Total
37713 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-7367 | 2025-07-15 | N/A | 6.4 MEDIUM | ||
| The Strong Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Testimonial Custom Fields in all versions up to, and including, 3.2.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-7569 | 2025-07-15 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability was found in Bigotry OneBase up to 1.3.6. It has been declared as problematic. Affected by this vulnerability is the function parse_args of the file /tpl/think_exception.tpl. The manipulation of the argument args leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-7672 | 2025-07-15 | N/A | 4.3 MEDIUM | ||
| The improper default setting in JiranSoft CrossEditor4 on Windows, Linux, Unix (API modules) potentaily allows Stored XSS. This issue affects CrossEditor4: from 4.0.0.01 before 4.6.0.23. | |||||
| CVE-2025-4369 | 2025-07-15 | N/A | 5.5 MEDIUM | ||
| The Companion Auto Update plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘update_delay_days’ parameter in all versions up to, and including, 3.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | |||||
| CVE-2025-53839 | 2025-07-15 | N/A | 4.0 MEDIUM | ||
| DRACOON is a file sharing service, and the DRACOON Branding Service allows customers to customize their DRACOON interface with their brand. Versions of the DRACOON Branding Service prior to 2.10.0 are vulnerable to cross-site scripting. Improper neutralization of input from administrative users could inject HTML code into the workflow for newly onboarded users. A fix was made available in version 2.10.0 and rolled out to the DRACOON service. DRACOON customers do not need to take action. | |||||
| CVE-2025-20250 | 1 Cisco | 1 Webex Meetings | 2025-07-14 | N/A | 6.1 MEDIUM |
| A vulnerability in Cisco Webex could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack. A vulnerability is due to improper filtering of user-supplied input. An attacker could exploit this vulnerability by persuading a user to follow a malicious link. A successful exploit could allow the attacker to conduct a cross-site scripting attack against the targeted user. | |||||
| CVE-2025-20247 | 1 Cisco | 1 Webex Meetings | 2025-07-14 | N/A | 6.1 MEDIUM |
| A vulnerability in Cisco Webex could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack. A vulnerability is due to improper filtering of user-supplied input. An attacker could exploit this vulnerability by persuading a user to follow a malicious link. A successful exploit could allow the attacker to conduct a cross-site scripting attack against the targeted user. | |||||
| CVE-2025-20246 | 1 Cisco | 1 Webex Meetings | 2025-07-14 | N/A | 6.1 MEDIUM |
| A vulnerability in Cisco Webex could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack. A vulnerability is due to improper filtering of user-supplied input. An attacker could exploit this vulnerability by persuading a user to follow a malicious link. A successful exploit could allow the attacker to conduct a cross-site scripting attack against the targeted user. | |||||
| CVE-2025-6430 | 1 Mozilla | 1 Firefox | 2025-07-14 | N/A | 6.1 MEDIUM |
| When a file download is specified via the `Content-Disposition` header, that directive would be ignored if the file was included via a `<embed>` or `<object>` tag, potentially making a website vulnerable to a cross-site scripting attack. This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12. | |||||
| CVE-2024-53679 | 1 Apache | 1 Vcl | 2025-07-14 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache VCL in the User Lookup form. A user with sufficient rights to be able to view this part of the site can craft a URL or be tricked in to clicking a URL that will give a specified user elevated rights. This issue affects all versions of Apache VCL through 2.5.1. Users are recommended to upgrade to version 2.5.2, which fixes the issue. | |||||
| CVE-2023-43039 | 3 Ibm, Linux, Microsoft | 3 Openpages With Watson, Linux Kernel, Windows | 2025-07-14 | N/A | 6.1 MEDIUM |
| IBM OpenPages with Watson 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session | |||||
| CVE-2024-11824 | 1 Langgenius | 1 Dify | 2025-07-14 | N/A | 7.6 HIGH |
| A stored cross-site scripting (XSS) vulnerability exists in langgenius/dify version latest, specifically in the chat log functionality. The vulnerability arises because certain HTML tags like <input> and <form> are not disallowed, allowing an attacker to inject malicious HTML into the log via prompts. When an admin views the log containing the malicious HTML, the attacker could steal the admin's credentials or sensitive information. This issue is fixed in version 0.12.1. | |||||
| CVE-2024-11684 | 1 Iseard | 1 Kudos Donations | 2025-07-14 | N/A | 6.1 MEDIUM |
| The Kudos Donations – Easy donations and payments with Mollie plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 3.2.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2025-3100 | 1 Wedevs | 1 Wp Project Manager | 2025-07-14 | N/A | 6.4 MEDIUM |
| The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.6.22 due to insufficient input sanitization and output escaping in tasks discussion. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an Administrator, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | |||||
| CVE-2025-5528 | 1 Heateor | 1 Sassy Social Share | 2025-07-14 | N/A | 6.1 MEDIUM |
| The Social Sharing Plugin – Sassy Social Share plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the heateor_mastodon_share parameter in all versions up to, and including, 3.3.75 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action, such as clicking on a link. | |||||
| CVE-2025-2918 | 1 Dotcamp | 1 Ultimate Blocks | 2025-07-14 | N/A | 6.4 MEDIUM |
| The Ultimate Blocks – WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 3.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-22243 | 2 Broadcom, Vmware | 4 Vmware Nsx, Cloud Foundation, Telco Cloud Infrastructure and 1 more | 2025-07-14 | N/A | 7.5 HIGH |
| VMware NSX Manager UI is vulnerable to a stored Cross-Site Scripting (XSS) attack due to improper input validation. | |||||
| CVE-2025-22244 | 2 Broadcom, Vmware | 4 Vmware Nsx, Cloud Foundation, Telco Cloud Infrastructure and 1 more | 2025-07-14 | N/A | 6.9 MEDIUM |
| VMware NSX contains a stored Cross-Site Scripting (XSS) vulnerability in the gateway firewall due to improper input validation. | |||||
| CVE-2025-22245 | 2 Broadcom, Vmware | 4 Vmware Nsx, Cloud Foundation, Telco Cloud Infrastructure and 1 more | 2025-07-14 | N/A | 5.9 MEDIUM |
| VMware NSX contains a stored Cross-Site Scripting (XSS) vulnerability in the router port due to improper input validation. | |||||
| CVE-2024-12166 | 1 Cmorillas1 | 1 Shortcodes Blocks Creator Ultimate | 2025-07-14 | N/A | 6.1 MEDIUM |
| The Shortcodes Blocks Creator Ultimate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||