Total
39744 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-40626 | 1 Abantecart | 1 Abantecart | 2025-10-10 | 6.1 Medium |
| Reflected Cross-Site Scripting (XSS) vulnerability in AbanteCart v1.4.0, that could allow an attacker to execute JavaScript code in a victim's browser by sending the victim a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user, through "/about_us?[XSS_PAYLOAD]". | ||||
| CVE-2025-40627 | 1 Abantecart | 1 Abantecart | 2025-10-10 | 6.1 Medium |
| Reflected Cross-Site Scripting (XSS) vulnerability in AbanteCart v1.4.0, that could allow an attacker to execute JavaScript code in a victim's browser by sending the victim a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user, through "/eyes? [XSS_PAYLOAD]". | ||||
| CVE-2025-61183 | 2 Vaahcms, Webreinvent | 2 Vaahcms, Vaahcms | 2025-10-10 | 6.1 Medium |
| Cross Site Scripting in vaahcms v.2.3.1 allows a remote attacker to execute arbitrary code via upload method in the storeAvatar() method of UserBase.php | ||||
| CVE-2025-9371 | 2 Muffingroup, Wordpress | 2 Betheme, Wordpress | 2025-10-10 | 6.4 Medium |
| The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘page_title’ parameter in all versions up to, and including, 28.1.6 due to insufficient input sanitization and output escaping of theme breadcrumbs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-10240 | 1 Progress | 1 Flowmon | 2025-10-10 | 8.8 High |
| A vulnerability exists in the Progress Flowmon web application prior to version 12.5.5, whereby a user who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated session. | ||||
| CVE-2023-3384 | 1 Redhat | 1 Quay | 2025-10-10 | 5.4 Medium |
| A flaw was found in the Quay registry. While the image labels created through Quay undergo validation both in the UI and backend by applying a regex (validation.py), the same validation is not performed when the label comes from an image. This flaw allows an attacker to publish a malicious image to a public registry containing a script that can be executed via Cross-site scripting (XSS). | ||||
| CVE-2023-3971 | 1 Redhat | 7 Ansible Automation Controller, Ansible Automation Platform, Ansible Automation Platform Developer and 4 more | 2025-10-10 | 7.3 High |
| An HTML injection flaw was found in Controller in the user interface settings. This flaw allows an attacker to capture credentials by creating a custom login page by injecting HTML, resulting in a complete compromise. | ||||
| CVE-2024-4812 | 2 Katello Project, Redhat | 2 Katello, Satellite | 2025-10-10 | 4.8 Medium |
| A flaw was found in the Katello plugin for Foreman, where it is possible to store malicious JavaScript code in the "Description" field of a user. This code can be executed when opening certain pages, for example, Host Collections. | ||||
| CVE-2023-6134 | 1 Redhat | 9 Build Keycloak, Enterprise Linux, Keycloak and 6 more | 2025-10-09 | 4.6 Medium |
| A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748. | ||||
| CVE-2025-9931 | 1 Jinher | 1 Jinher Oa | 2025-10-09 | 4.3 Medium |
| A vulnerability was detected in Jinher OA 1.0. Affected is an unknown function of the file /jc6/platform/sys/login!changePassWord.action of the component POST Request Handler. The manipulation of the argument Account results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used. | ||||
| CVE-2025-51411 | 1 Vishalmathur | 1 Institute-of-current-students | 2025-10-09 | 6.1 Medium |
| A reflected cross-site scripting (XSS) vulnerability exists in Institute-of-Current-Students v1.0 via the email parameter in the /postquerypublic endpoint. The application fails to properly sanitize user input before reflecting it in the HTML response. This allows unauthenticated attackers to inject and execute arbitrary JavaScript code in the context of the victim's browser by tricking them into visiting a crafted URL or submitting a malicious form. Successful exploitation may lead to session hijacking, credential theft, or other client-side attacks. | ||||
| CVE-2025-40632 | 1 Icewarp | 1 Mail Server | 2025-10-09 | 6.1 Medium |
| Cross-site scripting (XSS) in Icewarp Mail Server affecting version 11.4.0. This vulnerability allows an attacker to modify the “lastLogin” cookie with malicious JavaScript code that will be executed when the page is rendered. | ||||
| CVE-2024-42200 | 1 Hcltech | 1 Bigfix Platform | 2025-10-09 | 5.4 Medium |
| HCL BigFix Web Reports might be subject to a Stored Cross-Site Scripting (XSS) attack, due to a potentially weak validation of user input. | ||||
| CVE-2025-50927 | 1 Ehcp | 1 Easy Hosting Control Panel | 2025-10-09 | 6.3 Medium |
| A reflected cross-site scripting (XSS) vulnerability in the List All FTP User Function in EHCP v20.04.1.b allows authenticated attackers to execute arbitrary JavaScript via injecting a crafted payload into the ftpusername parameter. | ||||
| CVE-2025-51053 | 2 Vedo, Vedo Suite Project | 2 Vedo Suite, Vedo Suite | 2025-10-09 | 6.1 Medium |
| A Cross-site scripting (XSS) vulnerability in /api_vedo/ in Vedo Suite version 2024.17 allows remote attackers to inject arbitrary Javascript or HTML code and potentially trigger code execution in victim's browser. | ||||
| CVE-2025-61769 | 1 Emlog | 1 Emlog | 2025-10-09 | 6.1 Medium |
| Emlog is an open source website building system. A cross-site scripting (XSS) vulnerability in emlog up to and including version 2.5.22 allows authenticated remote attackers to inject arbitrary web script or HTML via the file upload functionality. As an authenticated user it is possible to upload .svg file that contains JavaScript code that is later being executed. Commit 052f9c4226b2c0014bcd857fec47677340b185b1 fixes the issue. | ||||
| CVE-2025-40729 | 1 Oretnom23 | 1 Customer Support System | 2025-10-09 | 6.1 Medium |
| Reflected Cross-Site Scripting (XSS) in /customer_support/index.php in Customer Support System v1.0, which allows remote attackers to execute arbitrary code via the page parameter. | ||||
| CVE-2025-11390 | 1 Phpgurukul | 1 Cyber Cafe Management System | 2025-10-09 | 4.3 Medium |
| A weakness has been identified in PHPGurukul Cyber Cafe Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /search.php of the component POST Parameter Handler. Executing manipulation of the argument searchdata can lead to cross site scripting. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. | ||||
| CVE-2025-11425 | 1 Projectworlds | 1 Advanced Library Management System | 2025-10-09 | 2.4 Low |
| A vulnerability was identified in projectworlds Advanced Library Management System 1.0. Affected is an unknown function of the file /edit_admin.php. The manipulation of the argument firstname leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. Other parameters might be affected as well. | ||||
| CVE-2025-11421 | 2 Code-projects, Fabian | 2 Voting System, Voting System | 2025-10-09 | 3.5 Low |
| A flaw has been found in code-projects Voting System 1.0. The affected element is an unknown function of the file /admin/candidates_edit.php. This manipulation of the argument Firstname/Lastname/Platform causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been published and may be used. | ||||