Total
39743 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-57874 | 1 Esri | 1 Portal For Arcgis | 2025-10-17 | 4.8 Medium |
| There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser. | ||||
| CVE-2025-57873 | 1 Esri | 1 Portal For Arcgis | 2025-10-17 | 4.8 Medium |
| There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser. | ||||
| CVE-2025-57871 | 1 Esri | 1 Portal For Arcgis | 2025-10-17 | 4.8 Medium |
| There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser. | ||||
| CVE-2025-54089 | 1 Absolute | 1 Secure Access | 2025-10-16 | 3.4 Low |
| CVE-2025-54089 is a cross-site scripting vulnerability in versions of secure access prior to 14.10. Attackers with administrative access to the console can interfere with another administrator’s access to the console. The attack complexity is low; there are no attack requirements. Privileges required to execute the attack are high and the victim must actively participate in the attack sequence. There is no impact to confidentiality or availability, there is a low impact to integrity. | ||||
| CVE-2025-56807 | 1 Fairsketch | 1 Rise Ultimate Project Manager | 2025-10-16 | 6.1 Medium |
| A cross-site scripting (XSS) vulnerability in FairSketch RISE Ultimate Project Manager & CRM 3.9.4 allows an administrator to store a JavaScript payload using the file explorer in the admin dashboard when creating new folders. | ||||
| CVE-2025-11146 | 1 Apt-cacher-ng Project | 1 Apt-cacher-ng | 2025-10-16 | 5.4 Medium |
| Reflected Cross-site scripting (XSS) in Apt-Cacher-NG v3.2.1. The vulnerability allows an attacker to execute malicious scripts (XSS) in the web management application. The vulnerability is caused by improper handling of GET inputs included in the URL in “/acng-report.html”. | ||||
| CVE-2025-11147 | 1 Apt-cacher-ng Project | 1 Apt-cacher-ng | 2025-10-16 | 5.4 Medium |
| Reflected cross-site scripting (XSS) in Apt-Cacher-NG v3.2.1. The vulnerability allows malicious scripts (XSS) to be executed in “/html/<filename>.html”. | ||||
| CVE-2025-55996 | 2 Rakuten, Viber | 2 Viber, Desktop | 2025-10-16 | 6.3 Medium |
| Viber Desktop 25.6.0 is vulnerable to HTML Injection via the text parameter of the message compose/forward interface | ||||
| CVE-2025-56795 | 1 Mealie | 1 Mealie | 2025-10-16 | 9 Critical |
| Mealie 3.0.1 and earlier is vulnerable to Stored Cross-Site Scripting (XSS) in the recipe creation functionality. Unsanitized user input in the "note" and "text" fields of the "/api/recipes/{recipe_name}" endpoint is rendered in the frontend without proper escaping leading to persistent XSS. | ||||
| CVE-2025-45585 | 1 Audi | 2 Universal Traffic Recorder, Universal Traffic Recorder Firmware | 2025-10-16 | 5.4 Medium |
| Multiple stored cross-site scripting (XSS) vulnerabilities in Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the wifi_sta_ssid or wifi_ap_ssid parameters. | ||||
| CVE-2025-10367 | 1 Sourcefabric | 2 Phoniebox, Rpi-jukebox-rfid | 2025-10-16 | 3.5 Low |
| A vulnerability has been found in MiczFlor RPi-Jukebox-RFID up to 2.8.0. Affected by this vulnerability is an unknown functionality of the file /htdocs/cardEdit.php. Such manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-60304 | 2 Code-projects, Fabian | 2 Simple Scheduling System, Simple Scheduling System | 2025-10-16 | 6.1 Medium |
| code-projects Simple Scheduling System 1.0 is vulnerable to Cross Site Scripting (XSS) via the Subject Description field. | ||||
| CVE-2025-10368 | 1 Sourcefabric | 2 Phoniebox, Rpi-jukebox-rfid | 2025-10-16 | 3.5 Low |
| A vulnerability was found in MiczFlor RPi-Jukebox-RFID up to 2.8.0. Affected by this issue is some unknown functionality of the file /htdocs/manageFilesFolders.php. Performing manipulation results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-10369 | 1 Sourcefabric | 2 Phoniebox, Rpi-jukebox-rfid | 2025-10-16 | 3.5 Low |
| A vulnerability was determined in MiczFlor RPi-Jukebox-RFID up to 2.8.0. This affects an unknown part of the file /htdocs/cardRegisterNew.php. Executing manipulation can lead to cross site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-13902 | 1 Huang-yk | 1 Student-manage | 2025-10-15 | 2.4 Low |
| A vulnerability, which was classified as problematic, was found in huang-yk student-manage 1.0. This affects an unknown part of the component Edit a Student Information Page. The manipulation of the argument Class leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-13213 | 1 Singmr | 1 Houserent | 2025-10-15 | 3.5 Low |
| A vulnerability classified as problematic was found in SingMR HouseRent 1.0. This vulnerability affects unknown code of the file /toAdminUpdateHousePage?hID=30. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-56515 | 1 Suisuijiang | 1 Fiora | 2025-10-15 | 8.8 High |
| File upload vulnerability in Fiora chat application 1.0.0 through user avatar upload functionality. The application fails to validate SVG file content, allowing malicious SVG files with embedded foreignObject elements containing iframe tags and JavaScript event handlers (onmouseover) to be uploaded and stored. When rendered, these SVG files execute arbitrary JavaScript, enabling attackers to steal user sessions, cookies, and perform unauthorized actions in the context of users viewing affected profiles. | ||||
| CVE-2025-56243 | 1 Puneethreddyhc | 2 Event Management, Event Management System | 2025-10-15 | 6.1 Medium |
| A Cross-Site Scripting (XSS) vulnerability was found in the register.php page of PuneethReddyHC Event Management System 1.0, where the event_id GET parameter is improperly handled. An attacker can craft a malicious URL to execute arbitrary JavaScript in the victim s browser by injecting code into this parameter. | ||||
| CVE-2025-56382 | 2 Lion-coders, Lioncoders | 2 Salepro Pos, Salepro Pos | 2025-10-15 | 6.1 Medium |
| A stored Cross-site scripting (XSS) vulnerability exists in the Customer Management Module of LionCoders SalePro POS 5.4.8. An authenticated attacker can inject arbitrary web script or HTML via the 'Customer Name' parameter when creating or editing customer profiles. This malicious input is improperly sanitized before storage and subsequent rendering, leading to script execution in the browsers of users who view the affected customer details. | ||||
| CVE-2025-46545 | 1 Sherparpa | 1 Sherpa Orchestrator | 2025-10-15 | 4.4 Medium |
| In Sherpa Orchestrator 141851, the functionality for adding or updating licenses allows for stored XSS attacks by an administrator through the name parameter. The XSS payload can execute when the license expires. | ||||