Total
2982 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-3600 | 1 Ays-pro | 1 Poll Maker | 2025-05-28 | N/A | 7.2 HIGH |
| The Poll Maker – Best WordPress Poll Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to a missing capability check on the ays_poll_maker_quick_start AJAX action in addition to insufficient escaping and sanitization in all versions up to, and including, 5.1.8. This makes it possible for unauthenticated attackers to create quizzes and inject malicious web scripts into them that execute when a user visits the page. | |||||
| CVE-2025-43860 | 2025-05-28 | N/A | 7.6 HIGH | ||
| OpenEMR is a free and open source electronic health records and medical practice management application. A stored cross-site scripting (XSS) vulnerability in versions prior to 7.0.3.4 allows any authenticated user with patient creation and editing privileges to inject arbitrary JavaScript code into the system by entering malicious payloads in the (1) Text Box fields of Address, Address Line 2, Postal Code and City fields and (2) Drop Down menu options of Address Use, State and Country of the Additional Addresses section of the Contact tab in Patient Demographics. The injected script can execute in two scenarios: (1) dynamically during form input, and (2) when the form data is later loaded for editing. Version 7.0.3.4 contains a patch for the issue. | |||||
| CVE-2025-32794 | 2025-05-28 | N/A | 7.6 HIGH | ||
| OpenEMR is a free and open source electronic health records and medical practice management application. A stored cross-site scripting (XSS) vulnerability in versions prior to 7.0.3.4 allows any authenticated user with patient creation privileges to inject arbitrary JavaScript code into the system by entering malicious payloads in the First and Last Name fields during patient registration. This code is later executed when viewing the patient's encounter under Orders → Procedure Orders. Version 7.0.3.4 contains a patch for the issue. | |||||
| CVE-2022-30578 | 1 Tibco | 1 Ebx Add-ons | 2025-05-28 | N/A | 8.0 HIGH |
| The Web Server component of TIBCO Software Inc.'s TIBCO EBX Add-ons contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute Stored Cross Site Scripting (XSS) on the affected system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO EBX Add-ons: versions 5.4.1 and below. | |||||
| CVE-2024-47378 | 1 Wpcom | 1 Wpcom Member | 2025-05-27 | N/A | 7.1 HIGH |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPCOM WPCOM Member allows Reflected XSS.This issue affects WPCOM Member: from n/a through 1.5.4. | |||||
| CVE-2024-43156 | 1 Addonmaster | 1 Post Grid Master | 2025-05-27 | N/A | 7.1 HIGH |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in AddonMaster Post Grid Master allows Reflected XSS.This issue affects Post Grid Master: from n/a through 3.4.10. | |||||
| CVE-2024-37222 | 1 Averta | 1 Master Slider | 2025-05-27 | N/A | 7.1 HIGH |
| Cross Site Scripting (XSS) vulnerability in Averta Master Slider allows Reflected XSS.This issue affects Master Slider: from n/a through 3.10.0. | |||||
| CVE-2023-44852 | 1 Cobham | 2 Sailor 600 Vsat Ku, Sailor 600 Vsat Ku Firmware | 2025-05-27 | N/A | 8.2 HIGH |
| Cross Site Scripting (XSS) vulnerability in Cobham SAILOR VSAT Ku v.164B019, allows a remote attacker to execute arbitrary code via a crafted script to the c_set_traps_decode function in the acu_web file. | |||||
| CVE-2020-25730 | 1 Zoneminder | 1 Zoneminder | 2025-05-27 | N/A | 8.2 HIGH |
| Cross Site Scripting (XSS) vulnerability in ZoneMinder before version 1.34.21, allows remote attackers execute arbitrary code, escalate privileges, and obtain sensitive information via PHP_SELF component in classic/views/download.php. | |||||
| CVE-2025-1561 | 1 Apppresser | 1 Apppresser | 2025-05-26 | N/A | 7.2 HIGH |
| The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in all versions up to, and including, 4.4.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages when logging is enabled that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-22284 | 1 Eniture | 1 Ltl Freight Quotes | 2025-05-23 | N/A | 7.1 HIGH |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in enituretechnology LTL Freight Quotes – Unishippers Edition allows Reflected XSS. This issue affects LTL Freight Quotes – Unishippers Edition: from n/a through 2.5.8. | |||||
| CVE-2025-0924 | 1 Melapress | 1 Wp Activity Log | 2025-05-23 | N/A | 7.2 HIGH |
| The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘message’ parameter in all versions up to, and including, 5.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-13626 | 1 Vruiz | 1 Vr-frases | 2025-05-23 | N/A | 7.1 HIGH |
| The VR-Frases (collect & share quotes) WordPress plugin through 3.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||
| CVE-2022-45064 | 1 Apache | 1 Sling | 2025-05-23 | N/A | 8.0 HIGH |
| The SlingRequestDispatcher doesn't correctly implement the RequestDispatcher API resulting in a generic type of include-based cross-site scripting issues on the Apache Sling level. The vulnerability is exploitable by an attacker that is able to include a resource with specific content-type and control the include path (i.e. writing content). The impact of a successful attack is privilege escalation to administrative power. Please update to Apache Sling Engine >= 2.14.0 and enable the "Check Content-Type overrides" configuration option. | |||||
| CVE-2024-13352 | 1 Alwayscurious | 1 Legull | 2025-05-23 | N/A | 7.1 HIGH |
| The Legull WordPress plugin through 1.2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||
| CVE-2025-4123 | 2025-05-23 | N/A | 7.6 HIGH | ||
| A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS though the `connect-src` directive. | |||||
| CVE-2025-47458 | 2025-05-23 | N/A | 7.1 HIGH | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in B2itech B2i Investor Tools allows Reflected XSS. This issue affects B2i Investor Tools: from n/a through 1.0.7.9. | |||||
| CVE-2025-47680 | 2025-05-23 | N/A | 7.1 HIGH | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michel - xiligroup dev xili-tidy-tags allows Reflected XSS. This issue affects xili-tidy-tags: from n/a through 1.12.06. | |||||
| CVE-2025-46456 | 2025-05-23 | N/A | 7.1 HIGH | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jason Theme Blvd Sliders allows Reflected XSS. This issue affects Theme Blvd Sliders: from n/a through 1.2.5. | |||||
| CVE-2025-48245 | 2025-05-23 | N/A | 7.1 HIGH | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fullworks Quick Contact Form allows Reflected XSS. This issue affects Quick Contact Form : from n/a through 8.2.1. | |||||