Total
40656 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-63949 | 2025-12-19 | 6.1 Medium | ||
| A Reflected Cross-Site Scripting (XSS) vulnerability in yohanawi Hotel Management System (commit 87e004a) allows a remote attacker to execute arbitrary web script via the 'error' parameter in pages/room.php. | ||||
| CVE-2025-64355 | 2 Crocoblock, Wordpress | 2 Jetelements For Elementor, Wordpress | 2025-12-19 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetElements For Elementor allows DOM-Based XSS.This issue affects JetElements For Elementor: from n/a through 2.7.12. | ||||
| CVE-2025-64675 | 1 Microsoft | 1 Cosmos Db | 2025-12-19 | 8.3 High |
| Improper neutralization of input during web page generation ('cross-site scripting') in Azure Cosmos DB allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2025-64677 | 1 Microsoft | 1 Office Out Of-box Experience | 2025-12-19 | 8.2 High |
| Improper neutralization of input during web page generation ('cross-site scripting') in Office Out-of-Box Experience allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2025-66500 | 2025-12-19 | 6.3 Medium | ||
| A stored cross-site scripting (XSS) vulnerability exists in webplugins.foxit.com. A postMessage handler fails to validate the message origin and directly assigns externalPath to a script source, allowing an attacker to execute arbitrary JavaScript when a crafted postMessage is received. | ||||
| CVE-2025-66501 | 2025-12-19 | 6.3 Medium | ||
| A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Predefined Text feature of the Foxit eSign section. A crafted payload can be stored via the Identity “First Name” field, which is later rendered into the DOM without proper sanitization. As a result, the injected script may execute when predefined text is used or when viewing document properties. | ||||
| CVE-2025-66520 | 2025-12-19 | 6.3 Medium | ||
| A stored cross-site scripting (XSS) vulnerability exists in the Portfolio feature of the Foxit PDF Editor cloud (pdfonline.foxit.com). User-supplied SVG files are not properly sanitized or validated before being inserted into the HTML structure. As a result, embedded HTML or JavaScript within a crafted SVG may execute whenever the Portfolio file list is rendered. | ||||
| CVE-2025-66521 | 2025-12-19 | 6.3 Medium | ||
| A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Trusted Certificates feature. A crafted payload can be injected as the certificate name, which is later rendered into the DOM without proper sanitization. As a result, the injected script executes each time the Trusted Certificates view is loaded. | ||||
| CVE-2025-66522 | 2025-12-19 | 6.3 Medium | ||
| A stored cross-site scripting (XSS) vulnerability exists in the Digital IDs functionality of the Foxit PDF Editor Cloud (pdfonline.foxit.com). The application does not properly sanitize or encode the Common Name field of Digital IDs before inserting user-supplied content into the DOM. As a result, embedded HTML or JavaScript may execute whenever the Digital IDs dialog is accessed or when the affected PDF is loaded. | ||||
| CVE-2024-58285 | 1 Chyrp | 1 Chyrp | 2025-12-19 | 5.4 Medium |
| Chyrp 2.5.2 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts into post titles. Attackers can craft payloads in the title field that will execute when the post is viewed by other users, potentially stealing session cookies or performing client-side attacks. | ||||
| CVE-2021-42193 | 1 Nopcommerce | 1 Nopcommerce | 2025-12-19 | 6.1 Medium |
| nopCommerce 4.40.3 is vulnerable to XSS in the Product Name at /Admin/Product/Edit/[id]. Each time a user views the product in the shop, the XSS payload fires. | ||||
| CVE-2025-41749 | 1 Phoenixcontact | 140 Fl Nat 2008, Fl Nat 2008 Firmware, Fl Nat 2208 and 137 more | 2025-12-19 | 7.1 High |
| An XSS vulnerability in port_util.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. | ||||
| CVE-2025-41747 | 1 Phoenixcontact | 140 Fl Nat 2008, Fl Nat 2008 Firmware, Fl Nat 2208 and 137 more | 2025-12-19 | 7.1 High |
| An XSS vulnerability in pxc_vlanIntfCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. | ||||
| CVE-2025-41746 | 1 Phoenixcontact | 140 Fl Nat 2008, Fl Nat 2008 Firmware, Fl Nat 2208 and 137 more | 2025-12-19 | 7.1 High |
| An XSS vulnerability in pxc_portSecCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. | ||||
| CVE-2025-41748 | 1 Phoenixcontact | 140 Fl Nat 2008, Fl Nat 2008 Firmware, Fl Nat 2208 and 137 more | 2025-12-19 | 7.1 High |
| An XSS vulnerability in pxc_Dot1xCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. | ||||
| CVE-2025-41750 | 1 Phoenixcontact | 140 Fl Nat 2008, Fl Nat 2008 Firmware, Fl Nat 2208 and 137 more | 2025-12-19 | 7.1 High |
| An XSS vulnerability in pxc_PortCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. | ||||
| CVE-2025-41751 | 1 Phoenixcontact | 140 Fl Nat 2008, Fl Nat 2008 Firmware, Fl Nat 2208 and 137 more | 2025-12-19 | 7.1 High |
| An XSS vulnerability in pxc_portCntr.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. | ||||
| CVE-2025-41752 | 1 Phoenixcontact | 140 Fl Nat 2008, Fl Nat 2008 Firmware, Fl Nat 2208 and 137 more | 2025-12-19 | 7.1 High |
| An XSS vulnerability in pxc_portSfp.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. | ||||
| CVE-2025-65589 | 1 Nopcommerce | 1 Nopcommerce | 2025-12-19 | 6.1 Medium |
| nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Attributes functionality. | ||||
| CVE-2025-65590 | 1 Nopcommerce | 1 Nopcommerce | 2025-12-19 | 5.4 Medium |
| nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Blog posts functionality in the Content Management area. | ||||