Total
40034 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-34080 | 1 Contec | 1 Conprosys Hmi System | 2025-11-21 | 6.1 Medium |
| The Contec Co.,Ltd. CONPROSYS HMI System (CHS) is vulnerable to Cross-Site Scripting (XSS) in the getqsetting.php functionality that could allow reflected execution of scripts in the browser on interaction.This issue affects CONPROSYS HMI System (CHS): before 3.7.7. | ||||
| CVE-2025-64292 | 1 Wordpress | 1 Wordpress | 2025-11-21 | 5.4 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PascalBajorat Analytics Germanized for Google Analytics ga-germanized allows DOM-Based XSS.This issue affects Analytics Germanized for Google Analytics: from n/a through <= 1.6.2. | ||||
| CVE-2025-64176 | 2 Matiasdesuu, Thinkdashboard Project | 2 Thinkdashboard, Thinkdashboard | 2025-11-21 | 5.3 Medium |
| ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. In versions 0.6.7 and below, an attacker can upload any file they wish to the /data directory of the web application via the backup import feature. When importing a backup, an attacker can first choose a .zip file to bypass the client-side file-type verification. This could lead to stored XSS, or be used for other nefarious purposes such as malware distribution. This issue is fixed in version 0.6.8. | ||||
| CVE-2025-64177 | 2 Matiasdesuu, Thinkdashboard Project | 2 Thinkdashboard, Thinkdashboard | 2025-11-21 | 5.4 Medium |
| ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. In versions 0.6.7 and below, there is a stored Cross-Site Scripting (XSS) vulnerability in the dashboard, which can exploited when a user clicks on a malicious bookmark, made vulnerable by the lack of scheme filtering. This is fixed in version 0.6.8. | ||||
| CVE-2025-63543 | 2 Nooncarlett, Techstore | 2 Techstore, Techstore | 2025-11-21 | 6.1 Medium |
| TechStore 1.0 is vulnerable to Cross Site Scripting (XSS) in the /search_results endpoint via the q parameter. | ||||
| CVE-2025-63544 | 2 Nooncarlett, Techstore | 2 Techstore, Techstore | 2025-11-21 | 6.1 Medium |
| TechStore 1.0 is vulnerable to Cross Site Scripting (XSS) in /order_notes via the id parameter. | ||||
| CVE-2025-63211 | 1 Bridgetech | 1 Vbc Server Element Manager | 2025-11-21 | 6.1 Medium |
| Stored cross-site scripting vulnerability in bridgetech VBC Server & Element Manager, firmware versions 6.5.0-9 thru 6.5.0-10, allows attackers to execute arbitrary code via the addName parameter to the /vbc/core/userSetupDoc/userSetupDoc endpoint. | ||||
| CVE-2022-4979 | 1 Sitecore | 4 Cms, Experience Platform, Managed Cloud and 1 more | 2025-11-21 | N/A |
| A cross-site scripting (XSS) vulnerability exists in Sitecore Experience Platform (XP) 7.5 - 10.2 and CMS 7.2 - 7.2 Update-6 that may allow authenticated Sitecore Shell users to be tricked into executing custom JS code. Managed Cloud Standard customers who run the affected Sitecore Experience Platform / CMS versions are also affected. | ||||
| CVE-2025-5350 | 1 Wso2 | 10 Api Control Plane, Api Manager, Carbon and 7 more | 2025-11-21 | 5.9 Medium |
| SSRF and Reflected XSS Vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible only to administrative users. This feature accepted user-supplied URLs without proper validation, leading to server-side request forgery (SSRF). Additionally, the retrieved content was directly reflected in the HTTP response, enabling reflected cross-site scripting (XSS) in the admin user's browser context. By tricking an administrator into accessing a crafted link, an attacker could force the server to fetch malicious content and reflect it into the admin’s browser, leading to arbitrary JavaScript execution for UI manipulation or data exfiltration. While session cookies are protected with the HttpOnly flag, the XSS still poses a significant security risk. Furthermore, SSRF can be used by a privileged user to query internal services, potentially aiding in internal network enumeration if the target endpoints are reachable from the affected product. | ||||
