Total
40035 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-13244 | 2 Code-projects, Fabian | 2 Student Information System, Student Information System | 2025-11-19 | 4.3 Medium |
| A vulnerability was determined in code-projects Student Information System 2.0. The affected element is an unknown function of the file /register.php. This manipulation causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2025-13245 | 2 Code-projects, Fabian | 2 Student Information System, Student Information System | 2025-11-19 | 3.5 Low |
| A vulnerability was identified in code-projects Student Information System 2.0. The impacted element is an unknown function of the file /editprofile.php. Such manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | ||||
| CVE-2025-64046 | 1 Openrapid | 1 Rapidcms | 2025-11-19 | 6.1 Medium |
| OpenRapid RapidCMS 1.3.1 is vulnerable to Cross Site Scripting (XSS) in /system/update-run.php. | ||||
| CVE-2024-44647 | 1 Phpgurukul | 1 Small Crm | 2025-11-19 | 6.1 Medium |
| PHPGurukul Small CRM 3.0 is vulnerable to Cross Site Scripting (XSS) via the aremark parameter in manage-tickets.php. | ||||
| CVE-2024-46334 | 1 Kashipara | 1 School Management System | 2025-11-19 | 6.1 Medium |
| kashipara School Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via the formuser and formpassword parameters in /adminLogin.php. | ||||
| CVE-2024-46336 | 1 Kashipara | 1 School Management System | 2025-11-19 | 6.1 Medium |
| kashipara School Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via /client_user/feedback.php. | ||||
| CVE-2024-46335 | 1 Phpgurukul | 1 Complaint Management System | 2025-11-19 | 4.6 Medium |
| PHPGurukul Complaint Management System 2.0 is vulnerble to Cross Site Scripting (XSS) via the fromdate and todate parameters in between-date-userreport.php. | ||||
| CVE-2025-12457 | 2 Ideastocode, Wordpress | 2 Enable Svg, Webp & Ico Upload, Wordpress | 2025-11-19 | 6.4 Medium |
| The Enable SVG, WebP, and ICO Upload plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | ||||
| CVE-2025-13196 | 2 Bdthemes, Wordpress | 3 Element Pack, Element Pack Elementor Addons, Wordpress | 2025-11-19 | 5.4 Medium |
| The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Open Street Map widget's marker content parameter in all versions up to, and including, 8.3.4. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the render function. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-12079 | 2 F1logic, Wordpress | 2 Wp Twitter Auto Publish, Wordpress | 2025-11-19 | 6.1 Medium |
| The WP Twitter Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 1.7.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-12078 | 2 Artibot, Wordpress | 2 Artibot, Wordpress | 2025-11-19 | 6.1 Medium |
| The ArtiBot Free Chat Bot for WebSites plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-12691 | 2 Sayontan, Wordpress | 2 Photonic Gallery & Lightbox, Wordpress | 2025-11-19 | 6.4 Medium |
| The Photonic Gallery & Lightbox for Flickr, SmugMug & Others plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's lightbox functionality in all versions up to, and including, 3.21 due to insufficient input sanitization and output escaping on user supplied caption attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. | ||||
| CVE-2025-34157 | 1 Coollabs | 1 Coolify | 2025-11-19 | 9.0 Critical |
| Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. An authenticated user with low privileges can create a project with a maliciously crafted name containing embedded JavaScript. When an administrator attempts to delete the project or its associated resource, the payload executes in the admin’s browser context. This results in full compromise of the Coolify instance, including theft of API tokens, session cookies, and access to WebSocket-based terminal sessions on managed servers. | ||||
| CVE-2025-34281 | 1 Thingsboard | 1 Thingsboard | 2025-11-19 | 5.4 Medium |
| ThingsBoard versions < 4.2.1 contain a stored cross-site scripting (XSS) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload an SVG file containing malicious JavaScript, which may be executed when the file is rendered in the UI. This issue results from insufficient sanitization and improper content-type validation of uploaded SVG files. | ||||
| CVE-2024-45712 | 1 Solarwinds | 1 Serv-u | 2025-11-18 | 2.6 Low |
| SolarWinds Serv-U is vulnerable to a client-side cross-site scripting (XSS) vulnerability. The vulnerability can only be performed by an authenticated account, on the local machine, from the local browser session. Therefore the risk is very low. | ||||
| CVE-2025-4212 | 2 Wordpress, Wpwham | 2 Wordpress, Checkout Files Upload For Woocommerce | 2025-11-18 | 7.2 High |
| The Checkout Files Upload for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via file uploads in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in image files that will execute whenever a user accesses the injected page. | ||||
| CVE-2025-12088 | 1 Wordpress | 1 Wordpress | 2025-11-18 | 6.4 Medium |
| The Meta Display Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Meta Display Block in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-44655 | 1 Phpgurukul | 1 Complaint Management System | 2025-11-18 | 6.1 Medium |
| PHPGurukul Complaint Management System 2.0 is vulnerable to Cross Site Scripting (XSS) via the search parameter in user-search.php. | ||||
| CVE-2024-44661 | 1 Phpgurukul | 1 Online Shopping Portal | 2025-11-18 | 5.4 Medium |
| PHPGurukul Online Shopping Portal 2.0 is vulnerable to Cross Site Scripting (XSS) via the quantity parameter in my-cart.php. | ||||
| CVE-2025-45236 | 1 Dbsyncer Project | 1 Dbsyncer | 2025-11-18 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability in the Edit Profile feature of DBSyncer v2.0.6 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Nickname parameter. | ||||