Total
39597 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-9921 | 1 Code-projects | 1 Pos Pharmacy System | 2025-09-09 | 3.3 LOW | 2.4 LOW |
| A weakness has been identified in code-projects POS Pharmacy System 1.0. Affected is an unknown function of the file /main/products.php. This manipulation of the argument product_code/gen_name/product_name/supplier causes cross site scripting. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. | |||||
| CVE-2025-55422 | 1 Foxcms | 1 Foxcms | 2025-09-09 | N/A | 8.8 HIGH |
| In FoxCMS 1.2.6, there is a reflected Cross Site Scripting (XSS) vulnerability in /index.php/plus. | |||||
| CVE-2025-55618 | 1 Hyundai | 1 Navigation | 2025-09-09 | N/A | 7.3 HIGH |
| In Hyundai Navigation App STD5W.EUR.HMC.230516.afa908d, an attacker can inject HTML payloads in the profile name field in navigation app which then get rendered. | |||||
| CVE-2025-34521 | 1 Arcserve | 1 Udp | 2025-09-09 | N/A | 5.4 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability exists in the web interface of the Arcserve Unified Data Protection (UDP), where unsanitized user input is improperly reflected in HTTP responses. This flaw allows remote attackers with low privileges to craft malicious links that, when visited by another user, execute arbitrary JavaScript in the victim’s browser. Successful exploitation may lead to session hijacking, credential theft, or other client-side impacts. The vulnerability requires user interaction and occurs within a shared browser context. This vulnerability affects all UDP versions prior to 10.2. UDP 10.2 includes the necessary patches and requires no action. Versions 8.0 through 10.1 are supported and require either patch application or upgrade to 10.2. Versions 7.x and earlier are unsupported or out of maintenance and must be upgraded to 10.2 to remediate the issue. | |||||
| CVE-2025-55579 | 1 Solidinvoice | 1 Solidinvoice | 2025-09-09 | N/A | 5.4 MEDIUM |
| SolidInvoice version 2.3.7 is vulnerable to a Stored Cross-Site Scripting (XSS) issue in the Tax Rates functionality. The vulnerability is fixed in version 2.3.8. | |||||
| CVE-2025-55580 | 1 Solidinvoice | 1 Solidinvoice | 2025-09-09 | N/A | 5.4 MEDIUM |
| SolidInvoice version 2.3.7 is vulnerable to a stored cross-site scripting (XSS) issue in the Clients module. An authenticated attacker can inject JavaScript that executes in other users' browsers when the Clients page is viewed. The vulnerability is fixed in version 2.3.8. | |||||
| CVE-2025-23207 | 1 Katex | 1 Katex | 2025-09-08 | N/A | 6.3 MEDIUM |
| KaTeX is a fast, easy-to-use JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions with `renderToString` could encounter malicious input using `\htmlData` that runs arbitrary JavaScript, or generate invalid HTML. Users are advised to upgrade to KaTeX v0.16.21 to remove this vulnerability. Users unable to upgrade should avoid use of or turn off the `trust` option, or set it to forbid `\htmlData` commands, forbid inputs containing the substring `"\\htmlData"` and sanitize HTML output from KaTeX. | |||||
| CVE-2025-10088 | 1 Rems | 1 Personal Time Tracker | 2025-09-08 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was detected in SourceCodester Time Tracker 1.0. The affected element is an unknown function of the file /index.html. Performing manipulation of the argument project-name results in cross site scripting. The attack may be initiated remotely. The exploit is now public and may be used. | |||||
| CVE-2025-45805 | 1 Phpgurukul | 1 Doctor Appointment Management System | 2025-09-08 | N/A | 7.6 HIGH |
| In phpgurukul Doctor Appointment Management System 1.0, an authenticated doctor user can inject arbitrary JavaScript code into their profile name. This payload is subsequently rendered without proper sanitization, when a user visits the website and selects the doctor to book an appointment. | |||||
| CVE-2025-55175 | 1 Opensolution | 1 Quick.cms | 2025-09-08 | N/A | 6.1 MEDIUM |
| QuickCMS is vulnerable to Reflected XSS via sLangEdit parameter in admin's panel functionality. A malicious attacker can craft a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | |||||
| CVE-2025-54544 | 1 Opensolution | 1 Quick.cms | 2025-09-08 | N/A | 4.8 MEDIUM |
| QuickCMS is vulnerable to Stored XSS via aDirFilesDescriptions parameter in files editor functionality. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. By default admin user is not able to add JavaScript into the website. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | |||||
| CVE-2025-54172 | 1 Opensolution | 1 Quick.cms | 2025-09-08 | N/A | 4.8 MEDIUM |
| QuickCMS is vulnerable to Stored XSS in sTitle parameter in page editor functionality. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. Regular admin user is not able to inject any JS scripts into the page. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | |||||
| CVE-2025-54175 | 1 Opensolution | 1 Quick.cms.ext | 2025-09-08 | N/A | 6.1 MEDIUM |
| QuickCMS.EXT is vulnerable to Reflected XSS in sFileName parameter in thumbnail viewer functionality. An attacker can craft a malicious URL that results in arbitrary JavaScript execution in the victim's browser when opened. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | |||||
| CVE-2025-54540 | 1 Opensolution | 1 Quick.cms | 2025-09-08 | N/A | 6.1 MEDIUM |
| QuickCMS is vulnerable to Reflected XSS via sSort parameter in admin's panel functionality. A malicious attacker can craft a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | |||||
| CVE-2025-54543 | 1 Opensolution | 1 Quick.cms | 2025-09-08 | N/A | 4.8 MEDIUM |
| QuickCMS is vulnerable to Stored XSS via sDescriptionMeta parameter in page editor SEO functionality. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. By default admin user is not able to add JavaScript into the website. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | |||||
| CVE-2011-4923 | 1 Backuppc | 1 Backuppc | 2025-09-08 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in View.pm in BackupPC 3.0.0, 3.1.0, 3.2.0, 3.2.1, and possibly earlier allows remote attackers to inject arbitrary web script or HTML via the num parameter in a view action to index.cgi, related to the log file viewer, a different vulnerability than CVE-2011-3361. | |||||
| CVE-2011-3361 | 1 Backuppc | 1 Backuppc | 2025-09-08 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in CGI/Browse.pm in BackupPC 3.2.0 and possibly other versions before 3.2.1 allows remote attackers to inject arbitrary web script or HTML via the num parameter in a browse action to index.cgi. | |||||
| CVE-2011-5081 | 1 Backuppc | 1 Backuppc | 2025-09-08 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in RestoreFile.pm in BackupPC 3.1.0, 3.2.1, and possibly other earlier versions allows remote attackers to inject arbitrary web script or HTML via the share parameter in a RestoreFile action to index.cgi. | |||||
| CVE-2025-9929 | 1 Fabian | 1 Responsive Blog Site | 2025-09-08 | 3.3 LOW | 2.4 LOW |
| A weakness has been identified in code-projects Responsive Blog Site 1.0. This affects an unknown function of the file blogs_view.php. Executing manipulation of the argument product_code/gen_name/product_name/supplier can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. | |||||
| CVE-2025-9923 | 1 Campcodes | 1 Sales And Inventory System | 2025-09-08 | 5.0 MEDIUM | 4.3 MEDIUM |
| A flaw has been found in Campcodes Sales and Inventory System 1.0. This affects an unknown part of the file /index.php. Executing manipulation of the argument page can lead to cross site scripting. The attack may be launched remotely. The exploit has been published and may be used. | |||||