Total: 39597 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-8920 | 1 Portabilis | 1 I-diario | 2025-09-10 | 3.3 LOW | 2.4 LOW |
| A vulnerability was identified in Portabilis i-Diario 1.6. Affected by this vulnerability is an unknown functionality of the file /dicionario-de-termos-bncc of the component Dicionário de Termos BNCC Page. The manipulation of the argument Planos de ensino leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-55296 | 1 Librenms | 1 Librenms | 2025-09-10 | N/A | 5.5 MEDIUM |
| librenms is a community-based GPL-licensed network monitoring system. A stored Cross-Site Scripting (XSS) vulnerability exists in LibreNMS (<= 25.6.0) in the Alert Template creation feature. This allows a user with the admin role to inject malicious JavaScript, which will be executed when the template is rendered, potentially compromising other admin accounts. This vulnerability is fixed in 25.8.0. | |||||
| CVE-2025-9680 | 1 Zoneland | 1 O2oa | 2025-09-10 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was detected in O2OA up to 10.0-410. This impacts an unknown function of the file /x_portal_assemble_designer/jaxrs/page of the component Personal Profile Page. Performing manipulation results in cross site scripting. The attack can be initiated remotely. The exploit is now public and may be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." | |||||
| CVE-2025-9681 | 1 Zoneland | 1 O2oa | 2025-09-10 | 4.0 MEDIUM | 3.5 LOW |
| A flaw has been found in O2OA up to 10.0-410. Affected is an unknown function of the file /x_program_center/jaxrs/agent of the component Personal Profile Page. Executing manipulation can lead to cross site scripting. The attack can be launched remotely. The exploit has been published and may be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." | |||||
| CVE-2025-9682 | 1 Zoneland | 1 O2oa | 2025-09-10 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability has been found in O2OA up to 10.0-410. Affected by this vulnerability is an unknown functionality of the file /x_cms_assemble_control/jaxrs/design/appdict of the component Personal Profile Page. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." | |||||
| CVE-2025-9683 | 1 Zoneland | 1 O2oa | 2025-09-10 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was found in O2OA up to 10.0-410. Affected by this issue is some unknown functionality of the file /x_cms_assemble_control/jaxrs/form of the component Personal Profile Page. The manipulation results in cross site scripting. The attack may be launched remotely. The exploit has been made public and could be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." | |||||
| CVE-2025-50584 | 1 Daycloud | 1 Studentmanage | 2025-09-09 | N/A | 4.8 MEDIUM |
| StudentManage v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Add A New Teacher module. | |||||
| CVE-2025-50582 | 1 Daycloud | 1 Studentmanage | 2025-09-09 | N/A | 4.8 MEDIUM |
| StudentManage v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Add A New Course module. | |||||
| CVE-2025-50583 | 1 Daycloud | 1 Studentmanage | 2025-09-09 | N/A | 4.8 MEDIUM |
| StudentManage v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Add A New Student module. | |||||
| CVE-2025-55409 | 1 Foxcms | 1 Foxcms | 2025-09-09 | N/A | 8.8 HIGH |
| In FoxCMS 1.2.6, there is a Cross Site Scripting vulnerability in /index.php/article. This allows attackers to execute arbitrary code. | |||||
| CVE-2025-55420 | 1 Foxcms | 1 Foxcms | 2025-09-09 | N/A | 8.8 HIGH |
| A Reflected Cross Site Scripting (XSS) vulnerability was found in /index.php in FoxCMS v1.2.6. When a crafted script is sent via a GET request, it is reflected unsanitized into the HTML response. This permits execution of arbitrary JavaScript code when a logged-in user submits the malicious input. | |||||
| CVE-2025-9717 | 1 Zoneland | 1 O2oa | 2025-09-09 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was identified in O2OA up to 10.0-410. Affected by this issue is some unknown functionality of the file /x_organization_assemble_control/jaxrs/unit/ of the component Personal Profile Page. Such manipulation of the argument name/shortName/distinguishedName/pinyin/pinyinInitial/levelName leads to cross site scripting. The attack may be launched remotely. The exploit is publicly available and might be used. | |||||
| CVE-2025-9718 | 1 Zoneland | 1 O2oa | 2025-09-09 | 4.0 MEDIUM | 3.5 LOW |
| A security flaw has been discovered in O2OA up to 10.0-410. This affects an unknown part of the file /x_processplatform_assemble_designer/jaxrs/process of the component Personal Profile Page. Performing manipulation of the argument name/alias results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." | |||||
| CVE-2025-9719 | 1 Zoneland | 1 O2oa | 2025-09-09 | 4.0 MEDIUM | 3.5 LOW |
| A weakness has been identified in O2OA up to 10.0-410. This vulnerability affects unknown code of the file /x_processplatform_assemble_designer/jaxrs/script of the component Personal Profile Page. Executing manipulation of the argument name/alias/description/applicationName can lead to cross site scripting. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. | |||||
| CVE-2025-52217 | 1 Selectzero | 1 Selectzero | 2025-09-09 | N/A | 5.4 MEDIUM |
| SelectZero Data Observability Platform before 2025.5.2 is vulnerable to HTML Injection. Legacy UI fields improperly handle user-supplied input, allowing injection of arbitrary HTML. | |||||
| CVE-2025-56432 | 1 Nagios | 1 Nagios Xi | 2025-09-09 | N/A | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability exists in Nagios XI 2024R2. The vulnerability allows remote attackers to execute arbitrary JavaScript in the context of a logged-in user's session via a specially crafted URL. The issue resides in a web component responsible for rendering performance-related data. | |||||
| CVE-2025-52184 | 1 Helpy.io | 1 Helpy | 2025-09-09 | N/A | 6.1 MEDIUM |
| Cross Site Scripting vulnerability in Helpy.io v.2.8.0 allows a remote attacker to escalate privileges via the New Topic Ticket function. | |||||
| CVE-2025-50976 | 1 Ipfire | 1 Ipfire | 2025-09-09 | N/A | 6.1 MEDIUM |
| IPFire 2.29 DNS management interface (dns.cgi) fails to properly sanitize user-supplied input in the NAMESERVER, REMARK, and TLS_HOSTNAME query parameters, resulting in a reflected cross-site scripting (XSS) vulnerability. | |||||
| CVE-2025-50975 | 1 Ipfire | 1 Ipfire | 2025-09-09 | N/A | 5.4 MEDIUM |
| IPFire 2.29 web-based firewall interface (firewall.cgi) fails to sanitize several rule parameters such as PROT, SRC_PORT, TGT_PORT, dnatport, key, ruleremark, src_addr, std_net_tgt, and tgt_addr, allowing an authenticated administrator to inject persistent JavaScript. This stored XSS payload is executed whenever another admin views the firewall rules page, enabling session hijacking, unauthorized actions within the interface, or further internal pivoting. Exploitation requires only high-privilege GUI access, and the complexity of the attack is low. | |||||
| CVE-2025-50985 | 1 Diskoverdata | 1 Diskover | 2025-09-09 | N/A | 5.6 MEDIUM |
| diskover-web v2.3.0 Community Edition is vulnerable to multiple reflected cross-site scripting (XSS) flaws in its web interface. Unsanitized GET parameters including maxage, maxindex, index, path, q (query), and doctype are directly echoed into the HTML response, allowing attackers to inject and execute arbitrary JavaScript when a victim visits a maliciously crafted URL. | |||||
