Total
39546 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-43822 | 2025-10-08 | N/A | N/A | ||
| Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.3.15 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 15 through update 92 allow remote attackers to inject arbitrary web script or HTML via crafted payload injected into a Terms and Condition's Name text field to (1) Payment Terms, or (2) the Delivery Term on the view order page. | |||||
| CVE-2025-43829 | 2025-10-08 | N/A | N/A | ||
| Stored cross-site scripting (XSS) vulnerability in diagram type products in Commerce in Liferay Portal 7.4.3.18 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 18 through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a SVG file. | |||||
| CVE-2025-43830 | 2025-10-08 | N/A | N/A | ||
| Stored cross-site scripting (XSS) vulnerability in Forms in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and 7.3 GA through update 35 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a form with a rich text type field. | |||||
| CVE-2025-43771 | 2025-10-08 | N/A | N/A | ||
| Multiple cross-site scripting (XSS) vulnerabilities in the Notifications widget in Liferay Portal 7.4.3.102 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5 and 2023.Q3.1 through 2023.Q3.10 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into (1) a user’s “First Name” text field, (2) a user’s “Middle Name” text field, (3) a user’s “Last Name” text field, (4) the “Other Reason” text field when flagging content, or (5) the name of the flagged content. | |||||
| CVE-2025-43823 | 2025-10-08 | N/A | N/A | ||
| Cross-site scripting (XSS) vulnerability in the Commerce Search Result widget in Liferay Portal 7.4.0 through 7.4.3.111, and Liferay DXP 2023.Q4 before patch 6, 2023.Q3 before patch 9, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Commerce Product's Name text field. | |||||
| CVE-2025-1826 | 2025-10-08 | N/A | 5.4 MEDIUM | ||
| IBM Engineering Requirements Management DOORS Next (IBM Jazz Foundation 7.0.2 to 7.0.2 iFix034, 7.0.3 to 7.0.3 iFix016, and 7.1.0 to 7.1.0 iFix004) is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users on the host network to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | |||||
| CVE-2025-3448 | 2025-10-08 | N/A | 6.1 MEDIUM | ||
| Reflected cross-site scripting (XSS) vulnerabilities exist in System Diagnostics Manager (SDM) of B&R Automation Runtime versions before 6.4 that enables a remote attacker to execute arbitrary JavaScript code in the context of the attacked user’s browser session | |||||
| CVE-2025-43821 | 2025-10-08 | N/A | N/A | ||
| Cross-site scripting (XSS) vulnerability in the Commerce Product Comparison Table widget in Liferay Portal 7.4.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Commerce Product's Name text field. | |||||
| CVE-2025-57145 | 1 Phpgurukul | 1 Auto Taxi Stand Management System | 2025-10-08 | N/A | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability exists in the search-autootaxi.php endpoint of the ATSMS web application. The application fails to properly sanitize user input submitted through a form field, allowing an attacker to inject arbitrary JavaScript code. The malicious payload is stored in the backend and executed when a user or administrator accesses the affected report page. This allows attackers to exfiltrate session cookies, hijack user sessions, and perform unauthorized actions in the context of the victims browser. | |||||
| CVE-2025-0746 | 1 Thesamur | 1 Embedai | 2025-10-08 | N/A | 6.1 MEDIUM |
| A Reflected Cross-Site Scripting vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to craft a malicious URL leveraging the"/embedai/users/show/<SCRIPT>" endpoint to inject the malicious JavaScript code. This JavaScript code will be executed when a user opens the malicious URL. | |||||
| CVE-2025-0747 | 1 Thesamur | 1 Embedai | 2025-10-08 | N/A | 8.6 HIGH |
| A Stored Cross-Site Scripting vulnerability has been found in EmbedAI. This vulnerability allows an authenticated attacker to inject a malicious JavaScript code into a message that will be executed when a user opens the chat. | |||||
| CVE-2025-10758 | 1 Htmly | 1 Htmly | 2025-10-08 | 3.3 LOW | 2.4 LOW |
| A security vulnerability has been detected in htmly up to 3.1.0. The impacted element is an unknown function of the file /htmly/admin/field/post of the component Custom Field Handler. Such manipulation of the argument label leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-57407 | 1 Gp247 | 1 Gp247 | 2025-10-08 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in the Admin Log Viewer of S-Cart <=10.0.3 allows a remote authenticated attacker to inject arbitrary web script or HTML via a crafted User-Agent header. The script is executed in an administrator's browser when they view the security log page, which could lead to session hijacking or other malicious actions. | |||||
| CVE-2025-56304 | 1 Yzmcms | 1 Yzmcms | 2025-10-08 | N/A | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in YzmCMS thru 7.3 via the referer header in the register page. | |||||
| CVE-2025-3019 | 1 Knime | 1 Business Hub | 2025-10-08 | N/A | 7.2 HIGH |
| KNIME Business Hub is affected by several cross-site scripting vulnerabilities in its web pages. If a user clicks on a malicious link or opens a malicious web page, arbitrary Java Script may be executed with this user's permissions. This can lead to information loss and/or modification of existing data. The issues are caused by a bug https://github.com/Baroshem/nuxt-security/issues/610 in the widely used nuxt-security module. There are no viable workarounds therefore we strongly recommend to update to one of the following versions of KNIME Business Hub: * 1.13.3 or later * 1.12.4 or later | |||||
| CVE-2025-59415 | 1 Frappe | 1 Learning | 2025-10-08 | N/A | 4.6 MEDIUM |
| Frappe Learning is a learning system that helps users structure their content. In versions 2.34.1 and below, there is a security vulnerability in Frappe Learning where the system did not adequately sanitize the content uploaded in the profile bio. Malicious SVG files could be used to execute arbitrary scripts in the context of other users. | |||||
| CVE-2025-57452 | 1 Realme | 1 Clone Phone | 2025-10-08 | N/A | 6.1 MEDIUM |
| In realme BackupRestore app v15.1.12_2810c08_250314, improper URI scheme handling in com.coloros.pc.PcToolMainActivity allows local attackers to cause a crash and potential XSS via crafted ADB intents. | |||||
| CVE-2024-36453 | 1 Webmin | 2 Usermin, Webmin | 2025-10-08 | N/A | 6.1 MEDIUM |
| Cross-site scripting vulnerability exists in session_login.cgi of Webmin versions prior to 1.970 and Usermin versions prior to 1.820. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the website using the product. As a result, a webpage may be altered or sensitive information such as a credential may be disclosed. | |||||
| CVE-2025-52653 | 1 Hcltech | 1 Dryice Myxalytics | 2025-10-08 | N/A | 7.6 HIGH |
| HCL MyXalytics product is affected by Cross Site Scripting vulnerability in the web application. This can allow the execution of unauthorized scripts, potentially resulting in unauthorized actions or access. | |||||
| CVE-2025-36248 | 1 Ibm | 1 Copy Services Manager | 2025-10-08 | N/A | 5.4 MEDIUM |
| IBM Copy Services Manager 6.3.13 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | |||||