Total
37814 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-11694 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-06-24 | N/A | 6.1 MEDIUM |
| Enhanced Tracking Protection's Strict mode may have inadvertently allowed a CSP `frame-src` bypass and DOM-based XSS through the Google SafeFrame shim in the Web Compatibility extension. This issue could have exposed users to malicious frames masquerading as legitimate content. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Firefox ESR < 115.18, Thunderbird < 133, Thunderbird < 128.5, and Thunderbird < 115.18. | |||||
| CVE-2024-50637 | 1 Webkul | 1 Unopim | 2025-06-24 | N/A | 5.4 MEDIUM |
| UnoPim 0.1.3 and below is vulnerable to Cross Site Scripting (XSS) in the Create User function. This allows attackers to perform XSS via an SVG document, which can be used to steal cookies. | |||||
| CVE-2023-2142 | 1 Mozilla | 1 Nunjucks | 2025-06-24 | N/A | 6.1 MEDIUM |
| In Nunjucks versions prior to version 3.2.4, it was possible to bypass the restrictions which are provided by the autoescape functionality. If there are two user-controlled parameters on the same line used in the views, it was possible to inject cross site scripting payloads using the backslash \ character. | |||||
| CVE-2025-3643 | 1 Moodle | 1 Moodle | 2025-06-24 | N/A | 5.4 MEDIUM |
| A flaw was found in Moodle. The return URL in the policy tool required additional sanitizing to prevent a reflected Cross-site scripting (XSS) risk. | |||||
| CVE-2025-6126 | 1 Phpgurukul | 1 Rail Pass Management System | 2025-06-24 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in PHPGurukul Rail Pass Management System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /contact.php. The manipulation of the argument Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | |||||
| CVE-2025-6125 | 1 Phpgurukul | 1 Rail Pass Management System | 2025-06-24 | 3.3 LOW | 2.4 LOW |
| A vulnerability was found in PHPGurukul Rail Pass Management System 1.0. It has been classified as problematic. Affected is an unknown function of the file /admin/aboutus.php. The manipulation of the argument pagedes leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-6127 | 1 Phpgurukul | 1 Nipah Virus Testing Management System | 2025-06-24 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was found in PHPGurukul Nipah Virus Testing Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /search-report.php. The manipulation of the argument serachdata leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-29280 | 1 Perfree | 1 Perfreeblog | 2025-06-24 | N/A | 4.8 MEDIUM |
| Stored cross-site scripting vulnerability exists in PerfreeBlog v4.0.11 in the website name field of the backend system settings interface allows an attacker to insert and execute arbitrary malicious code. | |||||
| CVE-2024-9699 | 1 Flatpress | 1 Flatpress | 2025-06-24 | N/A | 5.4 MEDIUM |
| A vulnerability in the file upload functionality of the FlatPress CMS admin panel (version latest) allows an attacker to upload a file with a JavaScript payload disguised as a filename. This can lead to a Cross-Site Scripting (XSS) attack if the uploaded file is accessed by other users. The issue is fixed in version 1.4.dev. | |||||
| CVE-2024-13209 | 1 Redaxo | 1 Redaxo | 2025-06-24 | 3.3 LOW | 2.4 LOW |
| A vulnerability was found in Redaxo CMS 5.18.1. It has been classified as problematic. Affected is an unknown function of the file /index.php?page=structure&category_id=1&article_id=1&clang=1&function=edit_art&artstart=0 of the component Structure Management Page. The manipulation of the argument Article Name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-42898 | 1 Nagios | 1 Nagios Xi | 2025-06-24 | N/A | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Nagios XI 2024R1.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter in the Account Settings page. | |||||
| CVE-2024-55226 | 1 Dani-garcia | 1 Vaultwarden | 2025-06-24 | N/A | 5.4 MEDIUM |
| Vaultwarden v1.32.5 was discovered to contain an authenticated reflected cross-site scripting (XSS) vulnerability via the component /api/core/mod.rs. | |||||
| CVE-2024-51379 | 1 Jatos | 1 Jatos | 2025-06-24 | N/A | 8.4 HIGH |
| Stored Cross-Site Scripting (XSS) vulnerability discovered in JATOS v3.9.3. The vulnerability exists in the description component of the study section, where an attacker can inject JavaScript into the description field. This allows for the execution of malicious scripts when an admin views the description, potentially leading to account takeover and unauthorized actions. | |||||
| CVE-2024-51380 | 1 Jatos | 1 Jatos | 2025-06-24 | N/A | 8.4 HIGH |
| Stored Cross-Site Scripting (XSS) vulnerability discovered in the Properties Component of JATOS v3.9.3. This flaw allows an attacker to inject malicious JavaScript into the properties section of a study, specifically within the UUID field. When an admin user accesses the study's properties, the injected script is executed in the admin's browser, which could lead to unauthorized actions, including account compromise and privilege escalation. | |||||
| CVE-2023-1932 | 2 Hibernate, Redhat | 5 Hibernate-validator, Codeready Studio, Jboss Enterprise Application Platform and 2 more | 2025-06-24 | N/A | 6.1 MEDIUM |
| A flaw was found in hibernate-validator's 'isValid' method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may render an invalid html, allowing HTML injection or Cross-Site-Scripting (XSS) attacks. | |||||
| CVE-2024-28715 | 1 Html-js | 1 Doracms | 2025-06-24 | N/A | 8.8 HIGH |
| Cross Site Scripting vulnerability in DOraCMS v.2.18 and before allows a remote attacker to execute arbitrary code via the markdown0 function in the /app/public/apidoc/oas3/wrap-components/markdown.jsx endpoint. | |||||
| CVE-2024-40114 | 1 Sitecom | 2 Wlx-2006, Wlx-2006 Firmware | 2025-06-24 | N/A | 6.1 MEDIUM |
| A Cross Site Scripting (XSS) vulnerability in Sitecom WLX-2006 Wall Mount Range Extender N300 v1.5 and before allows an attacker to manipulate the language cookie to inject malicious JavaScript code. | |||||
| CVE-2024-57427 | 1 Phpjabbers | 1 Cinema Booking System | 2025-06-24 | N/A | 6.1 MEDIUM |
| PHPJabbers Cinema Booking System v2.0 is vulnerable to reflected cross-site scripting (XSS). Multiple endpoints improperly handle user input, allowing malicious scripts to execute in a victim’s browser. Attackers can craft malicious links to steal session cookies or conduct phishing attacks. | |||||
| CVE-2024-57428 | 1 Phpjabbers | 1 Cinema Booking System | 2025-06-24 | N/A | 9.3 CRITICAL |
| A stored cross-site scripting (XSS) vulnerability in PHPJabbers Cinema Booking System v2.0 exists due to unsanitized input in file upload fields (event_img, seat_maps) and seat number configurations (number[new_X] in pjActionCreate). Attackers can inject persistent JavaScript, leading to phishing, malware injection, and session hijacking. | |||||
| CVE-2024-4023 | 1 Flatpress | 1 Flatpress | 2025-06-23 | N/A | 8.1 HIGH |
| A stored cross-site scripting (XSS) vulnerability exists in flatpressblog/flatpress version 1.3. When a user uploads a file with a `.xsig` extension and directly accesses this file, the server responds with a Content-type of application/octet-stream, leading to the file being processed as an HTML file. This allows an attacker to execute arbitrary JavaScript code, which can be used to steal user cookies, perform HTTP requests, and access content of the same origin. | |||||