Total
41065 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-14519 | 2 Baowzh, Hfly Project | 2 Hfly, Hfly | 2026-01-06 | 3.5 Low |
| A security flaw has been discovered in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c. This issue affects some unknown processing of the file /admin/index.php/advtext/add of the component advtext Module. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit has been released to the public and may be exploited. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-36746 | 1 Solaredge | 2 Monitoring Platform, Solaredge Monitoring Platform | 2026-01-06 | 5.4 Medium |
| SolarEdge monitoring platform contains a Cross‑Site Scripting (XSS) flaw that allows an authenticated user to inject payloads into report names, which may execute in a victim’s browser during a deletion attempt. | ||||
| CVE-2025-62857 | 2 Qnap, Qnap Systems Inc. | 2 Qumagie, Qumagie | 2026-01-05 | 6.1 Medium |
| A cross-site scripting (XSS) vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following version: QuMagie 2.8.1 and later | ||||
| CVE-2025-62137 | 1 Wordpress | 1 Wordpress | 2026-01-05 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shuttlethemes Shuttle allows Stored XSS.This issue affects Shuttle: from n/a through 1.5.0. | ||||
| CVE-2025-62758 | 2 Funnelforms, Wordpress | 2 Funnelforms Free, Wordpress | 2026-01-05 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Funnelforms Funnelforms Free allows DOM-Based XSS.This issue affects Funnelforms Free: from n/a through 3.8. | ||||
| CVE-2025-62759 | 1 Wordpress | 1 Wordpress | 2026-01-05 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Justin Tadlock Series allows Stored XSS.This issue affects Series: from n/a through 2.0.1. | ||||
| CVE-2025-62760 | 2 Buddypress, Wordpress | 2 Buddypress, Wordpress | 2026-01-05 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddyDev BuddyPress Activity Shortcode allows Stored XSS.This issue affects BuddyPress Activity Shortcode: from n/a through 1.1.8. | ||||
| CVE-2025-63000 | 1 Wordpress | 1 Wordpress | 2026-01-05 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP for church Sermon Manager allows Stored XSS.This issue affects Sermon Manager: from n/a through 2.30.0. | ||||
| CVE-2025-68928 | 1 Frappe | 2 Frappe, Frappe Crm | 2026-01-05 | 5.4 Medium |
| Frappe CRM is an open-source customer relationship management tool. Prior to version 1.56.2, authenticated users could set crafted URLs in a website field, which were not sanitized, causing cross-site scripting. Version 1.56.2 fixes the issue. No known workarounds are available. | ||||
| CVE-2024-35239 | 1 Umbraco | 1 Umbraco Forms | 2026-01-05 | 2.7 Low |
| Umbraco Commerce is an open source dotnet web forms solution. In affected versions an authenticated user that has access to edit Forms may inject unsafe code into Forms components. This issue can be mitigated by configuring TitleAndDescription:AllowUnsafeHtmlRendering after upgrading to one of the patched versions (13.0.1, 12.2.2, 10.5.3, 8.13.13). | ||||
| CVE-2025-66845 | 2 Nooncarlett, Techstore | 2 Techstore, Techstore | 2026-01-05 | 6.1 Medium |
| A reflected Cross-Site Scripting (XSS) vulnerability has been identified in TechStore version 1.0. The user_name endpoint reflects the id query parameter directly into the HTML response without output encoding or sanitization, allowing execution of arbitrary JavaScript code in a victim’s browser. | ||||
| CVE-2025-65270 | 1 Clincapture | 1 Captivate Electronic Data Capture | 2026-01-05 | 6.1 Medium |
| Reflected cross-site scripting (XSS) vulnerability in ClinCapture EDC 3.0 and 2.2.3, allowing an unauthenticated remote attacker to execute JavaScript code in the context of the victim's browser. | ||||
| CVE-2024-35321 | 1 Airc | 1 Mynet | 2026-01-05 | 4.3 Medium |
| MyNET up to v26.08 was discovered to contain a Reflected cross-site scripting (XSS) vulnerability via the msgtipo parameter. | ||||
| CVE-2025-65790 | 1 Realtimelogic | 1 Fuguhub | 2026-01-05 | 6.1 Medium |
| A reflected cross-site scripting (XSS) vulnerability exists in FuguHub 8.1 when serving SVG files through the /fs/ file manager interface. FuguHub does not sanitize or restrict script execution inside SVG content. When a victim opens a crafted SVG containing an inline <script> element, the browser executes the attacker-controlled JavaScript. | ||||
| CVE-2025-65837 | 2 Publiccms, Sanluan | 2 Publiccms, Publiccms | 2026-01-05 | 5.4 Medium |
| PublicCMS V5.202506.b is vulnerable to Cross Site Scripting (XSS) in the Content Search module. | ||||
| CVE-2025-9550 | 2 Drupal, Facets Project | 2 Drupal, Facets | 2026-01-05 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Facets allows Cross-Site Scripting (XSS).This issue affects Facets: from 0.0.0 before 2.0.10, from 3.0.0 before 3.0.1. | ||||
| CVE-2024-20534 | 1 Cisco | 46 Desk Phone 9841, Desk Phone 9841 With Multiplatform Firmware, Desk Phone 9851 and 43 more | 2026-01-05 | 4.8 Medium |
| A vulnerability in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 6800, 7800, and 8800 Series, and Cisco Video Phone 8875 with Cisco Multiplatform Firmware could allow an authenticated, remote attacker to conduct stored cross-site scripting (XSS) attacks against users. This vulnerability exists because the web UI of an affected device does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Note: To exploit this vulnerability, Web Access must be enabled on the phone and the attacker must have Admin credentials on the device. Web Access is disabled by default. | ||||
| CVE-2024-20533 | 1 Cisco | 46 Desk Phone 9841, Desk Phone 9841 With Multiplatform Firmware, Desk Phone 9851 and 43 more | 2026-01-05 | 4.8 Medium |
| A vulnerability in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 6800, 7800, and 8800 Series, and Cisco Video Phone 8875 with Cisco Multiplatform Firmware could allow an authenticated, remote attacker to conduct stored cross-site scripting (XSS) attacks against users. This vulnerability exists because the web UI of an affected device does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Note: To exploit this vulnerability, Web Access must be enabled on the phone and the attacker must have Admin credentials on the device. Web Access is disabled by default. | ||||
| CVE-2025-65233 | 2 Slims, Slims Project | 2 Slims 9 Bulian, Slims | 2026-01-05 | 6.1 Medium |
| Reflected cross-site scripting (XSS) in SLiMS (slims9_bulian) before 9.6.0 via improper handling of $_SERVER['PHP_SELF' ] in index.php/sysconfig.inc.php, which allows remote attackers to execute arbitrary JavaScript in a victim's browser by supplying a crafted URL path. | ||||
| CVE-2025-69089 | 2 Wordpress, Wpautolistings | 2 Wordpress, Auto Listings | 2026-01-05 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in autolistings Auto Listings auto-listings allows Stored XSS.This issue affects Auto Listings: from n/a through <= 2.7.1. | ||||