Total
233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-52654 | 2025-10-03 | N/A | 4.6 MEDIUM | ||
| A vulnerability in HCL HCL MyXalytics allows HTML InjectionThis issue affects HCL MyXalytics: 6.6. | |||||
| CVE-2014-2353 | 1 Cogentdatahub | 1 Cogent Datahub | 2025-10-03 | 7.1 HIGH | N/A |
| Cross-site scripting (XSS) vulnerability in Cogent DataHub before 7.3.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2025-11241 | 2025-10-03 | N/A | 6.4 MEDIUM | ||
| The Yoast SEO Premium plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions 25.7 to 25.9 due to a flawed regex used to remove an attribute in post content, which can be abused to inject arbitrary HTML attributes, including JavaScript event handlers. This vulnerability allows a user with Contributor access or higher to create a post containing a malicious JavaScript payload. | |||||
| CVE-2025-10128 | 2025-10-02 | N/A | 6.4 MEDIUM | ||
| The Eulerpool Research Systems plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'aaq' shortcode in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-61583 | 2025-10-02 | N/A | 4.3 MEDIUM | ||
| TS3 Manager is modern web interface for maintaining Teamspeak3 servers. A reflected cross-site scripting vulnerability has been identified in versions 2.2.1 and earlier. The vulnerability exists in the error handling mechanism of the login page, where malicious scripts embedded in server hostnames are executed in the victim's browser context without proper sanitization. This issue is fixed in version 2.2.2. | |||||
| CVE-2025-58054 | 2025-10-02 | N/A | 3.5 LOW | ||
| Discourse is an open-source community discussion platform. Versions 3.5.0 and below are vulnerable to XSS attacks through parsing and rendering of chat channel titles and chat thread titles via the quote message functionality when using the rich text editor. This issue is fixed in version 3.5.1. | |||||
| CVE-2025-57730 | 1 Jetbrains | 1 Intellij Idea | 2025-09-30 | N/A | 5.2 MEDIUM |
| In JetBrains IntelliJ IDEA before 2025.2 hTML injection was possible via Remote Development feature | |||||
| CVE-2025-8029 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-09-29 | N/A | 8.1 HIGH |
| Thunderbird executed `javascript:` URLs when used in `object` and `embed` tags. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1. | |||||
| CVE-2025-1997 | 1 Ibm | 2 Devops Deploy, Urbancode Deploy | 2025-09-29 | N/A | 5.4 MEDIUM |
| IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.25, 7.1 through 7.1.2.21, 7.2 through 7.2.3.14, and 7.3 through 7.3.2.0 / IBM DevOps Deploy 8.0 through 8.0.1.4 and 8.1 through 8.1 is vulnerable to HTML injection. This vulnerability may allow a user to embed arbitrary HTML tags in the Web UI potentially leading to sensitive information disclosure. | |||||
| CVE-2025-60100 | 2025-09-26 | N/A | 5.3 MEDIUM | ||
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in 8theme XStore allows Code Injection. This issue affects XStore: from n/a through 9.5.3. | |||||
| CVE-2025-30210 | 1 Usebruno | 1 Bruno | 2025-09-23 | N/A | 6.1 MEDIUM |
| Bruno is an open source IDE for exploring and testing APIs. Prior to 1.39.1, the custom tool-tip components which internally use react-tooltip were setting the content (in this case the Environment name) as raw HTML which then gets injected into DOM on hover. This, combined with loose Content Security Policy restrictions, allowed any valid HTML text containing inline script to get executed on hovering over the respective Environment's name. This vulnerability's attack surface is limited strictly to scenarios where users import collections from untrusted or malicious sources. The exploit requires deliberate action from the user—specifically, downloading and opening an externally provided malicious Bruno or Postman collection export and the user hovers on the environment name. This vulnerability is fixed in 1.39.1. | |||||
| CVE-2025-57928 | 2025-09-22 | N/A | 5.3 MEDIUM | ||
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Strategy11 Team AWP Classifieds allows Code Injection. This issue affects AWP Classifieds: from n/a through 4.3.5. | |||||
| CVE-2025-59573 | 2025-09-22 | N/A | 5.3 MEDIUM | ||
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in CozyThemes Cozy Blocks allows Code Injection. This issue affects Cozy Blocks: from n/a through 2.1.29. | |||||
| CVE-2025-54589 | 1 9001 | 1 Copyparty | 2025-09-22 | N/A | 6.3 MEDIUM |
| Copyparty is a portable file server. In versions 1.18.6 and below, when accessing the recent uploads page at `/?ru`, users can filter the results using an input field at the top. This field appends a filter parameter to the URL, which reflects its value directly into a `<script>` block without proper escaping, allowing for reflected Cross-Site Scripting (XSS) and can be exploited against both authenticated and unauthenticated users. This is fixed in version 1.18.7. | |||||
| CVE-2025-32027 | 1 Yiiframework | 1 Yii | 2025-09-17 | N/A | 6.1 MEDIUM |
| Yii is an open source PHP web framework. Prior to 1.1.31, yiisoft/yii is vulnerable to Reflected XSS in specific scenarios where the fallback error renderer is used. Upgrade yiisoft/yii to version 1.1.31 or higher. | |||||
| CVE-2025-10125 | 2025-09-17 | N/A | 6.4 MEDIUM | ||
| The Memberlite Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugins's 'row' shortcode in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-35006 | 1 Ibm | 1 Security Qradar Edr | 2025-09-15 | N/A | 5.4 MEDIUM |
| IBM Security QRadar EDR 3.12 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. | |||||
| CVE-2025-54789 | 1 Humhub | 1 Files | 2025-09-12 | N/A | 6.1 MEDIUM |
| Files is a module for managing files inside spaces and user profiles. In versions 0.16.9 and below, the File Move functionality does not contain logic that prevents injection of arbitrary JavaScript, which can lead to Browser JS code execution in the context of the user’s session. This is fixed in version 0.16.10. | |||||
| CVE-2025-58430 | 2025-09-11 | N/A | N/A | ||
| listmonk is a standalone, self-hosted, newsletter and mailing list manager. In versions up to and including 1.1.0, every http request in addition to the session cookie `session` there included `nonce`. The value is not checked and validated by the backend, removing `nonce` allows the requests to be processed correctly. This may seem harmless, but if chained to other vulnerabilities it can become a critical vulnerability. Cross-site request forgery and cross-site scripting chained together can result in improper admin account creation. As of time of publication, no patched versions are available. | |||||
| CVE-2025-20342 | 2025-08-29 | N/A | 5.4 MEDIUM | ||
| A vulnerability in the Virtual Keyboard Video Monitor (vKVM) connection handling of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker with low privileges to conduct a stored cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into a specific data field in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid user credentials with privileges that allow for vKVM access on the affected device. Note: The affected vKVM client is also included in Cisco UCS Manager. | |||||