Total
41075 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-14284 | 1 Tiptap | 2 Tiptap, Tiptap\/extension-link | 2025-12-31 | 6.1 Medium |
| Versions of the package @tiptap/extension-link before 2.10.4 are vulnerable to Cross-site Scripting (XSS) due to unsanitized user input allowed in setting or toggling links. An attacker can execute arbitrary JavaScript code in the context of the application by injecting a javascript: URL payload into these attributes, which is then triggered either by user interaction. | ||||
| CVE-2024-9582 | 2 Bqworks, Wordpress | 2 Accordion Slider, Wordpress | 2025-12-31 | 6.4 Medium |
| The Accordion Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘html’ attribute of an accordion slider in all versions up to, and including, 1.9.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: Successful exploitation by Contributor-level users requires an Administrator-level user to provide access to the plugin's admin area via the `Access` plugin setting, which is restricted to administrators by default. | ||||
| CVE-2025-63035 | 2 Vibethemes, Wordpress | 2 Wordpress Learning Management System, Wordpress | 2025-12-31 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VibeThemes WPLMS wplms_plugin allows DOM-Based XSS.This issue affects WPLMS: from n/a through <= 1.9.9.5.4. | ||||
| CVE-2025-29231 | 1 Linksys | 2 E5600, E5600 Firmware | 2025-12-31 | 6.1 Medium |
| A stored cross-site scripting (XSS) vulnerability in the page_save component of Linksys E5600 V1.1.0.26 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the hostname and domainName parameters. | ||||
| CVE-2025-47504 | 2025-12-30 | 6.5 Medium | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Custom Checkout Fields for WooCommerce, WPFactory Customer Email Verification for WooCommerce allows Stored XSS.This issue affects Custom Checkout Fields for WooCommerce: from n/a through 1.8.3; Customer Email Verification for WooCommerce: from n/a through 3.0.2. | ||||
| CVE-2025-15052 | 2 Code-projects, Fabian | 2 Student Information System, Student Information System | 2025-12-30 | 3.5 Low |
| A vulnerability was detected in code-projects Student Information System 1.0. This vulnerability affects unknown code of the file /profile.php. Performing manipulation of the argument firstname/lastname results in cross site scripting. The attack is possible to be carried out remotely. The exploit is now public and may be used. | ||||
| CVE-2025-65754 | 1 Algernon Project | 1 Algernon | 2025-12-30 | 6.1 Medium |
| Cross Site Scripting vulnerability in Algernon v1.17.4 allows attackers to execute arbitrary code via injecting a crafted payload into a filename. | ||||
| CVE-2024-24130 | 1 Mail2world | 1 Mail2world Webmail | 2025-12-30 | 6.1 Medium |
| Mail2World v12 Business Control Center was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Usr parameter at resellercenter/login.asp. | ||||
| CVE-2023-40262 | 1 Unify | 1 Openscape Voice Trace Manager | 2025-12-30 | 6.1 Medium |
| An issue was discovered in Atos Unify OpenScape Voice Trace Manager V8 before V8 R0.9.11. It allows unauthenticated Stored Cross-Site Scripting (XSS) in the administration component via Access Request. | ||||
| CVE-2025-14991 | 1 Campcodes | 1 Complete Online Beauty Parlor Management System | 2025-12-30 | 2.4 Low |
| A weakness has been identified in Campcodes Complete Online Beauty Parlor Management System 1.0. The affected element is an unknown function of the file /admin/bwdates-reports-details.php. Executing manipulation of the argument fromdate can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. | ||||
| CVE-2025-14962 | 2 Carmelo, Code-projects | 2 Simple Stock System, Simple Stock System | 2025-12-30 | 4.3 Medium |
| A flaw has been found in code-projects Simple Stock System 1.0. The impacted element is an unknown function of the file /market/chatuser.php. This manipulation causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. | ||||
| CVE-2025-63498 | 2 Alinto, Debian | 2 Sogo, Debian Linux | 2025-12-30 | 6.1 Medium |
| alinto SOGo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the "userName" parameter. | ||||
| CVE-2024-1215 | 1 Remyandrade | 1 Crud Without Page Reload\/refresh | 2025-12-30 | 3.5 Low |
| A vulnerability was found in SourceCodester CRUD without Page Reload 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file fetch_data.php. The manipulation of the argument username/city leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-252782 is the identifier assigned to this vulnerability. | ||||
| CVE-2025-60739 | 1 Ilevia | 2 Eve X1 Server, Eve X1 Server Firmware | 2025-12-30 | 9.6 Critical |
| Cross Site Request Forgery (CSRF) vulnerability in Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before, Logic Version v6.00 - 2025_07_21 allows a remote attacker to execute arbitrary code via the /bh_web_backend component | ||||
| CVE-2025-25939 | 1 Reprisesoftware | 1 Reprise License Manager | 2025-12-30 | 6.1 Medium |
| Reprise License Manager 14.2 is vulnerable to reflected cross-site scripting in /goform/activate_process via the akey parameter. | ||||
| CVE-2025-66021 | 1 Owasp | 1 Java Html Sanitizer | 2025-12-30 | 6.1 Medium |
| OWASP Java HTML Sanitizer is a configureable HTML Sanitizer written in Java, allowing inclusion of HTML authored by third-parties in web applications while protecting against XSS. In version 20240325.1, OWASP java html sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows noscript and style tags with allowTextIn inside the style tag. This could lead to XSS if the payload is crafted in such a way that it does not sanitise the CSS and allows tags which is not mentioned in HTML policy. At time of publication no known patch is available. | ||||
| CVE-2024-58323 | 1 Kentico | 1 Xperience | 2025-12-30 | 5.4 Medium |
| A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the Checkbox form component. This allows malicious scripts to execute in users' browsers by exploiting HTML support in the form builder. | ||||
| CVE-2024-58322 | 1 Kentico | 1 Xperience | 2025-12-30 | 5.4 Medium |
| A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious code into shipping options configuration. This could lead to potential theft of sensitive data by executing malicious scripts in users' browsers. | ||||
| CVE-2024-58321 | 1 Kentico | 1 Xperience | 2025-12-30 | 5.4 Medium |
| A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via form validation rule configuration. Attackers can exploit this vulnerability to execute malicious scripts that will run in users' browsers. | ||||
| CVE-2024-58319 | 1 Kentico | 1 Xperience | 2025-12-30 | 6.1 Medium |
| A reflected cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the Pages dashboard widget configuration dialog. Attackers can exploit this vulnerability to execute malicious scripts in administrative users' browsers. | ||||