Total
40035 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2011-10036 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-17 | 5.4 Medium |
| Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the handling of the "backend_url" JavaScript link. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||
| CVE-2025-63640 | 2 Rems, Sourcecodester | 2 Medicine Reminder App, Medicine Reminder App | 2025-11-17 | 6.1 Medium |
| Sourcecodester Medicine Reminder App v1.0 is vulnerable to Cross-Site Scripting (XSS) in the "Medicine Name" and "Notes (Optional)" fields when creating an "Upcoming Reminder", allowing an attacker to inject arbitrary potentially malicious HTML/JavaScript code that executes in the victim's browser upon clicking the "Save Reminder" button. | ||||
| CVE-2025-58964 | 1 Wordpress | 1 Wordpress | 2025-11-17 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Enzy enzy allows Reflected XSS. This issue affects Enzy: from n/a through < 1.6.4. | ||||
| CVE-2025-58638 | 2 E-plugins, Wordpress | 2 Institutions Directory, Wordpress | 2025-11-17 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins Institutions Directory institutions-directory allows Reflected XSS. This issue affects Institutions Directory: from n/a through <= 1.3.3. | ||||
| CVE-2025-59556 | 1 Wordpress | 1 Wordpress | 2025-11-17 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup GoStore gostore allows Reflected XSS. This issue affects GoStore: from n/a through < 1.6.4. | ||||
| CVE-2025-9980 | 1 Opensolution | 1 Quick.cms | 2025-11-17 | 4.8 Medium |
| QuickCMS is vulnerable to multiple Stored XSS in page editor functionality (pages-form). A malicious attacker with admin privileges can inject arbitrary HTML and JS into the website, which will be rendered/executed when visiting the edited page. By default, the admin user is not able to add JavaScript into the website. The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. | ||||
| CVE-2025-9981 | 1 Opensolution | 1 Quick.cms | 2025-11-17 | 4.8 Medium |
| QuickCMS is vulnerable to multiple Stored XSS in slider editor functionality (sliders-form). A malicious attacker with admin privileges can inject arbitrary HTML and JS into the website, which will be rendered/executed on every page. By default, the admin user is not able to add JavaScript into the website. The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. | ||||
| CVE-2025-58465 | 1 Qnap | 3 Download Station, Qts, Quts Hero | 2025-11-17 | 5.4 Medium |
| A cross-site scripting (XSS) vulnerability has been reported to affect Download Station. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: Download Station 5.10.0.305 ( 2025/09/16 ) and later Download Station 5.10.0.304 ( 2025/09/08 ) and later | ||||
| CVE-2025-41101 | 1 Fairsketch | 2 Rise Crm Framework, Rise Ultimate Project Manager | 2025-11-17 | 5.4 Medium |
| HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consists of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'title' in '/projects/save'. | ||||
| CVE-2025-41102 | 1 Fairsketch | 2 Rise Crm Framework, Rise Ultimate Project Manager | 2025-11-17 | 5.4 Medium |
| HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consists of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'title' in '/events/save'. | ||||
| CVE-2025-41103 | 1 Fairsketch | 2 Rise Crm Framework, Rise Ultimate Project Manager | 2025-11-17 | 5.4 Medium |
| HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consists of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'reply_message' in '/messages/reply'. | ||||
| CVE-2025-41104 | 1 Fairsketch | 2 Rise Crm Framework, Rise Ultimate Project Manager | 2025-11-17 | 5.4 Medium |
| HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consists of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'custom_field_1' in '/estimate_requests/save_estimate_request'. | ||||
| CVE-2025-41105 | 1 Fairsketch | 2 Rise Crm Framework, Rise Ultimate Project Manager | 2025-11-17 | 5.4 Medium |
| HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consists of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'title' in '/tickets/save'. | ||||
| CVE-2025-41106 | 1 Fairsketch | 2 Rise Crm Framework, Rise Ultimate Project Manager | 2025-11-17 | 5.4 Medium |
| HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consists of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'first_name' in '/clients/save_contact/'. | ||||
| CVE-2025-11189 | 1 Synchroweb | 1 Kiwire | 2025-11-17 | 7.3 High |
| The Kiwire Captive Portal contains a reflected cross-site scripting (XSS) vulnerability within the login-url parameter, allowing for JavaScript execution. | ||||
| CVE-2025-60378 | 1 Fairsketch | 1 Rise Ultimate Project Manager | 2025-11-17 | 8.1 High |
| Stored HTML injection in RISE Ultimate Project Manager & CRM allows authenticated users to inject arbitrary HTML into invoices and messages. Injected content renders in emails, PDFs, and messaging/chat modules sent to clients or team members, enabling phishing, credential theft, and business email compromise. Automated recurring invoices and messaging amplify the risk by distributing malicious content to multiple recipients. | ||||
| CVE-2025-13097 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2025-11-17 | 5.4 Medium |
| Inappropriate implementation in DevTools in Google Chrome prior to 136.0.7103.59 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2025-63645 | 1 Ph7software | 1 Ph7-social-dating-cms | 2025-11-15 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability exists in pH7Software pH7-Social-Dating-CMS 17.9.1 in the application's message system. Unsanitized message content submitted by one user is persisted by the server and later rendered in another user's Inbox view without appropriate context-aware encoding. As a result, attacker-controlled content executes in the recipient's browser context when the Inbox message is viewed. | ||||
| CVE-2025-9647 | 1 Mtons | 1 Mblog | 2025-11-14 | 4.3 Medium |
| A weakness has been identified in mtons mblog up to 3.5.0. This issue affects some unknown processing of the file /admin/role/list. This manipulation of the argument Name causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. | ||||
| CVE-2025-54168 | 1 Qnap | 1 Qulog Center | 2025-11-14 | 4.8 Medium |
| A cross-site scripting (XSS) vulnerability has been reported to affect QuLog Center. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following version: QuLog Center 1.8.2.923 ( 2025/08/27 ) and later | ||||