Total
37690 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-7661 | 2025-07-22 | N/A | 6.4 MEDIUM | ||
| The Partnerský systém Martinus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'martinus' shortcode in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-7887 | 2025-07-22 | 5.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability has been found in Zavy86 WikiDocs up to 1.0.78 and classified as problematic. This vulnerability affects unknown code of the file template.inc.php. The manipulation of the argument path leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-7354 | 2025-07-22 | N/A | 6.4 MEDIUM | ||
| The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 7.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-52169 | 2025-07-22 | N/A | 7.1 HIGH | ||
| agorum Software GmbH Agorum core open v11.9.2 & v11.10.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability. | |||||
| CVE-2025-6235 | 2025-07-22 | N/A | N/A | ||
| In ExtremeControl before 25.5.12, a cross-site scripting (XSS) vulnerability was discovered in a login interface of the affected application. The issue stems from improper handling of user-supplied input within HTML attributes, allowing an attacker to inject script code that may execute in a user's browser under specific interaction conditions. Successful exploitation could lead to exposure of user data or unauthorized actions within the browser context. | |||||
| CVE-2025-41681 | 2025-07-22 | N/A | 4.8 MEDIUM | ||
| A high privileged remote attacker can gain persistent XSS via POST requests due to improper neutralization of special elements used to create dynamic content. | |||||
| CVE-2025-50582 | 2025-07-22 | N/A | 4.8 MEDIUM | ||
| StudentManage v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Add A New Course module. | |||||
| CVE-2025-7885 | 2025-07-22 | 5.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability, which was classified as problematic, has been found in Huashengdun WebSSH up to 1.6.2. Affected by this issue is some unknown functionality of the component Login Page. The manipulation of the argument hostname/port leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-7800 | 2025-07-22 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability classified as problematic was found in cgpandey hotelmis up to c572198e6c4780fccc63b1d3e8f3f72f825fc94e. This vulnerability affects unknown code of the file admin.php of the component HTTP GET Request Handler. The manipulation of the argument Search leads to cross site scripting. The attack can be initiated remotely. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. | |||||
| CVE-2025-4685 | 2025-07-22 | N/A | 6.4 MEDIUM | ||
| The Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HTML data attributes of multiple widgets, in all versions up to, and including, 3.4.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-46383 | 2025-07-22 | N/A | 6.1 MEDIUM | ||
| CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') | |||||
| CVE-2025-4284 | 2025-07-22 | N/A | 6.1 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Rolantis Information Technologies Agentis allows Reflected XSS, DOM-Based XSS.This issue affects Agentis: before 4.32. | |||||
| CVE-2025-6831 | 2025-07-22 | N/A | 6.4 MEDIUM | ||
| The User Registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's urcr_restrict shortcode in all versions up to, and including, 4.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-5240 | 2025-07-22 | N/A | 6.4 MEDIUM | ||
| The CRM and Lead Management by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘type’ parameter in all versions up to, and including, 2.7.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2020-26799 | 2025-07-22 | N/A | 9.8 CRITICAL | ||
| A reflected cross-site scripting (XSS) vulnerability was discovered in index.php on Luxcal 4.5.2 which allows an unauthenticated attacker to steal other users' data. | |||||
| CVE-2025-7486 | 2025-07-22 | N/A | 4.4 MEDIUM | ||
| The Ebook Store plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Order Details in all versions up to, and including, 5.8012 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | |||||
| CVE-2025-7495 | 2025-07-22 | N/A | 6.4 MEDIUM | ||
| The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpmem_login_link' shortcode in all versions up to, and including, 3.5.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-7644 | 2025-07-22 | N/A | 6.4 MEDIUM | ||
| The Pixel Gallery Addons for Elementor – Easy Grid, Creative Gallery, Drag and Drop Grid, Custom Grid Layout, Portfolio Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via URLs in all widgets in all versions up to, and including, 1.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-8017 | 1 Openwebui | 1 Open Webui | 2025-07-21 | N/A | 9.0 CRITICAL |
| An XSS vulnerability exists in open-webui/open-webui versions <= 0.3.8, specifically in the function that constructs the HTML for tooltips. This vulnerability allows attackers to perform operations with the victim's privileges, such as stealing chat history, deleting chats, and escalating their own account to an admin if the victim is an admin. | |||||
| CVE-2024-7990 | 1 Openwebui | 1 Open Webui | 2025-07-21 | N/A | 8.4 HIGH |
| A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. The vulnerability is present in the `/api/v1/models/add` endpoint, where the model description field is improperly sanitized before being rendered in chat. This allows an attacker to inject malicious scripts that can be executed by any user, including administrators, potentially leading to arbitrary code execution. | |||||