Total
39597 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-2864 | 1 Arteche | 2 Satech Bcu, Satech Bcu Firmware | 2025-10-10 | N/A | 6.1 MEDIUM |
| SaTECH BCU in its firmware version 2.1.3 allows an attacker to inject malicious code into the legitimate website owning the affected device, once the cookie is set. This attack only impacts the victim's browser (reflected XSS). | |||||
| CVE-2025-60445 | 1 Xunruicms | 1 Xunruicms | 2025-10-10 | N/A | 6.1 MEDIUM |
| A stored Cross-Site Scripting (XSS) vulnerability has been discovered in XunRuiCMS version 4.7.1. The vulnerability exists due to insufficient validation of SVG file uploads in the dayrui/Fcms/Library/Upload.php component, allowing attackers to inject malicious JavaScript code that executes when the uploaded file is viewed. | |||||
| CVE-2025-2865 | 1 Arteche | 2 Satech Bcu, Satech Bcu Firmware | 2025-10-10 | N/A | 6.1 MEDIUM |
| SaTECH BCU, in its firmware version 2.1.3, could allow XSS attacks and other malicious resources to be stored on the web server. An attacker with some knowledge of the web application could send a malicious request to the victim users. Through this request, the victims would interpret the code (resources) stored on another malicious website owned by the attacker. | |||||
| CVE-2025-60298 | 1 Xxyopen | 1 Novel-plus | 2025-10-10 | N/A | 5.4 MEDIUM |
| Novel-Plus up to 5.2.4 was discovered to contain a Stored Cross-Site Scripting (XSS) vulnerability via the /author/updateIndexName endpoint. This vulnerability allows authenticated attackers to inject malicious JavaScript code through the indexName parameter, which gets stored in the database and executed when other users view the affected book chapter. | |||||
| CVE-2025-60299 | 1 Xxyopen | 1 Novel-plus | 2025-10-10 | N/A | 5.4 MEDIUM |
| Novel-Plus with 5.2.0 was discovered to contain a Stored Cross-Site Scripting (XSS) vulnerability via the /book/addCommentReply endpoint. An authenticated user can inject malicious JavaScript through the replyContent parameter when replying to a book comment. The payload is stored in the database and is executed in other users’ browsers when they view the affected comment thread. | |||||
| CVE-2025-60314 | 1 Configuroweb | 1 Simple Web Inventory System | 2025-10-10 | N/A | 5.4 MEDIUM |
| Configuroweb Sistema Web de Inventario 1.0 is vulnerable to a Stored Cross-Site Scripting (XSS) due to the lack of input sanitization on the product name parameter (Nombre:Producto) allowing an authenticated attacker to inject malicious payloads and execute arbitrary JavaScript. | |||||
| CVE-2025-60312 | 1 Rems | 1 Markdown To Html Converter | 2025-10-10 | N/A | 6.1 MEDIUM |
| Sourcecodester Markdown to HTML Converter v1.0 is vulnerable to a Cross-Site Scripting (XSS) in the "Markdown Input" field, allowing a remote attacker to inject arbitrary HTML/JavaScript code that executes in the victim's browser upon clicking the "Convert to HTML" button. | |||||
| CVE-2025-60967 | 1 Endruntechnologies | 2 Sonoma D12, Sonoma D12 Firmware | 2025-10-10 | N/A | 7.3 HIGH |
| Cross Site Scripting (XSS) vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0076-000 Ver 4.00 allows attackers to gain sensitive information. | |||||
| CVE-2024-40626 | 1 Getoutline | 1 Outline | 2025-10-10 | N/A | 7.3 HIGH |
| Outline is an open source, collaborative document editor. A type confusion issue was found in ProseMirror’s rendering process that leads to a Stored Cross-Site Scripting (XSS) vulnerability in Outline. An authenticated user can create a document containing a malicious JavaScript payload. When other users view this document, the malicious Javascript can execute in the origin of Outline. Outline includes CSP rules to prevent third-party code execution, however in the case of self-hosting and having your file storage on the same domain as Outline a malicious payload can be uploaded as a file attachment and bypass those CSP restrictions. This issue has been addressed in release version 0.77.3. