Total
39597 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-5532 | 1 Microfocus | 1 Operations Agent | 2025-10-14 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText™ Operations Agent. The XSS vulnerability could allow an attacker with local admin permissions to manipulate the content of the internal status page of the Agent on the local system. This issue affects Operations Agent: 12.20, 12.21, 12.22, 12.23, 12.24, 12.25, 12.26. | |||||
| CVE-2024-28804 | 1 Italtel | 1 I-mcs Nfv | 2025-10-14 | N/A | 7.1 HIGH |
| An issue was discovered in Italtel i-MCS NFV 12.1.0-20211215. Stored Cross-site scripting (XSS) can occur via POST. | |||||
| CVE-2025-23366 | 1 Redhat | 1 Hal Management Console | 2025-10-14 | N/A | 6.5 MEDIUM |
| A flaw was found in the HAL Console in the Wildfly component, which does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a web page that is served to other users. The attacker must be authenticated as a user that belongs to management groups “SuperUser”, “Admin”, or “Maintainer”. | |||||
| CVE-2024-28803 | 1 Italtel | 1 I-mcs Nfv | 2025-10-14 | N/A | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Italtel S.p.A. i-MCS NFV v.12.1.0-20211215 allows unauthenticated remote attackers to inject arbitrary web script or HTML into an HTTP/POST parameter. | |||||
| CVE-2025-1534 | 1 Payara | 1 Payara | 2025-10-14 | N/A | 5.4 MEDIUM |
| CVE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Payara Platform Payara Server allows Remote Code Inclusion. This issue affects Payara Server: from 4.1.2.1919.1 before 4.1.2.191.51, from 5.20.0 before 5.68.0, from 6.0.0 before 6.23.0, from 6.2022.1 before 6.2025.2. | |||||
| CVE-2025-56683 | | | 2025-10-14 | N/A | 9.6 CRITICAL |
| A cross-site scripting (XSS) vulnerability in the component /app/marketplace.html of Logseq v0.10.9 allows attackers to execute arbitrary code via injecting arbitrary Javascript into a crafted README.md file. | |||||
| CVE-2024-45389 | 1 Pagefind | 1 Pagefind | 2025-10-14 | N/A | 6.4 MEDIUM |
| Pagefind, a fully static search library, initializes its dynamic JavaScript and WebAssembly files relative to the location of the first script the user loads. This information is gathered by looking up the value of `document.currentScript.src`. Prior to Pagefind version 1.1.1, it is possible to "clobber" this lookup with otherwise benign HTML on the page. This will cause `document.currentScript.src` to resolve as an external domain, which will then be used by Pagefind to load dependencies. This exploit would only work in the case that an attacker could inject HTML to a live, hosted, website. In these cases, this would act as a way to escalate the privilege available to an attacker. This assumes they have the ability to add some elements to the page (for example, `img` tags with a `name` attribute), but not others, as adding a `script` to the page would itself be the cross-site scripting vector. Pagefind has tightened this resolution in version 1.1.1 by ensuring the source is loaded from a valid script element. There are no reports of this being exploited in the wild via Pagefind. | |||||
| CVE-2025-46102 | 1 Beakon | 1 Learning Management System Sharable Content Object Reference Model | 2025-10-14 | N/A | 5.4 MEDIUM |
| Cross Site Scripting vulnerability in Beakon Software Beakon Learning Management System Sharable Content Object Reference Model (SCORM) version V.5.4.3 allows a remote attacker to obtain sensitive information via the URL parameter | |||||
| CVE-2025-45960 | 1 Tawk | 1 Tawk.to | 2025-10-14 | N/A | 6.1 MEDIUM |
| Cross Site Scripting vulnerability in tawk.to Live Chat v.1.6.1 allows a remote attacker to execute arbitrary code because the web application stores and displays user-supplied input without proper input validation or encoding. | |||||
| CVE-2025-45778 | 1 Languagesloth | 1 The Language Sloth | 2025-10-14 | N/A | 6.1 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in The Language Sloth Web Application v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Description text field. | |||||
