Total
39124 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-2864 | 1 Arteche | 2 Satech Bcu, Satech Bcu Firmware | 2025-10-10 | 6.1 Medium |
| SaTECH BCU in its firmware version 2.1.3 allows an attacker to inject malicious code into the legitimate website owning the affected device, once the cookie is set. This attack only impacts the victim's browser (reflected XSS). | ||||
| CVE-2025-60445 | 1 Xunruicms | 1 Xunruicms | 2025-10-10 | 6.1 Medium |
| A stored Cross-Site Scripting (XSS) vulnerability has been discovered in XunRuiCMS version 4.7.1. The vulnerability exists due to insufficient validation of SVG file uploads in the dayrui/Fcms/Library/Upload.php component, allowing attackers to inject malicious JavaScript code that executes when the uploaded file is viewed. | ||||
| CVE-2025-2865 | 1 Arteche | 2 Satech Bcu, Satech Bcu Firmware | 2025-10-10 | 6.1 Medium |
| SaTECH BCU, in its firmware version 2.1.3, could allow XSS attacks and other malicious resources to be stored on the web server. An attacker with some knowledge of the web application could send a malicious request to the victim users. Through this request, the victims would interpret the code (resources) stored on another malicious website owned by the attacker. | ||||
| CVE-2025-60298 | 2 Novel-plus, Xxyopen | 2 Novel-plus, Novel-plus | 2025-10-10 | 5.4 Medium |
| Novel-Plus up to 5.2.4 was discovered to contain a Stored Cross-Site Scripting (XSS) vulnerability via the /author/updateIndexName endpoint. This vulnerability allows authenticated attackers to inject malicious JavaScript code through the indexName parameter, which gets stored in the database and executed when other users view the affected book chapter. | ||||
| CVE-2025-60299 | 2 Novel-plus, Xxyopen | 2 Novel-plus, Novel-plus | 2025-10-10 | 5.4 Medium |
| Novel-Plus with 5.2.0 was discovered to contain a Stored Cross-Site Scripting (XSS) vulnerability via the /book/addCommentReply endpoint. An authenticated user can inject malicious JavaScript through the replyContent parameter when replying to a book comment. The payload is stored in the database and is executed in other users’ browsers when they view the affected comment thread. | ||||
| CVE-2025-60314 | 1 Configuroweb | 2 Simple Web Inventory System, Sistema Web De Inventario | 2025-10-10 | 5.4 Medium |
| Configuroweb Sistema Web de Inventario 1.0 is vulnerable to a Stored Cross-Site Scripting (XSS) due to the lack of input sanitization on the product name parameter (Nombre:Producto) allowing an authenticated attacker to inject malicious payloads and execute arbitrary JavaScript. | ||||
| CVE-2025-60312 | 2 Rems, Sourcecodester | 2 Markdown To Html Converter, Markdown To Html Converter | 2025-10-10 | 6.1 Medium |
| Sourcecodester Markdown to HTML Converter v1.0 is vulnerable to a Cross-Site Scripting (XSS) in the "Markdown Input" field, allowing a remote attacker to inject arbitrary HTML/JavaScript code that executes in the victim's browser upon clicking the "Convert to HTML" button. | ||||
| CVE-2025-60967 | 2 Endrun, Endruntechnologies | 3 Sonoma D12 Network Time Server, Sonoma D12, Sonoma D12 Firmware | 2025-10-10 | 7.3 High |
| Cross Site Scripting (XSS) vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0076-000 Ver 4.00 allows attackers to gain sensitive information. | ||||
| CVE-2024-40626 | 1 Getoutline | 1 Outline | 2025-10-10 | 7.3 High |
| Outline is an open source, collaborative document editor. A type confusion issue was found in ProseMirror’s rendering process that leads to a Stored Cross-Site Scripting (XSS) vulnerability in Outline. An authenticated user can create a document containing a malicious JavaScript payload. When other users view this document, the malicious Javascript can execute in the origin of Outline. Outline includes CSP rules to prevent third-party code execution, however in the case of self-hosting and having your file storage on the same domain as Outline a malicious payload can be uploaded as a file attachment and bypass those CSP restrictions. This issue has been addressed in release version 0.77.3. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2025-61773 | 1 Pyload | 1 Pyload | 2025-10-10 | 8.1 High |
| pyLoad is a free and open-source download manager written in Python. In versions prior to 0.5.0b3.dev91, pyLoad web interface contained insufficient input validation in both the Captcha script endpoint and the Click'N'Load (CNL) Blueprint. This flaw allowed untrusted user input to be processed unsafely, which could be exploited by an attacker to inject arbitrary content into the web UI or manipulate request handling. The vulnerability could lead to client-side code execution (XSS) or other unintended behaviors when a malicious payload is submitted. user-supplied parameters from HTTP requests were not adequately validated or sanitized before being passed into the application logic and response generation. This allowed crafted input to alter the expected execution flow. CNL (Click'N'Load) blueprint exposed unsafe handling of untrusted parameters in HTTP requests. The application did not consistently enforce input validation or encoding, making it possible for an attacker to craft malicious requests. Version 0.5.0b3.dev91 contains a patch for the issue. | ||||
