Vulnerabilities (CVE)

Filtered by CWE-79
Total 37734 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-1456 1 Royal-elementor-addons 1 Royal Elementor Addons 2025-07-08 N/A 6.4 MEDIUM
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `widgetGrid`, `widgetCountDown`, and `widgetInstagramFeed` methods in all versions up to, and including, 1.7.1012 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-53599 2025-07-08 N/A 9.8 CRITICAL
Whale browser for iOS before 3.9.1.4206 allows an attacker to execute malicious scripts in the browser via a crafted javascript scheme.
CVE-2025-53488 2025-07-08 N/A 6.1 MEDIUM
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - WikiHiero Extension allows Stored XSS. This issue affects Mediawiki - WikiHiero Extension: from 1.43.X before 1.43.2.
CVE-2025-53484 2025-07-08 N/A 9.8 CRITICAL
User-controlled inputs are improperly escaped in VotePage.php (poll option input) and in ResultPage::getPagesTab() and getErrorsTab() (user-controllable page names). This allows attackers to inject JavaScript and compromise user sessions under certain conditions. This issue affects Mediawiki - SecurePoll extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.
CVE-2025-53482 2025-07-08 N/A 6.1 MEDIUM
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - IPInfo Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - IPInfo Extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.
CVE-2025-22659 1 Themeisle 1 Orbit Fox 2025-07-08 N/A 6.5 MEDIUM
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeisle Orbit Fox by ThemeIsle allows Stored XSS. This issue affects Orbit Fox by ThemeIsle: from n/a through 2.10.44.
CVE-2024-58128 1 Misp 1 Misp 2025-07-08 N/A 5.5 MEDIUM
In MISP before 2.4.193, menu_custom_right_link parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks via a global menu link.
CVE-2024-58129 1 Misp 1 Misp 2025-07-08 N/A 5.5 MEDIUM
In MISP before 2.4.193, menu_custom_right_link_html parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks against every page.
CVE-2025-47289 1 Phoenixcart 1 Ce Phoenix Cart 2025-07-08 N/A 6.3 MEDIUM
CE Phoenix is a free, open-source eCommerce platform. A stored cross-site scripting (XSS) vulnerability was discovered in CE Phoenix versions 1.0.9.9 through 1.1.0.2 where an attacker can inject malicious JavaScript into the testimonial description field. Once submitted, if the shop owner (admin) approves the testimonial, the script executes in the context of any user visiting the testimonial page. Because the session cookies are not marked with the `HttpOnly` flag, they can be exfiltrated by the attacker — potentially leading to account takeover. Version 1.1.0.3 fixes the issue.
CVE-2025-0667 1 Universityofcalifornia 1 Boinc Server 2025-07-08 N/A 5.4 MEDIUM
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in BOINC Server allows Stored XSS. This issue affects BOINC Server: through 1.4.7.
CVE-2025-0666 1 Universityofcalifornia 1 Boinc Server 2025-07-08 N/A 5.4 MEDIUM
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in BOINC Server allows Stored XSS. This issue affects BOINC Server: through 1.4.7.
CVE-2025-53368 2025-07-08 N/A 8.6 HIGH
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. From versions 1.9.4 to before 3.4.0, page descriptions are inserted into raw HTML without proper sanitization by the Citizen skin when using the old search bar. Any user with page editing privileges can insert cross-site scripting (XSS) payloads into the DOM for other users who are searching for specific pages. This issue has been patched in version 3.4.0.
CVE-2025-53489 2025-07-08 N/A 5.6 MEDIUM
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - GoogleDocs4MW Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - GoogleDocs4MW Extension: from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.
CVE-2025-53369 2025-07-08 N/A 8.6 HIGH
Short Description is a MediaWiki extension that provides local short description support. In version 4.0.0, short descriptions are not properly sanitized before being inserted as HTML using mw.util.addSubtitle, allowing any user to insert arbitrary HTML into the DOM by editing a page. This issue has been patched in version 4.0.1.
CVE-2025-53370 2025-07-08 N/A 8.6 HIGH
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. From versions 1.9.4 to before 3.4.0, short descriptions set via the ShortDescription extension are inserted as raw HTML by the Citizen skin, allowing any user to insert arbitrary HTML into the DOM by editing a page. This issue has been patched in version 3.4.0.
CVE-2025-53490 2025-07-08 N/A 5.6 MEDIUM
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - CampaignEvents Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - CampaignEvents Extension: from 1.43.X before 1.43.2.
CVE-2025-53500 2025-07-08 N/A 5.6 MEDIUM
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - MassEditRegex Extension allows Stored XSS. This issue affects Mediawiki - MassEditRegex Extension: from 1.39.X before 1.39.12, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.
CVE-2025-45938 2025-07-08 N/A 5.4 MEDIUM
Akeles Out of Office Assistant for Jira 4.0.1 is vulnerable to Cross Site Scripting (XSS) via the Jira fullName parameter.
CVE-2025-49247 2025-07-08 N/A 7.1 HIGH
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cmoreira Team Showcase allows DOM-Based XSS. This issue affects Team Showcase: from n/a through n/a.
CVE-2025-27326 2025-07-08 N/A 6.5 MEDIUM
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins Video Gallery Block – Display your videos as a gallery in a professional way allows Stored XSS. This issue affects Video Gallery Block – Display your videos as a gallery in a professional way: from n/a through 1.1.0.