Total
40019 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-60916 | 2025-11-24 | 5.4 Medium | ||
| A reflected cross-site scripting (XSS) vulnerability in the /overview/network/ endpoint of Austrian Archaeological Institute Openatlas before v8.12.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload into the charge parameter. | ||||
| CVE-2025-10555 | 2025-11-24 | 8.7 High | ||
| A stored Cross-site Scripting (XSS) vulnerability affecting Service Items Management in DELMIA Service Process Engineer on Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session. | ||||
| CVE-2025-13589 | 2025-11-24 | N/A | ||
| FMS developed by Otsuka Information Technology has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks. | ||||
| CVE-2025-55056 | 2 Maxum, Maxum Development Corporation | 2 Rumpus, Rumpus Ftp Server | 2025-11-24 | 4.8 Medium |
| Multiple CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') | ||||
| CVE-2025-7633 | 1 Zohocorp | 1 Manageengine Exchange Reporter Plus | 2025-11-24 | 7.3 High |
| Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Custom report. | ||||
| CVE-2025-13178 | 2 Bdtask, Codecanyon | 2 Saleserp, Saleserp | 2025-11-24 | 3.5 Low |
| A flaw has been found in Bdtask/CodeCanyon SalesERP up to 20250728. This vulnerability affects unknown code of the file /edit_profile of the component User Profile Handler. This manipulation of the argument first_name/last_name causes basic cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-62731 | 1 Soplanning | 1 Soplanning | 2025-11-24 | 4.8 Medium |
| SOPlanning is vulnerable to Stored XSS in /feries endpoint. Malicious attacker with access to public holidays feature is able to inject arbitrary HTML and JS into website, which will be rendered/executed when opening multiple pages. By default only administrators and users with special privileges are able to access this endpoint. This issue was fixed in version 1.55. | ||||
| CVE-2025-62729 | 1 Soplanning | 1 Soplanning | 2025-11-24 | 5.4 Medium |
| SOPlanning is vulnerable to Stored XSS in /status endpoint. Malicious attacker with an account can inject arbitrary HTML and JS into website, which will be rendered/executed when opening multiple pages. This issue was fixed in version 1.55. | ||||
| CVE-2025-62297 | 1 Soplanning | 1 Soplanning | 2025-11-24 | 5.4 Medium |
| SOPlanning is vulnerable to Stored XSS in /projets endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening edited page. This issue was fixed in version 1.55. | ||||
| CVE-2025-62296 | 1 Soplanning | 1 Soplanning | 2025-11-24 | 5.4 Medium |
| SOPlanning is vulnerable to Stored XSS in /taches endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening editor. This issue was fixed in version 1.55. | ||||
| CVE-2025-62295 | 1 Soplanning | 1 Soplanning | 2025-11-24 | 5.4 Medium |
| SOPlanning is vulnerable to Stored XSS in /groupe_form endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening editor. This issue was fixed in version 1.55. | ||||
| CVE-2025-13180 | 1 Bdtask | 2 Wholesale, Wholesale Inventory Control And Inventory Management System | 2025-11-24 | 3.5 Low |
| A vulnerability was found in Bdtask/CodeCanyon Wholesale Inventory Control and Inventory Management System up to 20250320. Impacted is an unknown function of the file /edit_profile. Performing manipulation of the argument first_name/last_name results in basic cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-56526 | 1 Cinnamon | 1 Kotaemon | 2025-11-24 | 6.1 Medium |
| Cross site scripting (XSS) vulnerability in Kotaemon 0.11.0 allowing attackers to execute arbitrary code via a crafted PDF. | ||||
| CVE-2025-64984 | 3 Apple, Kaspersky, Linux | 5 Macos, Endpoint Security, Industrial Cybersecurity and 2 more | 2025-11-24 | 6.1 Medium |
| Kaspersky has fixed a security issue in Kaspersky Endpoint Security for Linux (any version with anti-virus databases prior to 18.11.2025), Kaspersky Industrial CyberSecurity for Linux Nodes (any version with anti-virus databases prior to 18.11.2025), and Kaspersky Endpoint Security for Mac (12.0.0.325, 12.1.0.553, and 12.2.0.694 with anti-virus databases prior to 18.11.2025) that could have allowed a reflected XSS attack to be carried out by an attacker using phishing techniques. | ||||
| CVE-2025-0643 | 1 Narkom | 1 Pyxis Signage | 2025-11-24 | 7.2 High |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Narkom Communication and Software Technologies Trade Ltd. Co. Pyxis Signage allows Stored XSS.This issue affects Pyxis Signage: through 31012025. | ||||
| CVE-2025-11884 | 1 Opentext | 1 Ucmdb | 2025-11-24 | N/A |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in opentext uCMDB allows Stored XSS. The vulnerability could allow an attacker has high level access to UCMDB to create or update data with malicious scripts This issue affects uCMDB: 24.4. | ||||
| CVE-2025-65095 | 1 Lookyloo | 1 Lookyloo | 2025-11-24 | N/A |
| Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to version 1.35.1, there is potential cross-site scripting on index and tree page. This issue has been patched in version 1.35.1. | ||||
| CVE-2025-12710 | 1 Wordpress | 1 Wordpress | 2025-11-24 | 6.4 Medium |
| The Pet-Manager – Petfinder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the kwm-petfinder shortcode in all versions up to, and including, 3.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-60737 | 1 Ilevia | 1 Eve X1 Server Firmware | 2025-11-24 | 6.1 Medium |
| Cross Site Scripting vulnerability in Ilevia EVE X1 Server Firmware Version<= 4.7.18.0.eden:Logic Version<=6.00 - 2025_07_21 allows a remote attacker to execute arbitrary code via the /index.php component | ||||
| CVE-2025-63848 | 1 Swi-prolog | 1 Swi-prolog | 2025-11-24 | 6.1 Medium |
| Stored cross site scripting (xss) vulnerability in SWISH prolog thru 2.2.0 allowing attackers to execute arbitrary code via crafted web IDE notebook. | ||||