Total
35845 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-12807 | 1 Artlosk | 1 Social Share Buttons | 2025-05-11 | 4.8 Medium |
| The Social Share Buttons for WordPress plugin through 2.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2022-42114 | 1 Liferay | 2 Dxp, Liferay Portal | 2025-05-10 | 5.4 Medium |
| A Cross-site scripting (XSS) vulnerability in the Role module's edit role assignees page in Liferay Portal 7.4.0 through 7.4.3.36, and Liferay DXP 7.4 before update 37 allows remote attackers to inject arbitrary web script or HTML. | ||||
| CVE-2022-42113 | 1 Liferay | 2 Dxp, Liferay Portal | 2025-05-10 | 6.1 Medium |
| A Cross-site scripting (XSS) vulnerability in Document Library module in Liferay Portal 7.4.3.30 through 7.4.3.36, and Liferay DXP 7.4 update 30 through update 36 allows remote attackers to inject arbitrary web script or HTML via the `redirect` parameter. | ||||
| CVE-2025-46453 | 2025-05-10 | 6.5 Medium | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreatorTeam Zoho Creator Forms allows Stored XSS. This issue affects Zoho Creator Forms: from n/a through 1.0.5. | ||||
| CVE-2025-30900 | 2025-05-10 | 6.5 Medium | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zoho Subscriptions Zoho Billing – Embed Payment Form allows Stored XSS. This issue affects Zoho Billing – Embed Payment Form: from n/a through 4.0. | ||||
| CVE-2024-11922 | 1 Fortra | 1 Goanywhere Managed File Transfer | 2025-05-10 | 6.3 Medium |
| Missing input validation in certain features of the Web Client of Fortra's GoAnywhere prior to version 7.8.0 allows an attacker with permission to trigger emails to insert arbitrary HTML or JavaScript into an email. | ||||
| CVE-2022-25849 | 1 Hyperdown Project | 1 Hyperdown | 2025-05-09 | 5.4 Medium |
| The package joyqi/hyper-down from 0.0.0 are vulnerable to Cross-site Scripting (XSS) because the module of parse markdown does not filter the href attribute very well. | ||||
| CVE-2024-0189 | 1 Nia | 1 Rrj Nueva Ecija Engineer Online Portal | 2025-05-09 | 3.5 Low |
| A vulnerability has been found in RRJ Nueva Ecija Engineer Online Portal 1.0 and classified as problematic. This vulnerability affects unknown code of the file teacher_message.php of the component Create Message Handler. The manipulation of the argument Content with the input </title><scRipt>alert(x)</scRipt> leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-249502 is the identifier assigned to this vulnerability. | ||||
| CVE-2025-46338 | 1 Audiobookshelf | 1 Audiobookshelf | 2025-05-09 | 6.1 Medium |
| Audiobookshelf is a self-hosted audiobook and podcast server. Prior to version 2.21.0, an improper input handling vulnerability in the `/api/upload` endpoint allows an attacker to perform a reflected cross-site scripting (XSS) attack by submitting malicious payloads in the `libraryId` field. The unsanitized input is reflected in the server’s error message, enabling arbitrary JavaScript execution in a victim's browser. This issue has been patched in version 2.21.0. | ||||
| CVE-2025-46343 | 1 N8n | 1 N8n | 2025-05-09 | 5 Medium |
| n8n is a workflow automation platform. Prior to version 1.90.0, n8n is vulnerable to stored cross-site scripting (XSS) through the attachments view endpoint. n8n workflows can store and serve binary files, which are accessible to authenticated users. However, there is no restriction on the MIME type of uploaded files, and the MIME type could be controlled via a GET parameter. This allows the server to respond with any MIME type, potentially enabling malicious content to be interpreted and executed by the browser. An authenticated attacker with member-level permissions could exploit this by uploading a crafted HTML file containing malicious JavaScript. When another user visits the binary data endpoint with the MIME type set to text/html, the script executes in the context of the user’s session. This script could send a request to change the user’s email address in their account settings, effectively enabling account takeover. This issue has been patched in version 1.90.0. | ||||
| CVE-2021-45476 | 1 Yordam | 1 Library Automation System | 2025-05-09 | 4.7 Medium |
| Yordam Library Information Document Automation product before version 19.02 has an unauthenticated reflected XSS vulnerability. | ||||
| CVE-2023-52059 | 1 Gestsup | 1 Gestsup | 2025-05-09 | 5.4 Medium |
| A cross-site scripting (XSS) vulnerability in Gestsup v3.2.46 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description text field. | ||||
| CVE-2022-3391 | 1 Retain | 1 Retain Live Chat | 2025-05-09 | 4.8 Medium |
| The Retain Live Chat WordPress plugin through 0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2022-3350 | 1 Tech-banker | 1 Contact Bank | 2025-05-09 | 4.8 Medium |
| The Contact Bank WordPress plugin through 3.0.30 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2022-34870 | 1 Apache | 1 Geode | 2025-05-09 | 5.4 Medium |
| Apache Geode versions up to 1.15.0 are vulnerable to a Cross-Site Scripting (XSS) via data injection when using Pulse web application to view Region entries. | ||||
| CVE-2022-40184 | 1 Bosch | 2 Videojet Multi 4000, Videojet Multi 4000 Firmware | 2025-05-09 | 5.1 Medium |
| Incomplete filtering of JavaScript code in different configuration fields of the web based interface of the VIDEOJET multi 4000 allows an attacker with administrative credentials to store JavaScript code which will be executed for all administrators accessing the same configuration option. | ||||
| CVE-2024-22130 | 1 Sap | 1 Crm - Webclient Ui | 2025-05-09 | 7.6 High |
| Print preview option in SAP CRM WebClient UI - versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, S4FND 108, WEBCUIF 700, WEBCUIF 701, WEBCUIF 730, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability. An attacker with low privileges can cause limited impact to confidentiality and integrity of the appliaction data after successful exploitation. | ||||
| CVE-2024-21396 | 1 Microsoft | 1 Dynamics 365 | 2025-05-09 | 7.6 High |
| Dynamics 365 Sales Spoofing Vulnerability | ||||
| CVE-2024-21327 | 1 Microsoft | 1 Dynamics 365 | 2025-05-09 | 7.6 High |
| Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability | ||||
| CVE-2024-24160 | 1 Mrcms | 1 Mrcms | 2025-05-09 | 6.1 Medium |
| MRCMS 3.0 contains a Cross-Site Scripting (XSS) vulnerability via /admin/system/saveinfo.do. | ||||