Total
40656 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-24794 | 1 Kentico | 1 Xperience | 2025-12-19 | 6.1 Medium |
| Cross Site Scripting (XSS) vulnerability in Kentico before 12.0.75. | ||||
| CVE-2025-67712 | 2025-12-19 | 4.7 Medium | ||
| There is an HTML injection issue in Esri ArcGIS Web AppBuilder developer edition versions prior to 2.30 that allows a remote, unauthenticated attacker to potentially entice a user to click a link that causes arbitrary HTML to render in a victim's browser. There is no evidence of JavaScript execution, which limits the impact. At the time of submission, ArcGIS Web App Builder developer edition is retired and unsupported. ArcGIS Web App Builder 2.30 is not susceptible to this vulnerability. | ||||
| CVE-2025-67344 | 1 Jishenghua | 1 Jsherp | 2025-12-19 | 4.6 Medium |
| jshERP v3.5 and earlier is affected by a stored Cross Site Scripting (XSS) vulnerability via the /msg/add endpoint. | ||||
| CVE-2025-67341 | 1 Jishenghua | 1 Jsherp | 2025-12-19 | 4.6 Medium |
| jshERP versions 3.5 and earlier are affected by a stored XSS vulnerability. This vulnerability allows attackers to upload PDF files containing XSS payloads. Additionally, these PDF files can be accessed via static URLs, making them accessible to all users. | ||||
| CVE-2025-14046 | 1 Github | 1 Enterprise Server | 2025-12-19 | 6.1 Medium |
| An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed user-supplied HTML to inject DOM elements with IDs that collided with server-initialized data islands. These collisions could overwrite or shadow critical application state objects used by certain Project views, leading to unintended server-side POST requests or other unauthorized backend interactions. Successful exploitation requires an attacker to have access to the target GitHub Enterprise Server instance and to entice a privileged user to view crafted malicious content that includes conflicting HTML elements. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18.3, 3.17.9, 3.16.12, 3.15.16, and 3.14.21. | ||||
| CVE-2025-66574 | 2 Compassplus, Compassplustechnologies | 2 Tranzaxis, Tranzaxis | 2025-12-19 | 5.4 Medium |
| TranzAxis 3.2.41.10.26 allows authenticated users to inject cross-site scripting via the `Open Object in Tree` endpoint, allowing attackers to steal session cookies and potentially escalate privileges. | ||||
| CVE-2025-14962 | 2025-12-19 | 4.3 Medium | ||
| A flaw has been found in code-projects Simple Stock System 1.0. The impacted element is an unknown function of the file /market/chatuser.php. This manipulation causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. | ||||
| CVE-2025-34425 | 1 Mailenable | 1 Mailenable | 2025-12-19 | 6.1 Medium |
| MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the WindowContext parameter of /Mondo/lang/sys/Forms/MAI/compose.aspx. The WindowContext value is not properly sanitized when processed via a GET request and is reflected within a <script> context in the JavaScript variable window.location, allowing an attacker to break out of the existing script and inject arbitrary JavaScript. A remote attacker can supply a crafted payload that terminates the existing ProcessContextSwitchResult() function, inserts attacker-controlled script, and comments out remaining code, leading to script execution in a victim’s browser when the victim visits a malicious link or attempts to send an email. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user. | ||||
| CVE-2025-14449 | 2025-12-19 | 6.4 Medium | ||
| The BA Book Everything plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's babe-search-form shortcode in all versions up to, and including, 1.8.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-67495 | 1 Zitadel | 1 Zitadel | 2025-12-19 | 8 High |
| ZITADEL is an open-source identity infrastructure tool. Versions 4.0.0-rc.1 through 4.7.0 are vulnerable to DOM-Based XSS through the Zitadel V2 logout endpoint. The /logout endpoint insecurely routes to a value that is supplied in the post_logout_redirect GET parameter. As a result, unauthenticated remote attacker can execute malicious JS code on Zitadel users’ browsers. To carry out an attack, multiple user sessions need to be active in the same browser, however, account takeover is mitigated when using Multi-Factor Authentication (MFA) or Passwordless authentication. This issue is fixed in version 4.7.1. | ||||
