Total
36915 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-51063 | 1 Qstar | 1 Archive Storage Manager | 2025-06-03 | N/A | 8.8 HIGH |
| QStar Archive Solutions Release RELEASE_3-0 Build 7 Patch 0 was discovered to contain a DOM Based Reflected Cross Site Scripting (XSS) vulnerability within the component qnme-ajax?method=tree_level. | |||||
| CVE-2023-50072 | 1 Openkm | 1 Openkm | 2025-06-03 | N/A | 5.4 MEDIUM |
| A Stored Cross-Site Scripting (XSS) vulnerability exists in OpenKM version 7.1.40 (dbb6e88) With Professional Extension that allows an authenticated user to upload a note on a file which acts as a stored XSS payload. Any user who opens the note of a document file will trigger the XSS. | |||||
| CVE-2023-4960 | 1 Wclovers | 1 Wcfm Marketplace | 2025-06-03 | N/A | 6.4 MEDIUM |
| The WCFM Marketplace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wcfm_stores' shortcode in versions up to, and including, 3.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-49260 | 1 Hongdian | 2 H8951-4g-esp, H8951-4g-esp Firmware | 2025-06-03 | N/A | 6.1 MEDIUM |
| An XSS attack can be performed by changing the MOTD banner and pointing the victim to the "terminal_tool.cgi" path. It can be used together with the vulnerability CVE-2023-49255. | |||||
| CVE-2023-49258 | 1 Hongdian | 2 H8951-4g-esp, H8951-4g-esp Firmware | 2025-06-03 | N/A | 6.1 MEDIUM |
| User browser may be forced to execute JavaScript and pass the authentication cookie to the attacker leveraging the XSS vulnerability located at "/gui/terminal_tool.cgi" in the "data" parameter. | |||||
| CVE-2025-5153 | 1 Cmsmadesimple | 1 Cms Made Simple | 2025-06-03 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability, which was classified as problematic, has been found in CMS Made Simple 2.2.21. This issue affects some unknown processing of the component Design Manager Module. The manipulation of the argument Description leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-23782 | 1 Appleple | 1 A-blog Cms | 2025-06-02 | N/A | 5.4 MEDIUM |
| Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier versions. If this vulnerability is exploited, a user with a contributor or higher privilege may execute an arbitrary script on the web browser of the user who accessed the website using the product. | |||||
| CVE-2025-31682 | 1 Google Tag Project | 1 Google Tag | 2025-06-02 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Google Tag allows Cross-Site Scripting (XSS).This issue affects Google Tag: from 0.0.0 before 1.8.0, from 2.0.0 before 2.0.8. | |||||
| CVE-2025-25090 | 2025-06-02 | N/A | 7.1 HIGH | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dreamstime Dreamstime Stock Photos dreamstime-stock-photos allows Reflected XSS.This issue affects Dreamstime Stock Photos: from n/a through 4.1. | |||||
| CVE-2023-7200 | 1 Myeventon | 1 Eventon | 2025-06-02 | N/A | 6.1 MEDIUM |
| The EventON WordPress plugin before 4.4.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2024-41513 | 1 4pace | 1 Cadclick | 2025-06-02 | N/A | 5.4 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in "Artikel.aspx" in CADClick v1.11.0 and before allows remote attackers to inject arbitrary web script or HTML via the "searchindex" parameter. | |||||
| CVE-2024-41514 | 1 4pace | 1 Cadclick | 2025-06-02 | N/A | 5.4 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in "PrevPgGroup.aspx" in CADClick v1.11.0 and before allows remote attackers to inject arbitrary web script or HTML via the "wer" parameter. | |||||
| CVE-2024-41515 | 1 4pace | 1 Cadclick | 2025-06-02 | N/A | 5.4 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in "ccHandlerResource.ashx" in CADClick <= 1.11.0 allows remote attackers to inject arbitrary web script or HTML via the "res_url" parameter. | |||||
| CVE-2024-41516 | 1 4pace | 1 Cadclick | 2025-06-02 | N/A | 5.4 MEDIUM |
| A Reflected cross-site scripting (XSS) vulnerability in "ccHandler.aspx" CADClick <= 1.11.0 allows remote attackers to inject arbitrary web script or HTML via the "bomid" parameter. | |||||
| CVE-2025-3813 | 2025-06-02 | N/A | 6.4 MEDIUM | ||
| The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_elementor_data’ parameter in all versions up to, and including, 1.7.1020 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-5378 | 2025-06-02 | 5.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability classified as problematic has been found in Astun Technology iShare Maps 5.4.0. This affects an unknown part of the file mycouncil2.aspx. The manipulation of the argument atTxtStreet leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-48883 | 2025-06-02 | N/A | N/A | ||
| Chrome PHP allows users to start playing with chrome/chromium in headless mode from PHP. Prior to version 1.14.0, CSS Selector expressions are not properly encoded, which can lead to XSS (cross-site scripting) vulnerabilities. This is patched in v1.14.0. As a workaround, users can apply encoding manually to their selectors if they are unable to upgrade. | |||||
| CVE-2025-5290 | 2025-06-02 | N/A | 6.4 MEDIUM | ||
| The Borderless – Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title’ parameter in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-5412 | 2025-06-02 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability classified as problematic has been found in Mist Community Edition up to 4.7.1. Affected is the function Login of the file src/mist/api/views.py of the component Authentication Endpoint. The manipulation of the argument return_to leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.7.2 is able to address this issue. The name of the patch is db10ecb62ac832c1ed4924556d167efb9bc07fad. It is recommended to upgrade the affected component. | |||||
| CVE-2024-3509 | 2025-06-02 | N/A | 4.3 MEDIUM | ||
| A stored cross-site scripting (XSS) vulnerability exists in the Management Console of multiple WSO2 products due to insufficient input validation in the Rich Text Editor within the registry section. To exploit this vulnerability, a malicious actor must have a valid user account with administrative access to the Management Console. If successful, the actor could inject persistent JavaScript payloads, enabling the theft of user data or execution of unauthorized actions on behalf of other users. While this issue enables persistent client-side script execution, session-related cookies remain protected with the httpOnly flag, preventing session hijacking. | |||||