| CVE-2025-61319 | 2025-10-10 | 6.1 Medium | ||
| ReNgine thru 2.2.0 is vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability in the Vulnerabilities module. When scanning a target with an XSS payload, the unsanitized payload is rendered in the ReNgine web UI, resulting in arbitrary JavaScript execution in the victim's browser. This can be abused to steal session cookies, perform unauthorized actions, or compromise the ReNgine administrator's account. | ||||
| CVE-2025-60869 | 2025-10-10 | 7.3 High | ||
| Publii CMS v0.46.5 (build 17089) allows persistent Cross-Site Scripting (XSS) via unsanitized input in configuration fields such as "Site Description" and "Footer Follow Buttons". An attacker can inject arbitrary JavaScript, which is stored in the project and executed in the browsers of remote visitors viewing the generated static site. | ||||
| CVE-2025-0972 | 1 Zenvia | 1 Movidesk | 2025-10-10 | 3.5 Low |
| A vulnerability classified as problematic has been found in Zenvia Movidesk up to 25.01.22. This affects an unknown part of the component New Ticket Handler. The manipulation of the argument subject leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 25.01.22.245a473c54 is able to address this issue. It is recommended to upgrade the affected component. | ||||
| CVE-2025-0971 | 1 Zenvia | 1 Movidesk | 2025-10-10 | 3.5 Low |
| A vulnerability was found in Zenvia Movidesk up to 25.01.22. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /Account/EditProfile of the component Profile Editing. The manipulation of the argument username leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 25.01.22.245a473c54 is able to address this issue. It is recommended to upgrade the affected component. | ||||
| CVE-2025-11450 | 1 Servicenow | 1 Servicenow | 2025-10-10 | N/A |
| ServiceNow has addressed a reflected cross-site scripting vulnerability that was identified in the ServiceNow AI Platform. This vulnerability could result in arbitrary code being executed within the browsers of ServiceNow users who click on a specially crafted link. ServiceNow has addressed this vulnerability by deploying a relevant security update to the majority of hosted instances. Relevant security updates also have been provided to ServiceNow self-hosted customers, partners, and hosted customers with unique configurations. Further, the vulnerability is addressed in the listed patches and hot fixes. We recommend customers promptly apply appropriate updates or upgrade if they have not already done so. | ||||
| CVE-2024-2135 | 1 Bdtask | 1 Hospital Automanager | 2025-10-10 | 2.4 Low |
| A vulnerability was found in Bdtask Hospita AutoManager up to 20240223 and classified as problematic. This issue affects some unknown processing of the file /hospital_activities/birth/form of the component Hospital Activities Page. The manipulation of the argument Description with the input <img src=a onerror=alert(1)> leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-255497 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-55321 | 1 Microsoft | 1 Azure Monitor | 2025-10-10 | 8.7 High |
| Improper neutralization of input during web page generation ('cross-site scripting') in Azure Monitor allows an authorized attacker to perform spoofing over a network. | ||||
| CVE-2025-62240 | 1 Liferay | 2 Dxp, Portal | 2025-10-10 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities with Calendar events in Liferay Portal 7.4.3.35 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.7, 7.4 update 35 through update 92, and 7.3 update 25 through update 36 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user’s (1) First Name, (2) Middle Name or (3) Last Name text field. | ||||
| CVE-2023-6710 | 2 Modcluster, Redhat | 3 Mod Proxy Cluster, Enterprise Linux, Jboss Core Services | 2025-10-10 | 5.4 Medium |
| A flaw was found in the mod_proxy_cluster in the Apache server. This issue may allow a malicious user to add a script in the 'alias' parameter in the URL to trigger the stored cross-site scripting (XSS) vulnerability. By adding a script on the alias parameter on the URL, it adds a new virtual host and adds the script to the cluster-manager page. | ||||
| CVE-2025-40640 | 2025-10-10 | N/A | ||
| Stored Cross-Site Scripting (XSS) vulnerability in Energy CRM v2025 by Status Tracker Ltd, consisting of a stored XSS due to lack of proper validation of user input by sending a POST request to “/crm/create_invoice_submit.php”, using the “customerName_0” parameter. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details. | ||||