Vulnerabilities (CVE)

Filtered by CWE-79
Total 38724 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-25225 1 Apostrophecms 1 Sanitize-html 2025-09-19 N/A 6.1 MEDIUM
`sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The `sanitizeHtml()` function in `index.js` does not sanitize content when using the custom `transformTags` option, which is intended to convert attribute values into text. As a result, malicious input can be transformed into executable code.
CVE-2014-125128 1 Apostrophecms 1 Sanitize-html 2025-09-19 N/A 6.1 MEDIUM
'sanitize-html' prior to version 1.0.3 is vulnerable to Cross-site Scripting (XSS). The function 'naughtyHref' doesn't properly validate the hyperreference (`href`) attribute in anchor tags (`<a>`), allowing bypasses that contain different casings, whitespace characters, or hexadecimal encodings.
CVE-2024-25175 1 Kickdler 1 Kickdler 2025-09-19 N/A 6.1 MEDIUM
An issue in Kickdler before v1.107.0 allows attackers to provide an XSS payload via a HTTP response splitting attack.
CVE-2024-4216 2 Fedoraproject, Pgadmin 2 Fedora, Pgadmin 4 2025-09-19 N/A 7.4 HIGH
pgAdmin <= 8.5 is affected by XSS vulnerability in /settings/store API response json payload. This vulnerability allows attackers to execute malicious script at the client end.
CVE-2025-9851 2025-09-19 N/A 6.4 MEDIUM
The Appointmind plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'appointmind_calendar' shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-2404 2025-09-19 N/A 4.3 MEDIUM
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ubit Information Technologies STOYS allows Cross-Site Scripting (XSS).This issue affects STOYS: from 2 before 20250916.
CVE-2025-52074 1 Phpgurukul 1 Online Shopping Portal 2025-09-18 N/A 6.1 MEDIUM
PHPGURUKUL Online Shopping Portal 2.1 is vulnerable to Cross Site Scripting (XSS) due to lack of input sanitization in the quantity parameter when adding a product to the cart.
CVE-2025-10372 1 Portabilis 1 I-educar 2025-09-18 4.0 MEDIUM 3.5 LOW
A weakness has been identified in Portabilis i-Educar up to 2.10. Impacted is an unknown function of the file /intranet/educar_modulo_cad.php. This manipulation of the argument nm_tipo/descricao causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited.
CVE-2025-10373 1 Portabilis 1 I-educar 2025-09-18 4.0 MEDIUM 3.5 LOW
A security vulnerability has been detected in Portabilis i-Educar up to 2.10. The affected element is an unknown function of the file /intranet/educar_turma_tipo_cad.php. Such manipulation of the argument nm_tipo leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.
CVE-2025-44593 1 Halo 1 Halo 2025-09-18 N/A 6.1 MEDIUM
Halo prior to 2.20.13 allows bypassing file type detection and uploading malicious files such as .exe and .html files. Specifically, .html files can trigger stored XSS vulnerabilities. This vulnerability is fixed in 2.20.13
CVE-2025-44595 1 Halo 1 Halo 2025-09-18 N/A 6.1 MEDIUM
Halo v2.20.17 and before is vulnerable to Cross Site Scripting (XSS) in /halo_host/archives/{name}.
CVE-2025-58768 1 Thinkinai 1 Deepchat 2025-09-18 N/A 9.6 CRITICAL
DeepChat is a smart assistant uses artificial intelligence. Prior to version 0.3.5, in the Mermaid chart rendering component, there is a risky operation of directly using `innerHTML` to set user content. Therefore, any malicious content rendered via Mermaid will directly trigger the exploit chain, leading to command execution. This vulnerability is primarily caused by a failure to fully address the existing XSS issue in the project, leading to another exploit chain. The exploit chain is consistent with the report GHSA-hqr4-4gfc-5p2j, executing arbitrary JavaScript code via XSS and arbitrary commands via exposed IPC. Version 0.3.5 contains an updated fix.
CVE-2025-10590 1 Portabilis 1 I-educar 2025-09-18 5.0 MEDIUM 4.3 MEDIUM
A security flaw has been discovered in Portabilis i-Educar up to 2.10. The impacted element is an unknown function of the file /intranet/educar_usuario_det.php. The manipulation of the argument ref_pessoa results in cross site scripting. The attack can be executed remotely. The exploit has been released to the public and may be exploited.
CVE-2025-10591 1 Portabilis 1 I-educar 2025-09-18 4.0 MEDIUM 3.5 LOW
A weakness has been identified in Portabilis i-Educar up to 2.10. This affects an unknown function of the file /intranet/educar_funcao_cad.php of the component Editar Função Page. This manipulation of the argument abreviatura/tipoacao causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited.
CVE-2025-10605 1 Portabilis 1 I-educar 2025-09-18 5.0 MEDIUM 4.3 MEDIUM
A security flaw has been discovered in Portabilis i-Educar up to 2.10. This vulnerability affects unknown code of the file /agenda_preferencias.php. The manipulation of the argument tipoacao results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be exploited.
CVE-2025-10606 1 Portabilis 1 I-educar 2025-09-18 5.0 MEDIUM 4.3 MEDIUM
A weakness has been identified in Portabilis i-Educar up to 2.10. This issue affects some unknown processing of the file /module/Configuracao/ConfiguracaoMovimentoGeral. This manipulation of the argument tipoacao causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited.
CVE-2025-10411 1 Emiloi 1 E-logbook With Health Monitoring System For Covid-19 2025-09-18 5.0 MEDIUM 4.3 MEDIUM
A vulnerability was detected in itsourcecode E-Logbook with Health Monitoring System for COVID-19 1.0. This issue affects some unknown processing of the file /stc-log-keeper/check_profile.php of the component POST Request Handler. The manipulation of the argument profile_id results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used.
CVE-2024-0083 2 Microsoft, Nvidia 2 Windows, Chatrtx 2025-09-18 N/A 6.5 MEDIUM
NVIDIA ChatRTX for Windows contains a vulnerability in the UI, where an attacker can cause a cross-site scripting error by network by running malicious scripts in users' browsers. A successful exploit of this vulnerability might lead to code execution, denial of service, and information disclosure.
CVE-2025-57538 1 Proxmox 1 Virtual Environment 2025-09-18 N/A 5.4 MEDIUM
A stored cross-site scripting (XSS) vulnerability in the HTTP Proxy field within the Datacenter configuration panel of Proxmox Virtual Environment (PVE) 8.4 allows an authenticated user to inject malicious input. The input is stored and executed in the context of other users' browsers when they view the affected configuration page. This can lead to arbitrary JavaScript execution.
CVE-2025-57539 1 Proxmox 1 Virtual Environment 2025-09-18 N/A 5.4 MEDIUM
A stored cross-site scripting (XSS) vulnerability in the U2F Origin field of the Datacenter configuration in Proxmox Virtual Environment (PVE) 8.4 allows authenticated users to store malicious input. The payload is rendered unsafely in the Web UI and executed when viewed by other users, potentially leading to session hijacking or other attacks.