| CVE-2024-27091 | 1 Geosolutionsgroup | 1 Geonode | 2025-12-19 | 6.1 Medium |
| GeoNode is a geospatial content management system, a platform for the management and publication of geospatial data. An issue exists within GEONODE where the current rich text editor is vulnerable to Stored XSS. The applications cookies are set securely, but it is possible to retrieve a victims CSRF token and issue a request to change another user's email address to perform a full account takeover. Due to the script element not impacting the CORS policy, requests will succeed. This vulnerability is fixed in 4.2.3. | ||||
| CVE-2024-5739 | 1 Linecorp | 1 Line | 2025-12-19 | 6.1 Medium |
| The in-app browser of LINE client for iOS versions below 14.9.0 contains a Universal XSS (UXSS) vulnerability. This vulnerability allows for cross-site scripting (XSS) where arbitrary JavaScript can be executed in the top frame from an embedded iframe on any displayed web site within the in-app browser. The in-app browser is usually opened by tapping on URLs contained in chat messages, and for the attack to be successful, the victim must trigger a click event on a malicious iframe. If an iframe embedded in any website can be controlled by an attacker, this vulnerability could be exploited to capture or alter content displayed in the top frame, as well as user session information. This vulnerability affects LINE client for iOS versions below 14.9.0 and does not affect other LINE clients such as LINE client for Android. Please update LINE client for iOS to version 14.9.0 or higher. | ||||
| CVE-2025-41695 | 1 Phoenixcontact | 140 Fl Nat 2008, Fl Nat 2008 Firmware, Fl Nat 2208 and 137 more | 2025-12-19 | 7.1 High |
| An XSS vulnerability in dyn_conn.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. | ||||
| CVE-2025-9787 | 1 Zohocorp | 1 Manageengine Applications Manager | 2025-12-19 | 6.1 Medium |
| Zohocorp ManageEngine Applications Manager versions 177400 and below are vulnerable to Stored Cross-Site Scripting vulnerability in the NOC view. | ||||
| CVE-2025-68385 | 1 Elastic | 1 Kibana | 2025-12-19 | 7.2 High |
| Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a method in Vega bypassing a previous Vega XSS mitigation. | ||||
| CVE-2025-67163 | 1 Simplemachines | 3 Simple Machine Forum, Simple Machines Forum, Smf | 2025-12-19 | 6.1 Medium |
| A stored cross-site scripting (XSS) vulnerability in Simple Machines Forum v2.1.6 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Forum Name parameter. | ||||
| CVE-2022-50680 | 1 Kentico | 1 Xperience | 2025-12-19 | 4.6 Medium |
| A stored cross-site scripting vulnerability in Kentico Xperience allows administration users to inject malicious scripts via email marketing templates. Attackers can exploit this vulnerability to execute malicious scripts that could compromise user browsers and steal sensitive information. | ||||
| CVE-2022-50685 | 1 Kentico | 1 Xperience | 2025-12-19 | 4.6 Medium |
| A stored cross-site scripting vulnerability in Kentico Xperience allows authenticated users to inject malicious scripts via XML file uploads as page attachments or metafiles. Attackers can upload malicious XML files that enable stored XSS, allowing malicious scripts to execute in users' browsers. | ||||
| CVE-2023-53936 | 1 Tuzitio | 1 Camaleon Cms | 2025-12-19 | 5.4 Medium |
| Cameleon CMS 2.7.4 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts into post titles. Attackers can create posts with embedded SVG scripts that execute when other users mouse over the post title, potentially stealing session cookies and executing arbitrary JavaScript. | ||||
| CVE-2024-58319 | 1 Kentico | 1 Xperience | 2025-12-19 | 5.4 Medium |
| A reflected cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the Pages dashboard widget configuration dialog. Attackers can exploit this vulnerability to execute malicious scripts in administrative users' browsers. | ||||