Total
35377 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-32951 | 2025-04-23 | N/A | 6.4 MEDIUM | ||
| Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser. For a successful attack, a malicious file needs to be uploaded beforehand. This issue has been patched in versions 1.6.2 and 2.4.0. A workaround is provided on the Jmix documentation website. | |||||
| CVE-2025-32960 | 2025-04-23 | N/A | 6.4 MEDIUM | ||
| The CUBA REST API add-on performs operations on data and entities. Prior to version 7.2.7, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser. For a successful attack, a malicious file needs to be uploaded beforehand. This issue has been patched in version 7.2.7. A workaround is provided on the Jmix documentation website. | |||||
| CVE-2025-46226 | 2025-04-23 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ferranfg MPL-Publisher allows Stored XSS. This issue affects MPL-Publisher: from n/a through 2.18.0. | |||||
| CVE-2025-1054 | 2025-04-23 | N/A | 6.4 MEDIUM | ||
| The UiCore Elements – Free Elementor widgets and templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the UI Counter, UI Icon Box, UI Testimonial Slider, UI Testimonial Grid, and UI Testimonial Carousel widgets in all versions up to, and including, 1.0.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-46253 | 2025-04-23 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ataur R GutenKit allows Stored XSS. This issue affects GutenKit: from n/a through 2.2.2. | |||||
| CVE-2025-46238 | 2025-04-23 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rbaer List Last Changes allows Stored XSS. This issue affects List Last Changes: from n/a through 1.2.1. | |||||
| CVE-2025-46254 | 2025-04-23 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Visual Composer Visual Composer Website Builder allows Stored XSS. This issue affects Visual Composer Website Builder: from n/a through 45.10.0. | |||||
| CVE-2025-23175 | 2025-04-23 | N/A | 6.1 MEDIUM | ||
| Multiple XSS (CWE-79) | |||||
| CVE-2025-3814 | 2025-04-23 | N/A | 6.4 MEDIUM | ||
| The Tax Switch for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class-name’ parameter in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-46240 | 2025-04-23 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeff Starr Simple Download Counter allows Stored XSS. This issue affects Simple Download Counter: from n/a through 2.2. | |||||
| CVE-2025-46236 | 2025-04-23 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Link Software LLC HTML Forms allows Stored XSS. This issue affects HTML Forms: from n/a through 1.5.2. | |||||
| CVE-2025-46229 | 2025-04-23 | N/A | 5.9 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Israpil Textmetrics allows Stored XSS. This issue affects Textmetrics: from n/a through 3.6.2. | |||||
| CVE-2025-46235 | 2025-04-23 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Blocks – Gutenberg based Page Builder allows Stored XSS. This issue affects SKT Blocks – Gutenberg based Page Builder: from n/a through 2.0. | |||||
| CVE-2025-32961 | 2025-04-23 | N/A | 6.4 MEDIUM | ||
| The Cuba JPA web API enables loading and saving any entities defined in the application data model by sending simple HTTP requests. Prior to version 1.1.1, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser. For a successful attack, a malicious file needs to be uploaded beforehand. This issue has been patched in version 1.1.1. A workaround is provided on the Jmix documentation website. | |||||
| CVE-2025-3458 | 2025-04-23 | N/A | 6.4 MEDIUM | ||
| The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ocean_gallery_id’ parameter in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The Classic Editor plugin must be installed and activated to exploit the vulnerability. | |||||
| CVE-2025-43952 | 2025-04-23 | N/A | 6.1 MEDIUM | ||
| A cross-site scripting (reflected XSS) vulnerability was found in Mettler Toledo FreeWeight.Net Web Reports Viewer 8.4.0 (440). It allows an attacker to inject malicious scripts via the IW_SessionID_ parameter. | |||||
| CVE-2025-2703 | 2025-04-23 | N/A | 6.8 MEDIUM | ||
| The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript. | |||||
| CVE-2023-51306 | 1 Phpjabbers | 1 Event Ticketing System | 2025-04-23 | N/A | 5.4 MEDIUM |
| PHPJabbers Event Ticketing System v1.0 is vulnerable to Multiple Stored Cross-Site Scripting (XSS) in the "name, title" parameters. | |||||
| CVE-2023-51312 | 1 Phpjabbers | 1 Restaurant Booking System | 2025-04-23 | N/A | 5.4 MEDIUM |
| PHPJabbers Restaurant Booking System v3.0 is vulnerable to Reflected Cross-Site Scripting (XSS) in Reservations menu, Schedule section date parameter. | |||||
| CVE-2024-46494 | 1 Typecho | 1 Typecho | 2025-04-23 | N/A | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Typecho v1.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into Name parameter under a comment for an Article. | |||||