Vulnerabilities (CVE)

Filtered by CWE-79
Total 40278 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3
CVE-2025-65622 | Vendors: 1 (Snipeitapp) | Products: 1 (Snipe-it) | Updated: 2025-12-03 | CVSS v2: N/A | CVSS v3: 5.4 MEDIUM
Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user to inject JavaScript that executes in another user's session.
CVE-2025-65961 | Vendors: 1 (Contao) | Products: 1 (Contao) | Updated: 2025-12-03 | CVSS v2: N/A | CVSS v3: 3.3 LOW
Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, it is possible to inject code into the template output that will be executed in the browser in the front end and back end. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. As a workaround, avoid using the affected templates or patch them manually.
CVE-2025-64049 | Vendors: 1 (Redaxo) | Products: 1 (Redaxo) | Updated: 2025-12-03 | CVSS v2: N/A | CVSS v3: 4.8 MEDIUM
A stored cross-site scripting (XSS) vulnerability in the module management component in REDAXO CMS 5.20.0 allows remote users to inject arbitrary web script or HTML via the Output code field in modules. The payload is executed when a user views or edits an article by adding a slice that uses the compromised module.
CVE-2025-66258 | Vendors: 1 (Dbbroadcast) | Products: 44 (Mozart Dds Next 100, Mozart Dds Next 1000, Mozart Dds Next 1000 Firmware and 41 more) | Updated: 2025-12-03 | CVSS v2: N/A | CVSS v3: 5.4 MEDIUM
Stored Cross-Site Scripting via XML Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Stored XSS via crafted filenames injected into patchlist.xml. User-controlled filenames are directly concatenated into `patchlist.xml` without encoding, allowing injection of malicious JavaScript payloads via crafted filenames (e.g., `<img src=x onerror=alert()>.bin`). The XSS executes when ajax.js processes and renders the XML file.
CVE-2025-21621 | Vendors: 1 (Geoserver) | Products: 1 (Geoserver) | Updated: 2025-12-03 | CVSS v2: N/A | CVSS v3: 6.1 MEDIUM
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.25.0, a reflected cross-site scripting (XSS) vulnerability exists in the WMS GetFeatureInfo HTML output format that enables a remote attacker to execute arbitrary JavaScript code in a victim's browser through specially crafted SLD_BODY parameters. This issue has been patched in version 2.25.0.
CVE-2025-65237 | Updated: 2025-12-03 | CVSS v2: N/A | CVSS v3: 6.1 MEDIUM
A reflected cross-site scripting (XSS) vulnerability in OpenCode Systems USSD Gateway OC Release: 5 allows attackers to execute arbitrary JavaScript in the context of a user's browser by injecting a crafted payload.
CVE-2025-66026 | Vendors: 1 (Redaxo) | Products: 1 (Redaxo) | Updated: 2025-12-03 | CVSS v2: N/A | CVSS v3: 6.1 MEDIUM
REDAXO is a PHP-based CMS. Prior to version 5.20.1, a reflected Cross-Site Scripting (XSS) vulnerability exists in the Mediapool view where the request parameter args[types] is rendered into an info banner without HTML-escaping. This allows arbitrary JavaScript execution in the backend context when an authenticated user visits a crafted link while logged in. This issue has been patched in version 5.20.1.
CVE-2024-43184 | Vendors: 1 (Ibm) | Products: 1 (Jazz Foundation) | Updated: 2025-12-02 | CVSS v2: N/A | CVSS v3: 6.1 MEDIUM
IBM Jazz Foundation 7.0.2 through 7.0.2 iFix033, 7.0.3 through 7.0.3 iFix012, and 7.1.0 through 7.1.0 iFix002 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVE-2025-51734 | Vendors: 1 (Hcltech) | Products: 1 (Unica) | Updated: 2025-12-02 | CVSS v2: N/A | CVSS v3: 5.4 MEDIUM
Cross-site scripting (XSS) vulnerability in HCL Technologies Ltd. Unica 12.0.0.
CVE-2025-52667 | Vendors: 1 (Revive-adserver) | Products: 1 (Revive Adserver) | Updated: 2025-12-02 | CVSS v2: N/A | CVSS v3: 5.4 MEDIUM
A missing JSON Content-Type header in a script in Revive Adserver 6.0.1 and 5.5.2 and earlier versions makes a stored XSS attack possible for a logged-in manager user.
CVE-2025-52668 | Vendors: 1 (Revive-adserver) | Products: 1 (Revive Adserver) | Updated: 2025-12-02 | CVSS v2: N/A | CVSS v3: 5.4 MEDIUM
Improper input neutralization in the stats-conversions.php script in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes potential information disclosure and session hijacking via a stored XSS attack.
CVE-2025-65187 | Updated: 2025-12-02 | CVSS v2: N/A | CVSS v3: 6.1 MEDIUM
A Stored Cross Site Scripting vulnerability exists in CiviCRM before v6.7 in the Accounting Batches field. An authenticated user can inject malicious JavaScript into this field and it executes whenever the page is viewed.
CVE-2025-63872 | Updated: 2025-12-02 | CVSS v2: N/A | CVSS v3: 6.1 MEDIUM
DeepSeek V3.2 has a Cross Site Scripting (XSS) vulnerability, which allows JavaScript execution through model-generated SVG content.
CVE-2025-56526 | Vendors: 1 (Cinnamon) | Products: 1 (Kotaemon) | Updated: 2025-12-02 | CVSS v2: N/A | CVSS v3: 6.1 MEDIUM
A cross-site scripting (XSS) vulnerability in Kotaemon 0.11.0 allows attackers to execute arbitrary code via a crafted PDF.
CVE-2025-13731 | Updated: 2025-12-02 | CVSS v2: N/A | CVSS v3: 6.4 MEDIUM
The Nexter Extension – Site Enhancements Toolkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'nxt-year' shortcode in all versions up to, and including, 4.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-13387 | Updated: 2025-12-02 | CVSS v2: N/A | CVSS v3: 7.2 HIGH
The Kadence WooCommerce Email Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer name in all versions up to, and including, 1.5.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-13835 | Updated: 2025-12-02 | CVSS v2: N/A | CVSS v3: 6.5 MEDIUM
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tyche Softwares Arconix Shortcodes allows Stored XSS. This issue affects Arconix Shortcodes: from n/a through 2.1.19.
CVE-2025-65858 | Updated: 2025-12-02 | CVSS v2: N/A | CVSS v3: 3.5 LOW
A Stored Cross-Site Scripting (XSS) vulnerability in Calibre-Web v0.6.25 allows attackers to inject malicious JavaScript into the 'username' field during user creation. The payload is stored unsanitized and later executed when the /ajax/listusers endpoint is accessed.
CVE-2025-40700 | Updated: 2025-12-02 | CVSS v2: N/A | CVSS v3: N/A
Reflected Cross-Site Scripting (XSS) in IDI Eikon's Governalia. The vulnerability allows an attacker to execute JavaScript code in the victim's browser when a malicious URL with the 'q' parameter in '/search' is sent to them. This vulnerability can be exploited to steal sensitive information such as session cookies or to perform actions on behalf of the victim.
CVE-2025-13697 | Updated: 2025-12-02 | CVSS v2: N/A | CVSS v3: 6.4 MEDIUM
The BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks, WordPress Block Plugin, Sections & Template Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'timestamp' attribute in all versions up to, and including, 2.2.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.