Total
39541 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-40632 | 1 Icewarp | 1 Mail Server | 2025-10-09 | N/A | 6.1 MEDIUM |
| Cross-site scripting (XSS) in Icewarp Mail Server affecting version 11.4.0. This vulnerability allows an attacker to modify the “lastLogin” cookie with malicious JavaScript code that will be executed when the page is rendered. | |||||
| CVE-2024-42200 | 1 Hcltech | 1 Bigfix Platform | 2025-10-09 | N/A | 5.4 MEDIUM |
| HCL BigFix Web Reports might be subject to a Stored Cross-Site Scripting (XSS) attack, due to a potentially weak validation of user input. | |||||
| CVE-2025-50927 | 1 Ehcp | 1 Easy Hosting Control Panel | 2025-10-09 | N/A | 6.3 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in the List All FTP User Function in EHCP v20.04.1.b allows authenticated attackers to execute arbitrary JavaScript via injecting a crafted payload into the ftpusername parameter. | |||||
| CVE-2025-51053 | 1 Vedo Suite Project | 1 Vedo Suite | 2025-10-09 | N/A | 6.1 MEDIUM |
| A Cross-site scripting (XSS) vulnerability in /api_vedo/ in Vedo Suite version 2024.17 allows remote attackers to inject arbitrary Javascript or HTML code and potentially trigger code execution in victim's browser. | |||||
| CVE-2025-54571 | 1 Owasp | 1 Modsecurity | 2025-10-09 | N/A | 6.1 MEDIUM |
| ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below, an attacker can override the HTTP response’s Content-Type, which could lead to several issues depending on the HTTP scenario. For example, we have demonstrated the potential for XSS and arbitrary script source code disclosure in the latest version of mod_security2. This issue is fixed in version 2.9.12. | |||||
| CVE-2025-61769 | 1 Emlog | 1 Emlog | 2025-10-09 | N/A | 6.1 MEDIUM |
| Emlog is an open source website building system. A cross-site scripting (XSS) vulnerability in emlog up to and including version 2.5.22 allows authenticated remote attackers to inject arbitrary web script or HTML via the file upload functionality. As an authenticated user it is possible to upload .svg file that contains JavaScript code that is later being executed. Commit 052f9c4226b2c0014bcd857fec47677340b185b1 fixes the issue. | |||||
| CVE-2025-40729 | 1 Oretnom23 | 1 Customer Support System | 2025-10-09 | N/A | 6.1 MEDIUM |
| Reflected Cross-Site Scripting (XSS) in /customer_support/index.php in Customer Support System v1.0, which allows remote attackers to execute arbitrary code via the page parameter. | |||||
| CVE-2025-11390 | 1 Phpgurukul | 1 Cyber Cafe Management System | 2025-10-09 | 5.0 MEDIUM | 4.3 MEDIUM |
| A weakness has been identified in PHPGurukul Cyber Cafe Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /search.php of the component POST Parameter Handler. Executing manipulation of the argument searchdata can lead to cross site scripting. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. | |||||
| CVE-2025-11425 | 1 Projectworlds | 1 Advanced Library Management System | 2025-10-09 | 3.3 LOW | 2.4 LOW |
| A vulnerability was identified in projectworlds Advanced Library Management System 1.0. Affected is an unknown function of the file /edit_admin.php. The manipulation of the argument firstname leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. Other parameters might be affected as well. | |||||
| CVE-2025-11421 | 1 Fabian | 1 Voting System | 2025-10-09 | 4.0 MEDIUM | 3.5 LOW |
| A flaw has been found in code-projects Voting System 1.0. The affected element is an unknown function of the file /admin/candidates_edit.php. This manipulation of the argument Firstname/Lastname/Platform causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been published and may be used. | |||||
| CVE-2025-11433 | 1 Itsourcecode | 1 Leave Management System | 2025-10-09 | 4.0 MEDIUM | 3.5 LOW |