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2025-0972 | 1 Zenvia | 1 Movidesk | 2025-10-10 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability classified as problematic has been found in Zenvia Movidesk up to 25.01.22. This affects an unknown part of the component New Ticket Handler. The manipulation of the argument subject leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 25.01.22.245a473c54 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2025-0971 | 1 Zenvia | 1 Movidesk | 2025-10-10 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was found in Zenvia Movidesk up to 25.01.22. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /Account/EditProfile of the component Profile Editing. The manipulation of the argument username leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 25.01.22.245a473c54 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2024-2135 | 1 Bdtask | 1 Hospital Automanager | 2025-10-10 | 3.3 LOW | 2.4 LOW |
| A vulnerability was found in Bdtask Hospita AutoManager up to 20240223 and classified as problematic. This issue affects some unknown processing of the file /hospital_activities/birth/form of the component Hospital Activities Page. The manipulation of the argument Description with the input <img src=a onerror=alert(1)> leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-255497 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-40626 | 1 Abantecart | 1 Abantecart | 2025-10-10 | N/A | 6.1 MEDIUM |
| Reflected Cross-Site Scripting (XSS) vulnerability in AbanteCart v1.4.0, that could allow an attacker to execute JavaScript code in a victim's browser by sending the victim a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user, through "/about_us?[XSS_PAYLOAD]". | |||||
| CVE-2025-40627 | 1 Abantecart | 1 Abantecart | 2025-10-10 | N/A | 6.1 MEDIUM |
| Reflected Cross-Site Scripting (XSS) vulnerability in AbanteCart v1.4.0, that could allow an attacker to execute JavaScript code in a victim's browser by sending the victim a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user, through "/eyes? [XSS_PAYLOAD]". | |||||
| CVE-2025-9931 | 1 Jinher | 1 Jinher Oa | 2025-10-09 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was detected in Jinher OA 1.0. Affected is an unknown function of the file /jc6/platform/sys/login!changePassWord.action of the component POST Request Handler. The manipulation of the argument Account results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used. | |||||
| CVE-2025-51411 | 1 Vishalmathur | 1 Institute-of-current-students | 2025-10-09 | N/A | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability exists in Institute-of-Current-Students v1.0 via the email parameter in the /postquerypublic endpoint. The application fails to properly sanitize user input before reflecting it in the HTML response. This allows unauthenticated attackers to inject and execute arbitrary JavaScript code in the context of the victim's browser by tricking them into visiting a crafted URL or submitting a malicious form. Successful exploitation may lead to session hijacking, credential theft, or other client-side attacks. | |||||
| CVE-2025-40632 | 1 Icewarp | 1 Mail Server | 2025-10-09 | N/A | 6.1 MEDIUM |
| Cross-site scripting (XSS) in Icewarp Mail Server affecting version 11.4.0. This vulnerability allows an attacker to modify the “lastLogin” cookie with malicious JavaScript code that will be executed when the page is rendered. | |||||
| CVE-2024-42200 | 1 Hcltech | 1 Bigfix Platform | 2025-10-09 | N/A | 5.4 MEDIUM |
| HCL BigFix Web Reports might be subject to a Stored Cross-Site Scripting (XSS) attack, due to a potentially weak validation of user input. | |||||
| CVE-2025-50927 | 1 Ehcp | 1 Easy Hosting Control Panel | 2025-10-09 | N/A | 6.3 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in the List All FTP User Function in EHCP v20.04.1.b allows authenticated attackers to execute arbitrary JavaScript via injecting a crafted payload into the ftpusername parameter. | |||||
| CVE-2025-51053 | 1 Vedo Suite Project | 1 Vedo Suite | 2025-10-09 | N/A | 6.1 MEDIUM |
| A Cross-site scripting (XSS) vulnerability in /api_vedo/ in Vedo Suite version 2024.17 allows remote attackers to inject arbitrary Javascript or HTML code and potentially trigger code execution in victim's browser. | |||||