Total
38053 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-43753 | 2025-08-21 | N/A | ||
| A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.32 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.7, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 update 32 through update 92 allows an remote authenticated user to inject JavaScript into the embedded message field from the form container. | ||||
| CVE-2024-47090 | 1 Nagvis | 1 Nagvis | 2025-08-21 | 6.1 Medium |
| Improper neutralization of input in Nagvis before version 1.9.47 which can lead to XSS | ||||
| CVE-2025-30203 | 1 Enalean | 1 Tuleap | 2025-08-21 | 4.8 Medium |
| Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap allows cross-site scripting (XSS) via the content of RSS feeds in the RSS widgets. A project administrator or someone with control over an used RSS feed could use this vulnerability to force victims to execute uncontrolled code. This vulnerability is fixed in Tuleap Community Edition 16.5.99.1742562878 and Tuleap Enterprise Edition 16.5-5 and 16.4-8. | ||||
| CVE-2025-53631 | 1 Dogukanurker | 1 Flaskblog | 2025-08-21 | 5.4 Medium |
| flaskBlog is a blog app built with Flask. In versions 2.8.1 and prior, improper sanitization of postContent when submitting POST requests to /createpost leads to arbitrary JavaScript execution (XSS) on all pages the post is reflected on including /, /post/[ID], /admin/posts, and /user/[ID] of the user that made the post. At time of publication, there are no public patches available. | ||||
| CVE-2025-9017 | 1 Phpgurukul | 1 Zoo Management System | 2025-08-21 | 4.3 Medium |
| A vulnerability has been found in PHPGurukul Zoo Management System 2.1. This vulnerability affects unknown code of the file /admin/add-foreigner-ticket.php. The manipulation of the argument visitorname leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-55107 | 2025-08-21 | 4.8 Medium | ||
| There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal. | ||||
| CVE-2025-55106 | 2025-08-21 | 4.8 Medium | ||
| There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal. | ||||
| CVE-2025-55105 | 2025-08-21 | 4.8 Medium | ||
| There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal. | ||||
| CVE-2025-55104 | 2025-08-21 | 4.8 Medium | ||
| A stored cross-site scripting (XSS) vulnerability exists ArcGIS HUB and ArcGIS Enterprise Sites which allows an authenticated user with the ability to create or edit a site to add and store an XSS payload. If this stored XSS payload is triggered by any user attacker supplied JavaScript may execute in the victim's browser. | ||||
| CVE-2025-55103 | 2025-08-21 | 4.8 Medium | ||
| There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal. | ||||
| CVE-2025-57768 | 2025-08-21 | N/A | ||
| Phproject is a high performance full-featured project management system. From 1.8.0 to before 1.8.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Planned Hours field when creating a new project. When sending a POST request to /issues/new/, the value provided in the Planned Hours field is included in the server response without any HTML encoding or sanitization. Because of this, an attacker can craft a malicious payload such as <script>alert(1)</script> and include it in the planned_hours parameter. The server reflects the input directly in the HTML of the project creation page, causing the browser to interpret and execute it. This vulnerability is fixed in 1.8.3. | ||||
| CVE-2025-55742 | 2025-08-21 | 8 High | ||
| UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. Before 0.2.1, UnoPim contains a stored cross-site scripting vulnerability via SVG MIME/sanitizer bypass in the /admin/settings/users/create endpoint. This vulnerability is fixed in 0.2.1. | ||||
| CVE-2025-49745 | 1 Microsoft | 1 Dynamics 365 | 2025-08-21 | 5.4 Medium |
| Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Dynamics 365 (on-premises) allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2025-55522 | 2025-08-21 | 6.5 Medium | ||
| Cross-site scripting (XSS) vulnerability in the component /common/reports of Akaunting v3.1.18 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the name parameter. | ||||
| CVE-2025-31988 | 1 Hcltech | 1 Digital Experience | 2025-08-21 | 4.9 Medium |
| HCL Digital Experience is susceptible to cross site scripting (XSS) in an administrative UI with restricted access. | ||||
| CVE-2025-8092 | 2 Cookies Consent Management Project, Drupal | 2 Cookies Consent Management, Cookies Consent Management | 2025-08-21 | 7.6 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS).This issue affects COOKiES Consent Management: from 0.0.0 before 1.2.16. | ||||
| CVE-2024-47093 | 1 Nagvis | 1 Nagvis | 2025-08-21 | 8.8 High |
| Improper neutralization of input in Nagvis before version 1.9.42 which can lead to XSS | ||||
| CVE-2024-11623 | 1 Goauthentik | 1 Authentik | 2025-08-21 | 4.8 Medium |
| Authentik project is vulnerable to Stored XSS attacks through uploading crafted SVG files that are used as application icons. This action could only be performed by an authenticated admin user. The issue was fixed in 2024.10.4 release. | ||||
| CVE-2025-55033 | 2 Apple, Mozilla | 3 Ios, Firefox Focus, Focus For Ios | 2025-08-21 | 6.1 Medium |
| Dragging JavaScript links to the URL bar in Focus for iOS could be utilized to run malicious scripts, potentially resulting in XSS attacks This vulnerability affects Focus for iOS < 142. | ||||
| CVE-2025-9167 | 1 Solidinvoice | 1 Solidinvoice | 2025-08-21 | 3.5 Low |
| A vulnerability has been found in SolidInvoice up to 2.4.0. This vulnerability affects unknown code of the file /invoice/recurring of the component Recurring Invoice Module. The manipulation of the argument client name leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||