Total
39848 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-48561 | 1 Adobe | 1 Experience Manager | 2025-09-19 | 5.4 Medium |
| Adobe Experience Manager versions 6.5.18 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | ||||
| CVE-2023-48562 | 1 Adobe | 1 Experience Manager | 2025-09-19 | 5.4 Medium |
| Adobe Experience Manager versions 6.5.18 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | ||||
| CVE-2022-34218 | 1 Adobe | 1 Experience Manager | 2025-09-19 | 5.4 Medium |
| Adobe Experience Manager versions 6.5.13.0 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Exploitation of this issue requires low-privilege access to AEM. | ||||
| CVE-2025-34157 | 1 Coollabs | 1 Coolify | 2025-09-19 | 9.0 Critical |
| Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. An authenticated user with low privileges can create a project with a maliciously crafted name containing embedded JavaScript. When an administrator attempts to delete the project or its associated resource, the payload executes in the admin’s browser context. This results in full compromise of the Coolify instance, including theft of API tokens, session cookies, and access to WebSocket-based terminal sessions on managed servers. | ||||
| CVE-2025-4805 | 2025-09-19 | N/A | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS allows Stored XSS. This vulnerability requires an authenticated administrator session to a locally managed Firebox. This issue affects Fireware OS: from 12.0 through 12.11.1. | ||||
| CVE-2025-10146 | 2 Codename065, Wordpress | 2 Download Manager Plugin, Wordpress | 2025-09-19 | 6.1 Medium |
| The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘user_ids’ parameter in all versions up to, and including, 3.3.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-9969 | 2025-09-19 | 7.1 High | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Vizly Web Design Real Estate Packages allows Content Spoofing, CAPEC - 593 - Session Hijacking, CAPEC - 591 - Reflected XSS.This issue affects Real Estate Packages: before 5.1. | ||||
| CVE-2025-43861 | 1 Miraheze | 1 Managewiki | 2025-09-19 | 4.4 Medium |
| ManageWiki is a MediaWiki extension allowing users to manage wikis. Prior to commit 2f177dc, ManageWiki is vulnerable to reflected or stored XSS in the review dialog. A logged-in attacker must change a form field to include a malicious payload. If that same user then opens the "Review Changes" dialog, the payload will be rendered and executed in the context of their own session. This issue has been patched in commit 2f177dc. | ||||
| CVE-2019-25225 | 1 Apostrophecms | 1 Sanitize-html | 2025-09-19 | 6.1 Medium |
| `sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The `sanitizeHtml()` function in `index.js` does not sanitize content when using the custom `transformTags` option, which is intended to convert attribute values into text. As a result, malicious input can be transformed into executable code. | ||||
| CVE-2014-125128 | 1 Apostrophecms | 1 Sanitize-html | 2025-09-19 | 6.1 Medium |
| 'sanitize-html' prior to version 1.0.3 is vulnerable to Cross-site Scripting (XSS). The function 'naughtyHref' doesn't properly validate the hyperreference (`href`) attribute in anchor tags (`<a>`), allowing bypasses that contain different casings, whitespace characters, or hexadecimal encodings. | ||||
| CVE-2024-25175 | 1 Kickdler | 1 Kickdler | 2025-09-19 | 6.1 Medium |
| An issue in Kickdler before v1.107.0 allows attackers to provide an XSS payload via a HTTP response splitting attack. | ||||
| CVE-2024-4216 | 2 Fedoraproject, Pgadmin | 2 Fedora, Pgadmin 4 | 2025-09-19 | 7.4 High |
| pgAdmin <= 8.5 is affected by XSS vulnerability in /settings/store API response json payload. This vulnerability allows attackers to execute malicious script at the client end. | ||||
| CVE-2025-9851 | 2 Appointmind, Wordpress | 2 Appointmind, Wordpress | 2025-09-19 | 6.4 Medium |
| The Appointmind plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'appointmind_calendar' shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-2404 | 1 Ubit | 1 Stoys | 2025-09-19 | 4.3 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ubit Information Technologies STOYS allows Cross-Site Scripting (XSS).This issue affects STOYS: from 2 before 20250916. | ||||
| CVE-2025-55107 | 1 Esri | 1 Portal For Arcgis | 2025-09-18 | 4.8 Medium |
| There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal. | ||||
| CVE-2025-52074 | 1 Phpgurukul | 1 Online Shopping Portal | 2025-09-18 | 6.1 Medium |
| PHPGURUKUL Online Shopping Portal 2.1 is vulnerable to Cross Site Scripting (XSS) due to lack of input sanitization in the quantity parameter when adding a product to the cart. | ||||
| CVE-2025-44593 | 1 Halo | 1 Halo | 2025-09-18 | 6.1 Medium |
| Halo prior to 2.20.13 allows bypassing file type detection and uploading malicious files such as .exe and .html files. Specifically, .html files can trigger stored XSS vulnerabilities. This vulnerability is fixed in 2.20.13 | ||||
| CVE-2025-44595 | 1 Halo | 1 Halo | 2025-09-18 | 6.1 Medium |
| Halo v2.20.17 and before is vulnerable to Cross Site Scripting (XSS) in /halo_host/archives/{name}. | ||||
| CVE-2025-58768 | 1 Thinkinai | 1 Deepchat | 2025-09-18 | 9.7 Critical |
| DeepChat is a smart assistant uses artificial intelligence. Prior to version 0.3.5, in the Mermaid chart rendering component, there is a risky operation of directly using `innerHTML` to set user content. Therefore, any malicious content rendered via Mermaid will directly trigger the exploit chain, leading to command execution. This vulnerability is primarily caused by a failure to fully address the existing XSS issue in the project, leading to another exploit chain. The exploit chain is consistent with the report GHSA-hqr4-4gfc-5p2j, executing arbitrary JavaScript code via XSS and arbitrary commands via exposed IPC. Version 0.3.5 contains an updated fix. | ||||
| CVE-2025-10590 | 1 Portabilis | 1 I-educar | 2025-09-18 | 4.3 Medium |
| A security flaw has been discovered in Portabilis i-Educar up to 2.10. The impacted element is an unknown function of the file /intranet/educar_usuario_det.php. The manipulation of the argument ref_pessoa results in cross site scripting. The attack can be executed remotely. The exploit has been released to the public and may be exploited. | ||||