Total
38533 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-55409 | 1 Foxcms | 1 Foxcms | 2025-09-09 | N/A | 8.8 HIGH |
| FoxCMS 1.2.6, there is a Cross Site Scripting vulnerability in /index.php/article. This allows attackers to execute arbitrary code. | |||||
| CVE-2025-55420 | 1 Foxcms | 1 Foxcms | 2025-09-09 | N/A | 8.8 HIGH |
| A Reflected Cross Site Scripting (XSS) vulnerability was found in /index.php in FoxCMS v1.2.6. When a crafted script is sent via a GET request, it is reflected unsanitized into the HTML response. This permits execution of arbitrary JavaScript code when a logged-in user submits the malicious input. | |||||
| CVE-2025-9717 | 1 Zoneland | 1 O2oa | 2025-09-09 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was identified in O2OA up to 10.0-410. Affected by this issue is some unknown functionality of the file /x_organization_assemble_control/jaxrs/unit/ of the component Personal Profile Page. Such manipulation of the argument name/shortName/distinguishedName/pinyin/pinyinInitial/levelName leads to cross site scripting. The attack may be launched remotely. The exploit is publicly available and might be used. | |||||
| CVE-2025-9718 | 1 Zoneland | 1 O2oa | 2025-09-09 | 4.0 MEDIUM | 3.5 LOW |
| A security flaw has been discovered in O2OA up to 10.0-410. This affects an unknown part of the file /x_processplatform_assemble_designer/jaxrs/process of the component Personal Profile Page. Performing manipulation of the argument name/alias results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." | |||||
| CVE-2025-9719 | 1 Zoneland | 1 O2oa | 2025-09-09 | 4.0 MEDIUM | 3.5 LOW |
| A weakness has been identified in O2OA up to 10.0-410. This vulnerability affects unknown code of the file /x_processplatform_assemble_designer/jaxrs/script of the component Personal Profile Page. Executing manipulation of the argument name/alias/description/applicationName can lead to cross site scripting. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. | |||||
| CVE-2025-52217 | 1 Selectzero | 1 Selectzero | 2025-09-09 | N/A | 5.4 MEDIUM |
| SelectZero Data Observability Platform before 2025.5.2 is vulnerable to HTML Injection. Legacy UI fields improperly handle user-supplied input, allowing injection of arbitrary HTML. | |||||
| CVE-2025-56432 | 1 Nagios | 1 Nagios Xi | 2025-09-09 | N/A | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability exists in Nagios XI 2024R2. The vulnerability allows remote attackers to execute arbitrary JavaScript in the context of a logged-in user's session via a specially crafted URL. The issue resides in a web component responsible for rendering performance-related data. | |||||
| CVE-2025-52184 | 1 Helpy.io | 1 Helpy | 2025-09-09 | N/A | 6.1 MEDIUM |
| Cross Site Scripting vulnerability in Helpy.io v.2.8.0 allows a remote attacker to escalate privileges via the New Topic Ticket funtion. | |||||
| CVE-2025-50976 | 1 Ipfire | 1 Ipfire | 2025-09-09 | N/A | 6.1 MEDIUM |
| IPFire 2.29 DNS management interface (dns.cgi) fails to properly sanitize user-supplied input in the NAMESERVER, REMARK, and TLS_HOSTNAME query parameters, resulting in a reflected cross-site scripting (XSS) vulnerability. | |||||
| CVE-2025-50975 | 1 Ipfire | 1 Ipfire | 2025-09-09 | N/A | 5.4 MEDIUM |
| IPFire 2.29 web-based firewall interface (firewall.cgi) fails to sanitize several rule parameters such as PROT, SRC_PORT, TGT_PORT, dnatport, key, ruleremark, src_addr, std_net_tgt, and tgt_addr, allowing an authenticated administrator to inject persistent JavaScript. This stored XSS payload is executed whenever another admin views the firewall rules page, enabling session hijacking, unauthorized actions within the interface, or further internal pivoting. Exploitation requires only high-privilege GUI access, and the complexity of the attack is low. | |||||
| CVE-2025-50985 | 1 Diskoverdata | 1 Diskover | 2025-09-09 | N/A | 5.6 MEDIUM |
| diskover-web v2.3.0 Community Edition is vulnerable to multiple reflected cross-site scripting (XSS) flaws in its web interface. Unsanitized GET parameters including maxage, maxindex, index, path, q (query), and doctype are directly echoed into the HTML response, allowing attackers to inject and execute arbitrary JavaScript when a victim visits a maliciously crafted URL. | |||||