| A security flaw has been discovered in itsourcecode Leave Management System 1.0. This impacts the function redirect of the file /module/employee/controller.php?action=reset of the component Query Parameter Handler. Performing manipulation of the argument ID results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. | |||||
| CVE-2025-11435 | 1 Jhumanj | 1 Opnform | 2025-10-09 | 5.0 MEDIUM | 4.3 MEDIUM |
| A security vulnerability has been detected in JhumanJ OpnForm up to 1.9.3. Affected by this vulnerability is an unknown functionality of the file /show/submissions. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The identifier of the patch is a2af1184e53953afa8cb052f4055f288adcaa608. To fix this issue, it is recommended to deploy a patch. | |||||
| CVE-2025-11437 | 1 Jhumanj | 1 Opnform | 2025-10-09 | 3.3 LOW | 2.4 LOW |
| A flaw has been found in JhumanJ OpnForm up to 1.9.3. This affects an unknown part of the file /api/open/forms/ of the component Form Editor. This manipulation causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be used. This issue is currently under review for additional handling. As of right now the vendor has stated that the feature is disabled until the user has configured their own domain which will mitigate this attack vector. | |||||
| CVE-2025-61183 | 1 Webreinvent | 1 Vaahcms | 2025-10-09 | N/A | 6.1 MEDIUM |
| Cross Site Scripting in vaahcms v.2.3.1 allows a remote attacker to execute arbitrary code via upload method in the storeAvatar() method of UserBase.php | |||||
| CVE-2025-60313 | 1 Rems | 1 Link Status Checker | 2025-10-09 | N/A | 6.1 MEDIUM |
| Sourcecodester Link Status Checker 1.0 is vulnerable to a Cross-Site Scripting (XSS) in the Enter URLs to check input field. This allows a remote attacker to execute arbitrary code. | |||||
| CVE-2025-60318 | 1 Mayurik | 1 Pet Grooming Management Software | 2025-10-09 | N/A | 6.1 MEDIUM |
| SourceCodester Pet Grooming Management Software 1.0 is vulnerable to Cross Site Scripting (XSS) in /admin/profile.php via the fname (First Name) and lname (Last Name) fields. | |||||
| CVE-2025-11485 | 1 Remyandrade | 1 Student Grades Management System | 2025-10-09 | 3.3 LOW | 2.4 LOW |
| A vulnerability was determined in SourceCodester Student Grades Management System 1.0. Affected is the function add_user of the file /admin.php of the component Manage Users Page. This manipulation of the argument first_name/last_name causes cross site scripting. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. | |||||
| CVE-2025-51462 | 1 Infiniflow | 1 Ragflow | 2025-10-09 | N/A | 6.1 MEDIUM |
| Stored Cross-site Scripting (XSS) vulnerability in api.apps.dialog_app.set_dialog in RAGFlow 0.17.2 allows remote attackers to execute arbitrary JavaScript via crafted input to the assistant greeting field, which is stored unsanitised and rendered using a markdown component with rehype-raw. | |||||
| CVE-2025-61788 | 1 Apereo | 1 Opencast | 2025-10-09 | N/A | 5.4 MEDIUM |
| Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to Opencast 17.8 and 18.2, the paella would include and render some user inputs (metadata like title, description, etc.) unfiltered and unmodified. The vulnerability allows attackers to inject and malicious HTML and JavaScript in the player, which would then be executed in the browsers of users watching the prepared media. This can then be used to modify the site or to execute actions in the name of logged-in users. To inject malicious metadata, an attacker needs write access to the system. For example, the ability to upload media and modify metadata. This cannot be exploited by unauthenticated users. This issue is fixed in Opencast 17.8 and 18.2. | |||||
| CVE-2025-10240 | 2025-10-09 | N/A | 8.8 HIGH | ||
| A vulnerability exists in the Progress Flowmon web application prior to version 12.5.5, whereby a user who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated session. | |||||