Total
37565 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-54297 | 2025-07-25 | N/A | N/A | ||
| A stored XSS vulnerability in CComment component 5.0.0-6.1.14 for Joomla was discovered. | |||||
| CVE-2025-43486 | 2025-07-25 | N/A | N/A | ||
| A potential stored cross-site scripting vulnerability has been identified in the Poly Clariti Manager for versions prior to 10.12.1. The website allows user input to be stored and rendered without proper sanitization. HP has addressed the issue in the latest software update. | |||||
| CVE-2025-54141 | 2025-07-25 | N/A | 7.5 HIGH | ||
| ViewVC is a browser interface for CVS and Subversion version control repositories. In versions 1.1.0 through 1.1.31 and 1.2.0 through 1.2.3, the standalone.py script provided in the ViewVC distribution can expose the contents of the host server's filesystem though a directory traversal-style attack. This is fixed in versions 1.1.31 and 1.2.4. | |||||
| CVE-2025-34141 | 2025-07-25 | N/A | N/A | ||
| A reflected cross-site scripting (XSS) vulnerability exists in ETQ Reliance CG (legacy) platform within the `SQLConverterServlet` component. This vulnerability requires user interaction, such as clicking a crafted link, and may result in execution of unauthorized scripts in the user's context. The affected servlet was unnecessarily exposed to authenticated users and has since been disabled in version SE.2025.1. | |||||
| CVE-2025-51464 | 2025-07-25 | N/A | 8.8 HIGH | ||
| Cross-site Scripting (XSS) in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims browsers via malicious Python code submitted to the /api/reports endpoint, which is interpreted and executed by Pyodide when the report is viewed. No sanitisation or sandbox restrictions prevent JavaScript execution via pyodide.code.run_js(). | |||||
| CVE-2025-54295 | 2025-07-25 | N/A | N/A | ||
| A Reflected XSS vulnerability in DJ-Reviews component 1.0-1.3.6 for Joomla was discovered. | |||||
| CVE-2025-51863 | 2025-07-25 | N/A | 6.1 MEDIUM | ||
| Self Cross Site Scripting (XSS) vulnerability in ChatGPT Unli (ChatGPTUnli.com) thru 2025-05-26 allows attackers to execute arbitrary code via a crafted SVG file to the chat interface. | |||||
| CVE-2025-41425 | 2025-07-25 | N/A | 8.1 HIGH | ||
| DuraComm SPM-500 DP-10iN-100-MU is vulnerable to a cross-site scripting attack. This could allow an attacker to prevent legitimate users from accessing the web interface. | |||||
| CVE-2025-4439 | 2025-07-25 | N/A | 7.7 HIGH | ||
| An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could have allowed an authenticated user to perform cross-site scripting attacks when the instance is served through certain content delivery networks. | |||||
| CVE-2025-43484 | 2025-07-25 | N/A | N/A | ||
| A potential reflected cross-site scripting vulnerability has been identified in the Poly Clariti Manager for versions prior to 10.12.1. The website does not validate or sanitize the user input before rendering it in the response. HP has addressed the issue in the latest software update. | |||||
| CVE-2025-51864 | 2025-07-25 | N/A | 6.5 MEDIUM | ||
| A reflected cross-site scripting (XSS) vulnerability exists in AIBOX LLM chat (chat.aibox365.cn) through 2025-05-27, allowing attackers to hijack accounts through stolen JWT tokens. | |||||
| CVE-2025-51859 | 2025-07-25 | N/A | 6.5 MEDIUM | ||
| Stored Cross-Site Scripting (XSS) vulnerability in Chaindesk thru 2025-05-26 in its agent chat component. An attacker can achieve arbitrary client-side script execution by crafting an AI agent whose system prompt instructs the underlying Large Language Model (LLM) to embed malicious script payloads (e.g., SVG-based XSS) into its chat responses. When a user interacts with such a malicious agent or accesses a direct link to a conversation containing an XSS payload, the script executes in the user's browser. Successful exploitation can lead to the theft of sensitive information, such as JWT session tokens, potentially resulting in account hijacking. | |||||
| CVE-2025-27930 | 2025-07-25 | N/A | 6.4 MEDIUM | ||
| Zohocorp ManageEngine Applications Manager versions 176600 and prior are vulnerable to stored cross-site scripting in the File/Directory monitor. | |||||
| CVE-2025-4968 | 2025-07-25 | N/A | 6.4 MEDIUM | ||
| The WPBakery Page Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple Page Builder elements (Copyright Element, Hover Box, Separator With Text, FAQ, Single Image, Custom Header, Button, Call To Action, Progress Bar, Pie Chart, Round Chart, and Line Chart) in all versions up to, and including, 8.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-5753 | 2025-07-25 | N/A | 6.4 MEDIUM | ||
| The Valuation Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ parameter in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-54296 | 2025-07-25 | N/A | N/A | ||
| A stored XSS vulnerability in ProFiles component 1.0-1.5.0 for Joomla was discovered. | |||||
| CVE-2024-53288 | 2025-07-25 | N/A | 5.9 MEDIUM | ||
| Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in NTP Region functionality in Synology Router Manager (SRM) before 1.3.1-9346-11 allows remote authenticated users with administrator privileges to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2025-4294 | 2025-07-25 | N/A | 4.8 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in HotelRunner B2B allows Cross-Site Scripting (XSS).This issue affects B2B: before 04.06.2025. | |||||
| CVE-2025-51858 | 2025-07-25 | N/A | 6.1 MEDIUM | ||
| Self Cross-Site Scripting (XSS) vulnerability in ChatPlayground.ai through 2025-05-24, allows attackers to execute arbitrary code and gain sensitive information via a crafted SVG file contents sent through the chat component. | |||||
| CVE-2025-51862 | 2025-07-25 | N/A | 6.1 MEDIUM | ||
| Insecure Direct Object Reference (IDOR) vulnerability in TelegAI (telegai.com) thru 2025-05-26 in its chat component. An attacker can exploit this IDOR to tamper other users' conversation. Additionally, malicious contents and XSS payloads can be injected, leading to phishing attack, user spoofing and account hijacking via XSS. | |||||