed. | |||||
| CVE-2025-13873 | 1 Objectplanet | 1 Opinio | 2025-12-04 | N/A | 5.4 MEDIUM |
| Stored Cross-Site Scripting (XSS) in the survey-import feature of ObjectPlanet Opinio 7.26 rev12562 on web application allows an attacker to inject arbitrary JavaScript code, which executes in the browsing context of any visitor accessing the compromised survey. | |||||
| CVE-2025-66468 | 2025-12-04 | N/A | 7.6 HIGH | ||
| The Aimeos GrapesJS CMS extension provides page editor for creating content pages based on extensible components. Prior to 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8, Javascript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Policy is disabled. This vulnerability is fixed in 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8. | |||||
| CVE-2025-13401 | 2025-12-04 | N/A | 6.4 MEDIUM | ||
| The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the LCP Image to preload metabox in all versions up to, and including, 3.1.13 due to insufficient input sanitization and output escaping on user-supplied image attributes in the "create_img_preload_tag" function. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-13448 | 2025-12-04 | N/A | 6.4 MEDIUM | ||
| The CSSIgniter Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'element' shortcode attribute in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-65027 | 2025-12-04 | N/A | 7.6 HIGH | ||
| RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. RomM contains multiple unrestricted file upload vulnerabilities that allow authenticated users to upload malicious SVG or HTML files. When these files are accessed the browser executes embedded JavaScript, leading to stored Cross-Site Scripting (XSS) which when combined with a CSRF misconfiguration they lead to achieve full administrative account takeover, creating a rogue admin account, escalating the attacker account role to admin, and much more. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2. | |||||
| CVE-2025-13513 | 2025-12-04 | N/A | 6.1 MEDIUM | ||
| The Clik stats plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2025-11727 | 2025-12-04 | N/A | 7.2 HIGH | ||
| The Omnichannel for WooCommerce: Google, Amazon, eBay & Walmart Integration – Powered by Codisto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sync() function in all versions up to, and including, 1.3.65 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2017-1303 | 1 Ibm | 1 Websphere Portal | 2025-12-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM WebSphere Portal and Web Content Manager 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 125457. | |||||
| CVE-2025-63534 | 1 Shridharshukl | 1 Blood Bank Management System | 2025-12-03 | N/A | 8.5 HIGH |
| A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the login.php component. The application fails to properly sanitize or encode user-supplied input before rendering it in response. An attacker can inject malicious JavaScript payloads into the msg and error parameters, which are then executed in the victim's browser when the page is viewed. | |||||
| CVE-2025-66308 | 1 Getgrav | 1 Grav-plugin-admin | 2025-12-03 | N/A | 5.4 MEDIUM |
| This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/config/site endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[taxonomies] parameter. The injected payload is stored on the server and automatically executed in the browser of any user who accesses the affected site configuration, resulting in a persistent attack vector. This vulnerability is fixed in 1.11.0-beta.1. | |||||
| CVE-2025-66309 | 1 Getgrav | 1 Grav-plugin-admin | 2025-12-03 | N/A | 6.1 MEDIUM |
| This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Reflected Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][content][items] parameter. This vulnerability is fixed in 1.11.0-beta.1. | |||||
| CVE-2025-66310 | 1 Getgrav | 1 Grav-plugin-admin | 2025-12-03 | N/A | 5.4 MEDIUM |
| This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][template] parameter. The script is saved within the page's frontmatter and executed automatically whenever the affected content is rendered in the administrative interface or frontend view. This vulnerability is fixed in 1.11.0-beta.1. | |||||