| CVE-2025-50986 | 1 Diskoverdata | 1 Diskover | 2025-09-09 | N/A | 5.6 MEDIUM |
| diskover-web v2.3.0 Community Edition suffers from multiple stored cross-site scripting (XSS) vulnerabilities in its administrative settings interface. Various configuration fields such as ES_HOST, ES_INDEXREFRESH, ES_PORT, ES_SCROLLSIZE, ES_TRANSLOGSIZE, ES_TRANSLOGSYNCINT, EXCLUDES_FILES, FILE_TYPES[], INCLUDES_DIRS, INCLUDES_FILES, and TIMEZONE do not properly sanitize user-supplied input. Malicious payloads submitted via these parameters are persisted in the application and executed whenever an administrator views or edits the settings page. | |||||
| CVE-2025-50978 | 1 Gitblit | 1 Gitblit | 2025-09-09 | N/A | 6.1 MEDIUM |
| In Gitblit v1.7.1, a reflected cross-site scripting (XSS) vulnerability exists in the way repository path names are handled. By injecting a specially crafted path payload an attacker can cause arbitrary JavaScript to execute when a victim views the manipulated URL. This flaw stems from insufficient input sanitization of filename elements. | |||||
| CVE-2025-30875 | 2025-09-09 | N/A | 5.9 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alexandre Froger WP Weixin allows Stored XSS. This issue affects WP Weixin: from n/a through 1.3.16. | |||||
| CVE-2025-50977 | 1 Gitblit | 1 Gitblit | 2025-09-09 | N/A | 6.1 MEDIUM |
| A template injection vulnerability leading to reflected cross-site scripting (XSS) has been identified in version 1.7.1, requiring authenticated admin access for exploitation. The vulnerability exists in the 'r' parameter and allows attackers to inject malicious Angular expressions that execute JavaScript code in the context of the application. The flaw can be exploited through GET requests to the summary endpoint as well as POST requests to specific Wicket interface endpoints, though the GET method provides easier weaponization. This vulnerability enables authenticated administrators to execute arbitrary client-side code, potentially leading to session hijacking, data theft, or further privilege escalation attacks. | |||||
| CVE-2025-51967 | 1 Oranbyte | 1 School Management System | 2025-09-09 | N/A | 6.1 MEDIUM |
| A Reflected Cross-site Scripting (XSS) vulnerability exists in the themeSet.php file of ProjectsAndPrograms School Management System 1.0. The application fails to sanitize user-supplied input in the theme POST parameter, allowing an attacker to inject and execute arbitrary JavaScript in a victim's browser. | |||||
| CVE-2025-56236 | 1 Formcms | 1 Formcms | 2025-09-09 | N/A | 6.1 MEDIUM |
| FormCms v0.5.5 contains a stored cross-site scripting (XSS) vulnerability in the avatar upload feature. Authenticated users can upload .html files containing malicious JavaScript, which are accessible via a public URL. When a privileged user accesses the file, the script executes in their browser context. | |||||
| CVE-2025-56761 | 1 Usememos | 1 Memos | 2025-09-09 | N/A | 5.4 MEDIUM |
| Memos 0.22 is vulnerable to Stored Cross site scripting (XSS) vulnerabilities by the upload attachment and user avatar features. Memos does not verify the content type of the uploaded data and serve it back as is. An authenticated attacker can use this to elevate their privileges when the stored XSS is viewed by an admin. | |||||
| CVE-2025-20280 | 1 Cisco | 2 Evolved Programmable Network Manager, Prime Infrastructure | 2025-09-09 | N/A | 4.8 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against users of the interface of an affected system. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by inserting malicious code into specific data fields in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, an attacker must have valid administrative credentials. | |||||
| CVE-2025-10065 | 1 Facebook-kimmymatillano | 1 Point Of Sale System | 2025-09-09 | 5.0 MEDIUM | 4.3 MEDIUM |
| A weakness has been identified in itsourcecode POS Point of Sale System 1.0. Impacted is an unknown function of the file /inventory/main/vendors/datatables/unit_testing/templates/dom_data_th.php. This manipulation of the argument scripts causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. | |||||