Export limit exceeded: 339475 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 44417 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (44417 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-12101 | 1 Netscaler | 2 Adc, Gateway | 2025-11-12 | N/A |
| Cross-Site Scripting (XSS) in NetScaler ADC and NetScaler Gateway when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server | ||||
| CVE-2025-26395 | 1 Solarwinds | 1 Observability Self-hosted | 2025-11-12 | 7.1 High |
| SolarWinds Observability Self-Hosted was susceptible to a cross-site scripting (XSS) vulnerability due to an unsanitized field in the URL. The attack requires authentication using an administrator-level account and user interaction is required. | ||||
| CVE-2025-30511 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | 8.8 High |
| An authenticated attacker can achieve stored XSS by exploiting improper sanitization of the plant name value while adding or editing a plant. | ||||
| CVE-2025-61417 | 1 Tastyigniter | 1 Tastyigniter | 2025-11-12 | 8.8 High |
| Cross-Site Scripting (XSS) vulnerability exists in TastyIgniter 3.7.7, affecting the /admin/media_manager component. Attackers can upload a malicious SVG file containing JavaScript code. When an administrator previews the file, the code executes in their browser context, allowing the attacker to perform unauthorized actions such as modifying the admin account credentials. | ||||
| CVE-2025-54806 | 2 Growi, Weseek | 2 Growi, Growi | 2025-11-12 | 6.1 Medium |
| GROWI v4.2.7 and earlier contains a cross-site scripting vulnerability in the page alert function. If a user accesses a crafted URL while logged in to the affected product, an arbitrary script may be executed on the user's web browser. | ||||
| CVE-2025-54167 | 1 Qnap | 1 Notification Center | 2025-11-12 | N/A |
| A cross-site scripting (XSS) vulnerability has been reported to affect Notification Center. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: Notification Center 2.1.0.3443 and later Notification Center 1.9.2.3163 and later Notification Center 3.0.0.3466 and later | ||||
| CVE-2025-12486 | 1 Heimdalldata | 1 Database Proxy | 2025-11-12 | N/A |
| Heimdall Data Database Proxy Cross-Site Scripting Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Heimdall Data Database Proxy. Minimal user interaction is required to exploit this vulnerability. The specific flaw exists within the handling of the database event logs. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of arbitrary script. An attacker can leverage this vulnerability to interact with the application in the context of the target user. Was ZDI-CAN-24755. | ||||
| CVE-2025-12520 | 2 Jgwhite33, Wordpress | 2 Wp Thumbtack Review Slider, Wordpress | 2025-11-12 | 4 Medium |
| The WP Airbnb Review Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.2 due to insufficient URL validation that allows users to pull in a malicious HTML file. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2025-12064 | 2 F1logic, Wordpress | 2 Wpsocial Auto Publish, Wordpress | 2025-11-12 | 6.1 Medium |
| The WP2Social Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 2.4.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-12193 | 1 Wordpress | 1 Wordpress | 2025-11-12 | 6.1 Medium |
| The Mang Board WP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'mp' parameter in all versions up to, and including, 2.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-12837 | 3 Athemes, Elementor, Wordpress | 3 Athemes Addons For Elementor, Elementor, Wordpress | 2025-11-12 | 6.4 Medium |
| The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Call To Action widget in versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping on user-supplied values. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-12112 | 1 Wordpress | 1 Wordpress | 2025-11-12 | 6.4 Medium |
| The Insert Headers and Footers Code – HT Script plugin for WordPress is vulnerable to Stored Cross-Site Scripting via adding scripts in all versions up to, and including, 1.1.6 due to insufficient capability checks. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-12125 | 2 Linksoftware, Wordpress | 2 Html Forms, Wordpress | 2025-11-12 | 4.4 Medium |
| The HTML Forms – Simple WordPress Forms Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2025-12643 | 1 Wordpress | 1 Wordpress | 2025-11-12 | 6.4 Medium |
| The Saphali LiqPay for donate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'saphali_liqpay' shortcode in all versions up to, and including, 1.0.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2022-35155 | 1 Phpgurukul | 1 Bus Pass Management System | 2025-11-12 | 6.1 Medium |
| Bus Pass Management System v1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the searchdata parameter. | ||||
| CVE-2023-46595 | 1 Algosec | 1 Fireflow | 2025-11-12 | 5.9 Medium |
| Net-NTLM leak via HTML injection in FireFlow VisualFlow workflow editor allows an attacker to obtain victim’s domain credentials and Net-NTLM hash which can lead to relay domain attacks. Fixed in A32.20 (b570 or above), A32.50 (b390 or above) | ||||
| CVE-2023-41537 | 1 Phpjabbers | 1 Business Directory Script | 2025-11-11 | 6.1 Medium |
| phpjabbers Business Directory Script 3.2 is vulnerable to Cross Site Scripting (XSS) via the keyword parameter. | ||||
| CVE-2023-36375 | 1 Phpgurukul | 1 Hostel Management System | 2025-11-11 | 5.4 Medium |
| Cross Site Scripting vulnerability in Hostel Management System v2.1 allows an attacker to execute arbitrary code via a crafted payload to the Guardian name, Guardian relation, complimentary address, city, permanent address, and city parameters in the Book Hostel & Room Details page. | ||||
| CVE-2021-27129 | 1 Casap Automated Enrollment System Project | 1 Casap Automated Enrollment System | 2025-11-11 | 5.4 Medium |
| CASAP Automated Enrollment System version 1.0 contains a cross-site scripting (XSS) vulnerability through the Students > Edit > ROUTE parameter. | ||||
| CVE-2024-10451 | 1 Redhat | 3 Build Keycloak, Jboss Enterprise Application Platform, Red Hat Single Sign On | 2025-11-11 | 5.9 Medium |
| A flaw was found in Keycloak. This issue occurs because sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, leading to unintended information disclosure. In Keycloak 26, sensitive data specified directly in environment variables during the build process is also stored as a default values, making it accessible during runtime. Indirect usage of environment variables for SPI options and Quarkus properties is also vulnerable due to unconditional expansion by PropertyMapper logic, capturing sensitive data as default values in all Keycloak versions up to 26.0.2. | ||||