| CVE-2025-64167 | 1 Combodo | 1 Itop | 2025-11-21 | 7.1 High |
| Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to a cross-site scripting attack (leading to JS execution) when editing the URL parameter. Versions 2.7.13 and 3.2.2 don't use export.php, which was deprecated. They use export-v2.php instead. | ||||
| CVE-2025-7429 | 1 Zohocorp | 1 Manageengine Exchange Reporter Plus | 2025-11-21 | 7.3 High |
| Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Mails Deleted or Moved report. | ||||
| CVE-2025-7430 | 1 Zohocorp | 1 Manageengine Exchange Reporter Plus | 2025-11-21 | 7.3 High |
| Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Folder Message Count and Size report. | ||||
| CVE-2025-7632 | 1 Zohocorp | 1 Manageengine Exchange Reporter Plus | 2025-11-21 | 7.3 High |
| Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Public Folders report. | ||||
| CVE-2025-63229 | 1 Dbbroadcast | 1 Mozart Fm Transmitter | 2025-11-21 | 5.4 Medium |
| The Mozart FM Transmitter web management interface on version WEBMOZZI-00287, contains a reflected Cross-Site Scripting (XSS) vulnerability in the /main0.php endpoint. By injecting a malicious JavaScript payload into the ?m= query parameter, an attacker can execute arbitrary code in the victim's browser, potentially stealing sensitive information, hijacking sessions, or performing unauthorized actions. | ||||
| CVE-2025-63514 | 1 Kishan0725 | 1 Hospital Management System | 2025-11-21 | 6.1 Medium |
| kishan0725 Hospital Management System has a Cross-Site Scripting (XSS) vulnerability in appsearch.php via the email parameter. | ||||
| CVE-2025-63243 | 1 Pixeon | 1 Weblaudos | 2025-11-21 | 4.6 Medium |
| A reflected cross-site scripting (XSS) vulnerability exists in the password change functionality of Pixeon WebLaudos 25.1 (01). The sle_sSenha parameter to the loginAlterarSenha.asp file. An attacker can craft a malicious URL that, when visited by a victim, causes arbitrary JavaScript code to be executed in the victim's browser within the security context of the vulnerable application. This issue could allow attackers to steal session cookies, disclose sensitive information, perform unauthorized actions on behalf of the user, or conduct phishing attacks. | ||||
| CVE-2025-64325 | 1 Emby | 1 Emby | 2025-11-21 | N/A |
| Emby Server is a personal media server. Prior to version 4.8.1.0 and prior to Beta version 4.9.0.0-beta, a malicious user can send an authentication request with a manipulated X-Emby-Client value, which gets added to the devices section of the admin dashboard without sanitization. This issue has been patched in version 4.8.1.0 and Beta version 4.9.0.0-beta. | ||||
| CVE-2025-11963 | 1 Saysis | 1 Starcities | 2025-11-21 | 5.4 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Saysis Computer Systems Trade Ltd. Co. StarCities allows Reflected XSS.This issue affects StarCities: before 1.1.61. | ||||
| CVE-2025-34032 | 1 Geoffrowland | 1 Jmol | 2025-11-20 | 6.1 Medium |
| A reflected cross-site scripting (XSS) vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the data parameter in jsmol.php. The application fails to properly sanitize user input before embedding it into the HTTP response, allowing an attacker to execute arbitrary JavaScript in the victim's browser by crafting a malicious link. This can be used to hijack user sessions or manipulate page content. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-02 UTC. | ||||
| CVE-2025-63892 | 2 Remyandrade, Sourcecodester | 2 Student Grades Management System, Student Grades Management System | 2025-11-20 | 6.8 Medium |
| A vulnerability was determined in SourceCodester Student Grades Management System 1.0. Affected is the function create_classroom of the file /classroom.php of the component My Classrooms Management Page. This manipulation of the argument name/description causes stored cross site scripting. | ||||