Total
41063 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-63947 | 2 Craigtaub, Phpmsadmin | 2 Phpmsadmin, Phpmsadmin | 2026-01-06 | 5.4 Medium |
| A Reflected Cross-Site Scripting (XSS) vulnerability exists in phpMsAdmin version 2.2 in the database_mode.php file. An attacker can execute arbitrary web script or HTML via the dbname parameter after a user is authenticated. | ||||
| CVE-2023-49269 | 1 Jayesh | 1 Hotel Management System | 2026-01-06 | 5.4 Medium |
| Hotel Management v1.0 is vulnerable to multiple authenticated Reflected Cross-Site Scripting vulnerabilities. The 'adults' parameter of the reservation.php resource is copied into the HTML document as plain text between tags. Any input is echoed unmodified in the application's response. | ||||
| CVE-2025-15437 | 2026-01-06 | 3.5 Low | ||
| A vulnerability was found in LigeroSmart up to 6.1.24. This affects an unknown part of the component Environment Variable Handler. Performing manipulation of the argument REQUEST_URI results in cross site scripting. The attack may be initiated remotely. The exploit has been made public and could be used. Upgrading to version 6.1.26 and 6.3 is able to mitigate this issue. The patch is named 264ac5b2be5b3c673ebd8cb862e673f5d300d9a7. The affected component should be upgraded. | ||||
| CVE-2025-40891 | 2 Nozomi Networks, Nozominetworks | 4 Cmc, Guardian, Cmc and 1 more | 2026-01-06 | 4.7 Medium |
| A Stored HTML Injection vulnerability was discovered in the Time Machine Snapshot Diff functionality due to improper validation of network traffic data. An unauthenticated attacker can send specially crafted network packets at two different times to inject HTML tags into asset attributes across two snapshots. Exploitation requires a victim to use the Time Machine Snapshot Diff feature on those specific snapshots and perform specific GUI actions, at which point the injected HTML renders in their browser, enabling phishing and open redirect attacks. Full XSS exploitation is prevented by input validation and Content Security Policy. Attack complexity is high due to multiple required conditions. | ||||
| CVE-2025-40892 | 2 Nozomi Networks, Nozominetworks | 4 Cmc, Guardian, Cmc and 1 more | 2026-01-06 | 8.9 High |
| A Stored Cross-Site Scripting vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing a JavaScript payload, or a victim can be socially engineered to import a malicious report template. When the victim views or imports the report, the XSS executes in their browser context, allowing the attacker to perform unauthorized actions as the victim, such as modify application data, disrupt application availability, and access limited sensitive information. | ||||
| CVE-2025-40893 | 2 Nozomi Networks, Nozominetworks | 4 Cmc, Guardian, Cmc and 1 more | 2026-01-06 | 6.1 Medium |
| A Stored HTML Injection vulnerability was discovered in the Asset List functionality due to improper validation of network traffic data. An unauthenticated attacker can send specially crafted network packets to inject HTML tags into asset attributes. When a victim views the affected assets in the Asset List (and similar functions), the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration. | ||||
| CVE-2023-49270 | 1 Jayesh | 1 Hotel Management System | 2026-01-06 | 5.4 Medium |
| Hotel Management v1.0 is vulnerable to multiple authenticated Reflected Cross-Site Scripting vulnerabilities. The 'check_in_date' parameter of the reservation.php resource is copied into the HTML document as plain text between tags. Any input is echoed unmodified in the application's response. | ||||
| CVE-2023-49271 | 1 Jayesh | 1 Hotel Management System | 2026-01-06 | 5.4 Medium |
| Hotel Management v1.0 is vulnerable to multiple authenticated Reflected Cross-Site Scripting vulnerabilities. The 'check_out_date' parameter of the reservation.php resource is copied into the HTML document as plain text between tags. Any input is echoed unmodified in the application's response. | ||||
| CVE-2025-67703 | 3 Esri, Linux, Microsoft | 4 Arcgis Server, Linux, Linux Kernel and 1 more | 2026-01-06 | 6.1 Medium |
| There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | ||||
| CVE-2025-67704 | 3 Esri, Linux, Microsoft | 4 Arcgis Server, Linux, Linux Kernel and 1 more | 2026-01-06 | 6.1 Medium |
| There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | ||||
| CVE-2025-67705 | 3 Esri, Linux, Microsoft | 4 Arcgis Server, Linux, Linux Kernel and 1 more | 2026-01-06 | 6.1 Medium |
| There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | ||||
| CVE-2025-67708 | 3 Esri, Linux, Microsoft | 4 Arcgis Server, Linux, Linux Kernel and 1 more | 2026-01-06 | 6.1 Medium |
| There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | ||||
| CVE-2025-67709 | 3 Esri, Linux, Microsoft | 4 Arcgis Server, Linux, Linux Kernel and 1 more | 2026-01-06 | 6.1 Medium |
| There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | ||||
| CVE-2025-67710 | 3 Esri, Linux, Microsoft | 4 Arcgis Server, Linux, Linux Kernel and 1 more | 2026-01-06 | 6.1 Medium |
| There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | ||||
| CVE-2025-67711 | 3 Esri, Linux, Microsoft | 4 Arcgis Server, Linux, Linux Kernel and 1 more | 2026-01-06 | 6.1 Medium |
| There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | ||||
| CVE-2025-14519 | 2 Baowzh, Hfly Project | 2 Hfly, Hfly | 2026-01-06 | 3.5 Low |
| A security flaw has been discovered in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c. This issue affects some unknown processing of the file /admin/index.php/advtext/add of the component advtext Module. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit has been released to the public and may be exploited. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-36746 | 1 Solaredge | 2 Monitoring Platform, Solaredge Monitoring Platform | 2026-01-06 | 5.4 Medium |
| SolarEdge monitoring platform contains a Cross‑Site Scripting (XSS) flaw that allows an authenticated user to inject payloads into report names, which may execute in a victim’s browser during a deletion attempt. | ||||
| CVE-2025-62857 | 2 Qnap, Qnap Systems Inc. | 2 Qumagie, Qumagie | 2026-01-05 | 6.1 Medium |
| A cross-site scripting (XSS) vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following version: QuMagie 2.8.1 and later | ||||
| CVE-2025-62137 | 1 Wordpress | 1 Wordpress | 2026-01-05 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shuttlethemes Shuttle allows Stored XSS.This issue affects Shuttle: from n/a through 1.5.0. | ||||
| CVE-2025-62758 | 2 Funnelforms, Wordpress | 2 Funnelforms Free, Wordpress | 2026-01-05 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Funnelforms Funnelforms Free allows DOM-Based XSS.This issue affects Funnelforms Free: from n/a through 3.8. | ||||