| CVE-2025-9723 | 1 Portabilis | 1 I-educar | 2025-10-13 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was found in Portabilis i-Educar up to 2.10. This affects an unknown function of the file /intranet/educar_tipo_regime_cad.php. Performing manipulation of the argument nm_tipo results in cross site scripting. The attack can be initiated remotely. The exploit has been made public and could be used. | |||||
| CVE-2025-9722 | 1 Portabilis | 1 I-educar | 2025-10-13 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability has been found in Portabilis i-Educar up to 2.10. The impacted element is an unknown function of the file /intranet/educar_tipo_ocorrencia_disciplinar_cad.php. Such manipulation of the argument nm_tipo/descricao leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-9721 | 1 Portabilis | 1 I-educar | 2025-10-13 | 4.0 MEDIUM | 3.5 LOW |
| A flaw has been found in Portabilis i-Educar up to 2.10. The affected element is an unknown function of the file /module/FormulaMedia/edit. This manipulation of the argument nome/formulaMedia causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been published and may be used. | |||||
| CVE-2025-9720 | 1 Portabilis | 1 I-educar | 2025-10-13 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was detected in Portabilis i-Educar up to 2.10. Impacted is an unknown function of the file /module/TabelaArredondamento/edit of the component Cadastrar tabela de arredondamento Page. The manipulation of the argument Nome results in cross site scripting. The attack may be performed from remote. The exploit is now public and may be used. | |||||
| CVE-2025-58430 | 1 Nadh | 1 Listmonk | 2025-10-10 | N/A | 6.1 MEDIUM |
| listmonk is a standalone, self-hosted newsletter and mailing list manager. In versions up to and including 1.1.0, every HTTP request included a `nonce` in addition to the session cookie `session`. The backend does not check or validate this value, so requests are still processed correctly when `nonce` is removed. This may seem harmless, but if chained with other vulnerabilities it can become a critical vulnerability. Cross-site request forgery and cross-site scripting chained together can result in improper admin account creation. As of time of publication, no patched versions are available. | |||||
| CVE-2025-25191 | 1 Group-office | 1 Group Office | 2025-10-10 | N/A | 5.4 MEDIUM |
| Group-Office is an enterprise CRM and groupware tool. This Stored XSS vulnerability exists where user input in the Name field is not properly sanitized before being stored. This vulnerability is fixed in 6.8.100. | |||||
| CVE-2024-4993 | 1 Ansanwan | 1 Siadmin | 2025-10-10 | N/A | 6.3 MEDIUM |
| Vulnerability in SiAdmin 1.1 that allows XSS via the /show.php query parameter. This vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and thereby steal their cookie session credentials. | |||||
| CVE-2024-5413 | 1 Phpmybackuppro | 1 Phpmybackuppro | 2025-10-10 | N/A | 7.1 HIGH |
| A vulnerability has been discovered in PhpMyBackupPro affecting version 2.3 that could allow an attacker to execute XSS through /phpmybackuppro/scheduled.php, all parameters. This vulnerability could allow an attacker to create a specially crafted URL and send it to a victim to retrieve their session details. | |||||
| CVE-2024-5414 | 1 Phpmybackuppro | 1 Phpmybackuppro | 2025-10-10 | N/A | 7.1 HIGH |
| A vulnerability has been discovered in PhpMyBackupPro affecting version 2.3 that could allow an attacker to execute XSS through /phpmybackuppro/get_file.php, 'view' parameter. This vulnerability could allow an attacker to create a specially crafted URL and send it to a victim to retrieve their session details. | |||||
| CVE-2024-5415 | 1 Phpmybackuppro | 1 Phpmybackuppro | 2025-10-10 | N/A | 7.1 HIGH |
| A vulnerability has been discovered in PhpMyBackupPro affecting version 2.3 that could allow an attacker to execute XSS through /phpmybackuppro/backup.php, 'comments' and 'db' parameters. This vulnerability could allow an attacker to create a specially crafted URL and send it to a victim to retrieve their session details. | |||||
