Total
271 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-64764 | 1 Astro | 1 Astro | 2025-11-20 | N/A | 7.1 HIGH |
| Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the targeted application, regardless of what was intended by the component template(s). This issue has been patched in version 5.15.8. | |||||
| CVE-2025-54346 | 1 Desktopalert | 1 Pingalert Application Server | 2025-11-20 | N/A | 7.6 HIGH |
| A Reflected Cross Site Scripting (XSS) vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows an attacker to hijack user’s browser, capturing sensitive information. | |||||
| CVE-2025-54348 | 1 Desktopalert | 1 Pingalert Application Server | 2025-11-20 | N/A | 6.5 MEDIUM |
| A Stored Cross Site Scripting (XSS) vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows an attacker to hijack user’s browser, capturing sensitive information. | |||||
| CVE-2025-58412 | 1 Fortinet | 1 Fortiadc | 2025-11-20 | N/A | 4.7 MEDIUM |
| A improper neutralization of script-related html tags in a web page (basic xss) vulnerability in Fortinet FortiADC 8.0.0, FortiADC 7.6.0 through 7.6.3, FortiADC 7.4 all versions, FortiADC 7.2 all versions may allow attacker to execute unauthorized code or commands via crafted URL. | |||||
| CVE-2024-54128 | 1 Monospace | 1 Directus | 2025-11-19 | N/A | 5.7 MEDIUM |
| Directus is a real-time API and App dashboard for managing SQL database content. The Comment feature has implemented a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter operates on the client-side, which can be bypassed, making the application vulnerable to HTML Injection. This vulerability is fixed in 10.13.4 and 11.2.0. | |||||
| CVE-2025-13178 | 2025-11-18 | 4.0 MEDIUM | 3.5 LOW | ||
| A flaw has been found in Bdtask/CodeCanyon SalesERP up to 20250728. This vulnerability affects unknown code of the file /edit_profile of the component User Profile Handler. This manipulation of the argument first_name/last_name causes basic cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-13180 | 2025-11-18 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability was found in Bdtask/CodeCanyon Wholesale Inventory Control and Inventory Management System up to 20250320. Impacted is an unknown function of the file /edit_profile. Performing manipulation of the argument first_name/last_name results in basic cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-8386 | 2025-11-18 | N/A | 6.9 MEDIUM | ||
| The vulnerability, if exploited, could allow an authenticated miscreant (with privilege of "aaConfigTools") to tamper with App Objects' help files and persist a cross-site scripting (XSS) injection that when executed by a victim user, can result in horizontal or vertical escalation of privileges. The vulnerability can only be exploited during config-time operations within the IDE component of Application Server. Run-time components and operations are not affected. | |||||
| CVE-2025-11265 | 2025-11-18 | N/A | 6.4 MEDIUM | ||
| The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'vkExUnit_cta_url' and 'vkExUnit_cta_button_text' parameters in all versions up to, and including, 9.112.1. This is due to a logic error in the CTA save function that reads sanitization callbacks from the wrong variable ($custom_field_name instead of $custom_field_options), causing the sanitization to never be applied. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that execute when a user accesses an injected page.", | |||||
| CVE-2025-11267 | 2025-11-18 | N/A | 6.4 MEDIUM | ||
| The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_veu_custom_css' parameter in all versions up to, and including, 9.112.1. This is due to insufficient input sanitization and output escaping on the user-supplied Custom CSS value. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that execute whenever a user accesses an injected page. | |||||
| CVE-2025-60244 | 2025-11-17 | N/A | 7.1 HIGH | ||
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in RealMag777 TableOn posts-table-filterable allows Code Injection.This issue affects TableOn: from n/a through <= 1.0.4.2. | |||||
| CVE-2025-62936 | 2025-11-13 | N/A | 6.1 MEDIUM | ||
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Jthemes xSmart xsmart allows Code Injection.This issue affects xSmart: from n/a through <= 1.2.9.4. | |||||
| CVE-2025-62897 | 2025-11-13 | N/A | 5.3 MEDIUM | ||
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Brecht WP Recipe Maker wp-recipe-maker allows Code Injection.This issue affects WP Recipe Maker: from n/a through <= 10.1.1. | |||||
| CVE-2025-58970 | 2025-11-13 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in AmentoTech Doctreat doctreat allows Code Injection.This issue affects Doctreat: from n/a through <= 1.6.7. | |||||
| CVE-2025-49398 | 2025-11-13 | N/A | 6.1 MEDIUM | ||
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Easy Appointments Easy Appointments easy-appointments allows Code Injection.This issue affects Easy Appointments: from n/a through <= 3.12.14. | |||||
| CVE-2025-33110 | 2025-11-12 | N/A | 5.4 MEDIUM | ||
| IBM OpenPages 9.1, and 9.0 with Watson is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. | |||||
| CVE-2025-64187 | 2025-11-12 | N/A | N/A | ||
| OctoPrint provides a web interface for controlling consumer 3D printers. Versions 1.11.3 and below are affected by a vulnerability that allows injection of arbitrary HTML and JavaScript into Action Command notifications and prompts popups generated by the printer. An attacker who successfully convinces a victim to print a specially crafted file could exploit this issue to disrupt ongoing prints, extract information (including sensitive configuration settings, if the targeted user has the necessary permissions for that), or perform other actions on behalf of the targeted user within the OctoPrint instance. This issue is fixed in version 1.11.4. | |||||
| CVE-2025-11874 | 2025-11-12 | N/A | 5.4 MEDIUM | ||
| The Slippy Slider – Responsive Touch Navigation Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'slippy-slider' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-12753 | 2025-11-12 | N/A | 6.4 MEDIUM | ||
| The Chart Expert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pmzez_chart' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied shortcode attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-48884 | 1 Galette | 1 Galette | 2025-11-10 | N/A | 6.1 MEDIUM |
| Galette is a membership management web application for non profit organizations. In versions 1.1.5.2 and below, Galette's Document Type is vulnerable to Cross-site Scripting. This issue is fixed in version 1.2.0. | |||||