Vulnerabilities (CVE)

Filtered by CWE-79
Total 39238 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-63885 2025-10-30 N/A 6.1 MEDIUM
A stored cross-site scripting (XSS) vulnerability in AIxBlock commit 04f305 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the model_desc field.
CVE-2025-62265 2025-10-30 N/A N/A
Cross-site scripting (XSS) vulnerability in the Blogs widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, 7.3 GA through update 36, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted <iframe> injected into a blog entry's “Content” text field. The Blogs widget in Liferay DXP does not add the sandbox attribute to <iframe> elements, which allows remote attackers to access the parent page via scripts and links in the frame page.
CVE-2025-56313 2025-10-30 N/A 6.1 MEDIUM
A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the /publix/run endpoint of JATOS 3.7.1 through 3.9.6 (inclusive). This allows remote attackers to execute arbitrary JavaScript in a user's web browser by including a malicious payload in the "code" URL parameter. When an authenticated admin user accesses the study's URL, the malicious script gets interpreted and executes within their browser, which can lead to unauthorized actions, account compromise, and privilege escalation.
CVE-2025-50055 2025-10-30 N/A 6.4 MEDIUM
Cross-site scripting (XSS) vulnerability in the SAML Authentication module in OpenVPN Access Server version 2.14.0 through 2.14.3 allows configured remote SAML Assertion Consumer Service (ACS) endpoint servers to inject arbitrary web script or HTML via the RelayState parameter.
CVE-2025-2161 1 Pega 1 Pega Platform 2025-10-30 N/A 7.1 HIGH
Pega Platform versions 7.2.1 to Infinity 24.2.1 are affected by an XSS issue with Mashup
CVE-2025-2160 1 Pega 1 Pega Platform 2025-10-30 N/A 8.1 HIGH
Pega Platform versions 8.4.3 to Infinity 24.2.1 are affected by an XSS issue with Mashup
CVE-2025-32809 1 Wwnorton 1 Inquizitive 2025-10-30 N/A 6.4 MEDIUM
W. W. Norton InQuizitive through 2025-04-08 allows students to conduct stored XSS attacks against educators via a bonus description, feedback.choice_fb[], or question_id.
CVE-2025-64112 2025-10-30 N/A 8.0 HIGH
Statamic is a Laravel and Git powered content management system (CMS). Stored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This vulnerability is fixed in 5.22.1.
CVE-2025-8848 1 Librechat 1 Librechat 2025-10-30 N/A 5.4 MEDIUM
A vulnerability in danny-avila/librechat version 0.7.9 allows for HTML injection via the Accept-Language header. When a logged-in user sends an HTTP GET request with a crafted Accept-Language header, arbitrary HTML can be injected into the <html lang=""> tag of the response. This can lead to potential security risks such as cross-site scripting (XSS) attacks.
CVE-2025-10534 1 Mozilla 2 Firefox, Thunderbird 2025-10-30 N/A 8.1 HIGH
Spoofing issue in the Site Permissions component. This vulnerability affects Firefox < 143 and Thunderbird < 143.
CVE-2025-62528 1 Taguette 1 Taguette 2025-10-30 N/A 5.4 MEDIUM
Taguette is an open source qualitative research tool. An issue has been discovered in Taguette versions prior to 1.5.0. It was possible for a project member to put JavaScript in name or description fields which would run on project load. This issue has been patched in version 1.5.0.
CVE-2025-10869 1 Oct8ne 1 Chatbot 2025-10-30 N/A 6.1 MEDIUM
Stored Cross-site Scripting (XSS) in Oct8ne Chatbot v2.3. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by injecting a malicious payload through the creation of a transcript that is sent by email. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user, through /Data/SaveInteractions.
CVE-2025-36592 2025-10-30 N/A 5.4 MEDIUM
Dell Secure Connect Gateway (SCG) Policy Manager, version(s) 5.20, 5.22, 5.24, 5.26, 5.28, contain(s) an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Script injection.
CVE-2025-34253 1 Dlink 1 Nuclias Connect 2025-10-30 N/A 5.4 MEDIUM
D-Link Nuclias Connect firmware versions <= 1.3.1.4 contain a stored cross-site scripting (XSS) vulnerability due to improper sanitization of the 'Network' field when editing the configuration, creating a profile, and adding a network. An authenticated attacker can inject arbitrary JavaScript to be executed in the context of other users viewing the profile entry. NOTE: D-Link states that a fix is under development.
CVE-2024-43573 1 Microsoft 14 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 11 more 2025-10-30 N/A 6.5 MEDIUM
Windows MSHTML Platform Spoofing Vulnerability
CVE-2024-12374 1 Automatic1111 1 Stable-diffusion-webui 2025-10-30 N/A 6.1 MEDIUM
A stored cross-site scripting (XSS) vulnerability exists in automatic1111/stable-diffusion-webui version git 82a973c. An attacker can upload an HTML file, which the application interprets as content-type application/html. If a victim accesses the malicious link, it will execute arbitrary JavaScript in the victim's browser.
CVE-2025-5347 2025-10-30 N/A 6.3 MEDIUM
Zohocorp ManageEngine Exchange Reporter Plus versions before 5723 are vulnerable to Stored Cross Site Scripting in the reports module.
CVE-2025-5343 2025-10-30 N/A 6.3 MEDIUM
Zohocorp ManageEngine Exchange Reporter Plus versions through 5721 are vulnerable to Stored Cross Site Scripting in the Instant Search option.
CVE-2025-12083 2025-10-30 N/A 6.1 MEDIUM
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal CivicTheme Design System allows Cross-Site Scripting (XSS). This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0.
CVE-2025-10931 2025-10-30 N/A 3.8 LOW
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Umami Analytics allows Cross-Site Scripting (XSS). This issue affects Umami Analytics: from 0.0.0 before 1.0.1.