Total: 40170 CVE

| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-10555 | 1 Dassault | 1 Delmia Service Process Engineer | 2025-12-01 | 8.7 High |
| A stored Cross-site Scripting (XSS) vulnerability affecting Service Items Management in DELMIA Service Process Engineer on Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session. | ||||
| CVE-2024-22048 | 1 Gov.uk | 1 Govuk Tech Docs | 2025-11-29 | 6.1 Medium |
| govuk_tech_docs versions from 2.0.2 to before 3.3.1 are vulnerable to a cross-site scripting vulnerability. Malicious JavaScript may be executed in the user's browser if a malicious search result is displayed on the search page. | ||||
| CVE-2025-34032 | 1 Geoffrowland | 1 Jmol | 2025-11-29 | 6.1 Medium |
| A reflected cross-site scripting (XSS) vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the data parameter in jsmol.php. The application fails to properly sanitize user input before embedding it into the HTTP response, allowing an attacker to execute arbitrary JavaScript in the victim's browser by crafting a malicious link. This can be used to hijack user sessions or manipulate page content. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-02 UTC. | ||||
| CVE-2024-9440 | 2 Brian Voelker, Slimselectjs | 2 Slim Select, Slim Select | 2025-11-29 | 5.4 Medium |
| Slim Select 2.0 versions through 2.9.0 are affected by a potential cross-site scripting vulnerability. In select.ts:createOption(), the text variable from the user-provided Options object is assigned to an innerHTML without sanitization. Software that depends on this library to dynamically generate lists using unsanitized user-provided input may be vulnerable to cross-site scripting, resulting in attacker-executed JavaScript. At this time, no patch is available. | ||||
| CVE-2024-0758 | 1 Ipb-halle | 1 Molecularfaces | 2025-11-28 | 6.1 Medium |
| MolecularFaces before 0.3.0 is vulnerable to cross site scripting. A remote attacker can execute arbitrary JavaScript in the context of a victim browser via crafted molfiles. | ||||
| CVE-2025-66093 | 2 Hupe13, Wordpress | 2 Extensions For Leaflet Map, Wordpress | 2025-11-28 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hupe13 Extensions for Leaflet Map extensions-leaflet-map allows DOM-Based XSS. This issue affects Extensions for Leaflet Map: from n/a through <= 4.8. | ||||
| CVE-2025-66092 | 1 Wordpress | 1 Wordpress | 2025-11-28 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bqworks Accordion Slider accordion-slider allows Stored XSS. This issue affects Accordion Slider: from n/a through <= 1.9.13. | ||||
| CVE-2024-11831 | 1 Redhat | 34 Acm, Advanced Cluster Security, Ansible Automation Platform and 31 more | 2025-11-28 | 5.4 Medium |
| A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package. | ||||
| CVE-2025-34253 | 2 D-link, Dlink | 2 Nuclias Connect, Nuclias Connect | 2025-11-28 | 5.4 Medium |
| D-Link Nuclias Connect firmware versions <= 1.3.1.4 contain a stored cross-site scripting (XSS) vulnerability due to improper sanitization of the 'Network' field when editing the configuration, creating a profile, and adding a network. An authenticated attacker can inject arbitrary JavaScript to be executed in the context of other users viewing the profile entry. NOTE: D-Link states that a fix is under development. | ||||
| CVE-2025-63498 | 1 Alinto | 1 Sogo | 2025-11-28 | 6.1 Medium |
| alinto SOGo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the "userName" parameter. | ||||
| CVE-2025-34236 | 1 Advantech | 2 Webaccess/vpn, Webaccess\/vpn | 2025-11-28 | 5.4 Medium |
| Advantech WebAccess/VPN versions prior to 1.1.5 contain a stored cross-site scripting (XSS) vulnerability via NetworksController.addNetworkAction(). Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||
| CVE-2025-34237 | 1 Advantech | 2 Webaccess/vpn, Webaccess\/vpn | 2025-11-28 | 5.4 Medium |
| Advantech WebAccess/VPN versions prior to 1.1.5 contain a stored cross-site scripting (XSS) vulnerability via StandaloneVpnClientsController.addStandaloneVpnClientAction(). Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||
| CVE-2025-60917 | 2 Austrian Archaeological Institute, Craws | 2 Openatlas, Openatlas | 2025-11-28 | 4.6 Medium |
| A reflected cross-site scripting (XSS) vulnerability in the /overview/network/ endpoint of Austrian Archaeological Institute Openatlas before v8.12.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload into the color parameter. | ||||
| CVE-2025-60916 | 2 Austrian Archaeological Institute, Craws | 2 Openatlas, Openatlas | 2025-11-28 | 5.4 Medium |
| A reflected cross-site scripting (XSS) vulnerability in the /overview/network/ endpoint of Austrian Archaeological Institute Openatlas before v8.12.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload into the charge parameter. | ||||
| CVE-2025-60914 | 2 Austrian Archaeological Institute, Craws | 2 Openatlas, Openatlas | 2025-11-28 | 4.6 Medium |
| Incorrect access control in Austrian Archaeological Institute Openatlas before v8.12.0 allows attackers to access sensitive information via sending a crafted GET request to the /display_logo endpoint. | ||||
| CVE-2024-21910 | 1 Tiny | 1 Tinymce | 2025-11-28 | 6.1 Medium |
| TinyMCE versions before 5.10.0 are affected by a cross-site scripting vulnerability. A remote and unauthenticated attacker could introduce crafted image or link URLs that would result in the execution of arbitrary JavaScript in an editing user's browser. | ||||
| CVE-2024-21908 | 1 Tiny | 1 Tinymce | 2025-11-28 | 6.1 Medium |
| TinyMCE versions before 5.9.0 are affected by a stored cross-site scripting vulnerability. An unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser. | ||||
| CVE-2025-34512 | 1 Ilevia | 2 Eve X1 Server, Eve X1 Server Firmware | 2025-11-28 | 6.1 Medium |
| Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain a reflected cross-site scripting (XSS) vulnerability in index.php that allows an unauthenticated attacker to execute arbitrary code. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080 to the internet. | ||||
| CVE-2024-21911 | 1 Tiny | 1 Tinymce | 2025-11-28 | 6.1 Medium |
| TinyMCE versions before 5.6.0 are affected by a stored cross-site scripting vulnerability. An unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser. | ||||
| CVE-2025-30006 | 1 Xorcom | 1 Completepbx | 2025-11-28 | 6.1 Medium |
| Xorcom CompletePBX is vulnerable to a reflected cross-site scripting (XSS) in the administrative control panel. This issue affects CompletePBX: all versions up to and prior to 5.2.35. | ||||