Total
40035 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-63713 | 2 Remyandrade, Sourcecodester | 2 Matching Type Test, Matchmaster | 2025-11-18 | 6.1 Medium |
| Cross-Site Scripting (XSS) vulnerability in SourceCodester "MatchMaster" 1.0 allows remote attackers to inject arbitrary web script or HTML via crafted input in the custom test creation feature. The vulnerability exists because the application fails to properly sanitize user-supplied input in test titles and matching pair items before rendering them in the DOM during test execution. | ||||
| CVE-2025-12869 | 1 Aenrich | 2 A+hrd, A\+hrd | 2025-11-18 | 4.8 Medium |
| The a+HRD developed by aEnrich has a Stored Cross-Site Scripting vulnerability, allowing remote attackers with administrator privileges to inject persistent JavaScript codes that are executed in users' browsers upon page load. | ||||
| CVE-2025-63834 | 1 Tenda | 2 Ac18, Ac18 Firmware | 2025-11-18 | 4.1 Medium |
| A stored cross-site scripting (XSS) vulnerability was discovered in Tenda AC18 v15.03.05.05_multi. The vulnerability exists in the ssid parameter of the wireless settings. Remote attackers can inject malicious payloads that execute when any user visits the router's homepage. | ||||
| CVE-2025-63709 | 2 Chuck24, Sourcecodester | 2 Simple To-do List System, Simple Todo List System | 2025-11-18 | 4.6 Medium |
| A Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Simple To-Do List System 1.0 in the "Add Tasks" text input. An authenticated user can submit HTML/JavaScript that is not correctly sanitized or encoded on output. The injected script is stored and later rendered in the browser of any user who views the task, allowing execution of arbitrary script in the context of the victim's browser. | ||||
| CVE-2025-12823 | 1 Wordpress | 1 Wordpress | 2025-11-18 | 6.4 Medium |
| The CSV to SortTable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'csv' shortcode in all versions up to, and including, 4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-64197 | 2 Sizam Design, Wordpress | 2 Rehub, Wordpress | 2025-11-18 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sizam Rehub rehub-theme allows Stored XSS.This issue affects Rehub: from n/a through < 19.9.9.1. | ||||
| CVE-2025-8605 | 1 Wordpress | 1 Wordpress | 2025-11-18 | 6.4 Medium |
| The Gutenify – Visual Site Builder Blocks & Site Templates. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block attributes in all versions up to, and including, 1.5.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-8609 | 1 Wordpress | 1 Wordpress | 2025-11-18 | 6.4 Medium |
| The RTMKit Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Accordion Block's attributes in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-11868 | 1 Wordpress | 1 Wordpress | 2025-11-18 | 6.4 Medium |
| The everviz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `everviz` shortcode attributes in versions up to, and including, 1.1. This is due to the plugin not properly sanitizing user input or escaping output when building a `<div id=...>` from the `type` and `hash` attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-13182 | 1 Pojoin | 1 H3blog | 2025-11-18 | 3.5 Low |
| A vulnerability was identified in pojoin h3blog 1.0. The impacted element is an unknown function of the file /admin/cms/category/addtitle. The manipulation of the argument Title leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used. | ||||
| CVE-2025-63725 | 1 Meeco | 1 Svx Portal | 2025-11-18 | 6.1 Medium |
| Reflected Cross-Site Scripting (XSS) vulnerability in SVX Portal 2.7A via the id parameter to Recivers.php. | ||||
| CVE-2025-13181 | 1 Pojoin | 1 H3blog | 2025-11-18 | 3.5 Low |
| A vulnerability was determined in pojoin h3blog 1.0. The affected element is an unknown function of the file /admin/cms/material/add. Executing manipulation of the argument Name can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2025-13232 | 1 Projectsend | 1 Projectsend | 2025-11-18 | 3.5 Low |
| A flaw has been found in projectsend up to r1720. Impacted is an unknown function of the component File Editor/Custom Download Aliases. This manipulation causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. Upgrading to version r1945 is recommended to address this issue. Patch name: 334da1ea39cb12f6b6e98dd2f80bb033e0c7b845. It is advisable to upgrade the affected component. | ||||
| CVE-2025-64758 | 1 Owasp | 1 Dependency-track Frontend | 2025-11-18 | 4.8 Medium |
| @dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Since version 4.12.0, Dependency-Track users with the SYSTEM_CONFIGURATION permission can configure a "welcome message", which is HTML that is to be rendered on the login page for branding purposes. When rendering the welcome message, Dependency-Track versions before 4.13.6 did not properly sanitize the HTML, allowing arbitrary JavaScript to be executed. Users with the SYSTEM_CONFIGURATION permission (i.e., administrators), can exploit this weakness to execute arbitrary JavaScript for users browsing to the login page. The issue has been fixed in version 4.13.6. | ||||
| CVE-2025-40834 | 2 Mendix, Siemens | 2 Mendix, Mendix | 2025-11-18 | 5.7 Medium |
| A vulnerability has been identified in Mendix RichText (All versions >= V4.0.0 < V4.6.1). Affected widget does not properly neutralize the input. This could allow an attacker to execute cross-site scripting attacks. | ||||
| CVE-2022-44759 | 1 Hcltech | 1 Hcl Leap | 2025-11-17 | 4.6 Medium |
| Improper sanitization of SVG files in HCL Leap allows client-side script injection in deployed applications. | ||||
| CVE-2024-30147 | 1 Hcltech | 1 Hcl Leap | 2025-11-17 | 6.5 Medium |
| Multiple vectors in HCL Leap allow client-side script injection in the authoring environment and deployed applications. | ||||
| CVE-2024-30114 | 1 Hcltech | 1 Hcl Leap | 2025-11-17 | 3.7 Low |
| Insufficient sanitization in HCL Leap allows client-side script injection in the authoring environment. | ||||
| CVE-2024-30113 | 1 Hcltech | 1 Hcl Leap | 2025-11-17 | 6.3 Medium |
| Insufficient sanitization policy in HCL Leap allows client-side script injection in the deployed application through the HTML widget. | ||||
| CVE-2023-37534 | 1 Hcltech | 1 Hcl Leap | 2025-11-17 | 7.1 High |
| Insufficient URI protocol whitelist in HCL Leap allows script injection through query parameters. | ||||