Total: 39359 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-57875 | 1 Esri | 1 Portal For Arcgis | 2025-10-17 | N/A | 4.8 MEDIUM | There is a reflected cross-site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser. |
| CVE-2025-57874 | 1 Esri | 1 Portal For Arcgis | 2025-10-17 | N/A | 4.8 MEDIUM | There is a reflected cross-site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser. |
| CVE-2025-57873 | 1 Esri | 1 Portal For Arcgis | 2025-10-17 | N/A | 4.8 MEDIUM | There is a reflected cross-site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser. |
| CVE-2025-57871 | 1 Esri | 1 Portal For Arcgis | 2025-10-17 | N/A | 4.8 MEDIUM | There is a reflected cross-site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser. |
| CVE-2025-11663 | 1 Campcodes | 1 Online Beauty Parlor Management System | 2025-10-17 | 5.8 MEDIUM | 4.7 MEDIUM | A weakness has been identified in Campcodes Online Beauty Parlor Management System 1.0. The affected element is an unknown function of the file /admin/manage-services.php. Manipulation of the argument sername causes SQL injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. |
| CVE-2025-54089 | 1 Absolute | 1 Secure Access | 2025-10-16 | N/A | 3.4 LOW | CVE-2025-54089 is a cross-site scripting vulnerability in versions of Secure Access prior to 14.10. Attackers with administrative access to the console can interfere with another administrator's access to the console. The attack complexity is low; there are no attack requirements. Privileges required to execute the attack are high, and the victim must actively participate in the attack sequence. There is no impact to confidentiality or availability; there is a low impact to integrity. |
| CVE-2025-56807 | 1 Fairsketch | 1 Rise Ultimate Project Manager | 2025-10-16 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in FairSketch RISE Ultimate Project Manager & CRM 3.9.4 allows an administrator to store a JavaScript payload using the file explorer in the admin dashboard when creating new folders. |
| CVE-2025-11146 | 1 Apt-cacher-ng Project | 1 Apt-cacher-ng | 2025-10-16 | N/A | 5.4 MEDIUM | Reflected cross-site scripting (XSS) in Apt-Cacher-NG v3.2.1. The vulnerability allows an attacker to execute malicious scripts (XSS) in the web management application. It is caused by improper handling of GET inputs included in the URL in "/acng-report.html". |
| CVE-2025-11147 | 1 Apt-cacher-ng Project | 1 Apt-cacher-ng | 2025-10-16 | N/A | 5.4 MEDIUM | Reflected cross-site scripting (XSS) in Apt-Cacher-NG v3.2.1. The vulnerability allows malicious scripts (XSS) to be executed in "/html/<filename>.html". |
| CVE-2025-55996 | 1 Rakuten | 1 Viber | 2025-10-16 | N/A | 6.3 MEDIUM | Viber Desktop 25.6.0 is vulnerable to HTML injection via the text parameter of the message compose/forward interface. |
| CVE-2025-56795 | 1 Mealie | 1 Mealie | 2025-10-16 | N/A | 9.0 CRITICAL | Mealie 3.0.1 and earlier is vulnerable to stored cross-site scripting (XSS) in the recipe creation functionality. Unsanitized user input in the "note" and "text" fields of the "/api/recipes/{recipe_name}" endpoint is rendered in the frontend without proper escaping, leading to persistent XSS. |
| CVE-2025-60308 | 1 Fabian | 1 Simple Online Hotel Reservation System | 2025-10-16 | N/A | 4.1 MEDIUM | code-projects Simple Online Hotel Reservation System 1.0 has a cross-site scripting (XSS) vulnerability in the Add Room function. Malicious JavaScript code entered in the Description field can leak the administrator's cookie information when the room information is browsed. |
| CVE-2025-45585 | 1 Audi | 2 Universal Traffic Recorder, Universal Traffic Recorder Firmware | 2025-10-16 | N/A | 5.4 MEDIUM | Multiple stored cross-site scripting (XSS) vulnerabilities in Audi UTR 2.0 Universal Traffic Recorder 2.0 allow attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the wifi_sta_ssid or wifi_ap_ssid parameters. |
| CVE-2025-61797 | | | 2025-10-16 | N/A | 5.4 MEDIUM | Adobe Experience Manager versions 11.6 and earlier are affected by a stored cross-site scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Exploitation of this issue requires user interaction in that a victim must open a malicious link. Scope is changed. |
| CVE-2025-59429 | | | 2025-10-16 | N/A | N/A | FreePBX is an open source GUI for managing Asterisk. In versions prior to 16.0.68.39 for FreePBX 16 and versions prior to 17.0.18.38 for FreePBX 17, a reflected cross-site scripting vulnerability is present on the Asterisk HTTP Status page. The Asterisk HTTP Status page is exposed by FreePBX and is available by default on version 16 via any bound IP address at port 8088. By default on version 17, the binding is only to the localhost IP, making it significantly less vulnerable. The vulnerability can be exploited by unauthenticated attackers to obtain cookies from logged-in users, allowing them to hijack the session of an administrative user. The theft of admin session cookies allows attackers to gain control over the FreePBX admin interface, enabling them to access sensitive data, modify system configurations, create backdoor accounts, and cause service disruption. This issue has been patched in version 16.0.68.39 for FreePBX 16 and version 17.0.18.38 for FreePBX 17. |
| CVE-2025-60374 | | | 2025-10-16 | N/A | 6.1 MEDIUM | Stored cross-site scripting (XSS) in Perfex CRM chatbot before 3.3.1 allows attackers to inject arbitrary HTML/JavaScript. The payload is executed in the browsers of users viewing the chat, resulting in client-side code execution, potential session token theft, and other malicious actions. This is a different vulnerability than CVE-2024-8867. |
| CVE-2025-54272 | | | 2025-10-16 | N/A | 5.4 MEDIUM | Adobe Experience Manager versions 11.6 and earlier are affected by a stored cross-site scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Exploitation of this issue requires user interaction in that a victim must open a malicious link. Scope is changed. |
| CVE-2025-61796 | | | 2025-10-16 | N/A | 5.4 MEDIUM | Adobe Experience Manager versions 11.6 and earlier are affected by a stored cross-site scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Exploitation of this issue requires user interaction in that a victim must open a malicious link. Scope is changed. |
| CVE-2025-52583 | | | 2025-10-16 | N/A | 6.1 MEDIUM | Reflected cross-site scripting (XSS) vulnerability in desknet's Web Server allows execution of arbitrary JavaScript in a user's web browser. |
| CVE-2025-10135 | | | 2025-10-16 | N/A | 6.4 MEDIUM | The WP ViewSTL plugin for WordPress is vulnerable to stored cross-site scripting via the plugin's 'viewstl' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
