Total
40173 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-34512 | 1 Ilevia | 2 Eve X1 Server, Eve X1 Server Firmware | 2025-11-28 | 6.1 Medium |
| Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain a reflected cross-site scripting (XSS) vulnerability in index.php that allows an unauthenticated attacker to execute arbitrary code. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080 to the internet. | ||||
| CVE-2024-21911 | 1 Tiny | 1 Tinymce | 2025-11-28 | 6.1 Medium |
| TinyMCE versions before 5.6.0 are affected by a stored cross-site scripting vulnerability. An unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser. | ||||
| CVE-2025-30006 | 1 Xorcom | 1 Completepbx | 2025-11-28 | 6.1 Medium |
| Xorcom CompletePBX is vulnerable to a reflected cross-site scripting (XSS) in the administrative control panel. This issue affects CompletePBX: all versions up to and prior to 5.2.35 | ||||
| CVE-2025-63735 | 1 Ruckus | 1 Unleashed | 2025-11-27 | 6.1 Medium |
| A reflected Cross site scripting (XSS) vulnerability in Ruckus Unleashed 200.13.6.1.319 via the name parameter to the the captive-portal endpoint selfguestpass/guestAccessSubmit.jsp. | ||||
| CVE-2025-60739 | 1 Ilevia | 1 Eve X1 Server Firmware | 2025-11-27 | 9.6 Critical |
| Cross Site Request Forgery (CSRF) vulnerability in Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before, Logic Version v6.00 - 2025_07_21 allows a remote attacker to execute arbitrary code via the /bh_web_backend component | ||||
| CVE-2025-0248 | 1 Hcltech | 1 Hcl Inotes | 2025-11-27 | 8.1 High |
| HCL iNotes is susceptible to a Reflected Cross-site Scripting (XSS) vulnerability caused by improper validation of user-supplied input. A remote, unauthenticated attacker can specially craft a URL to execute script in a victim's Web browser within the security context of the hosting Web site and/or steal the victim's cookie-based authentication credentials. | ||||
| CVE-2025-10554 | 1 Dassault | 1 Enovia Product Manager | 2025-11-27 | 8.7 High |
| A stored Cross-site Scripting (XSS) vulnerability affecting Requirements in ENOVIA Product Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session. | ||||
| CVE-2025-13589 | 1 Otsuka | 1 Fms | 2025-11-27 | N/A |
| FMS developed by Otsuka Information Technology has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks. | ||||
| CVE-2025-13068 | 2 Milmor, Wordpress | 2 Telegram Bot & Channel, Wordpress | 2025-11-27 | 7.2 High |
| The Telegram Bot & Channel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Telegram username in all versions up to, and including, 4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-58990 | 2 Hasthemes, Wordpress | 2 Shoplentor, Wordpress | 2025-11-26 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HasTech ShopLentor allows Stored XSS. This issue affects ShopLentor: from n/a through 3.2.0. | ||||
| CVE-2025-5352 | 2 Lunary, Lunary-ai | 2 Lunary, Lunary | 2025-11-26 | 9.6 Critical |
| A critical stored Cross-Site Scripting (XSS) vulnerability exists in the Analytics component of lunary-ai/lunary versions up to 1.9.23, where the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable is directly injected into the DOM using dangerouslySetInnerHTML without any sanitization or validation. This allows arbitrary JavaScript execution in all users' browsers if an attacker can control the environment variable during deployment or through server compromise. The vulnerability can lead to complete account takeover, data exfiltration, malware distribution, and persistent attacks affecting all users until the environment variable is cleaned. The issue is fixed in version 1.9.25. | ||||
| CVE-2025-55124 | 2 Revive, Revive-adserver | 2 Adserver, Revive Adserver | 2025-11-26 | N/A |
| Improper neutralisation of input in Revive Adserver 6.0.0+ causes a reflected XSS attack in the banner-zone.php script. | ||||
| CVE-2024-49790 | 1 Ibm | 2 Watson Assistant For Ibm Cloud Pak For Data, Watson Studio On Cloud Pak For Data | 2025-11-26 | 5.4 Medium |
| IBM Watson Studio on Cloud Pak for Data 4.0 and 5.0 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | ||||
| CVE-2025-65012 | 1 Getkirby | 1 Kirby | 2025-11-26 | 5.4 Medium |
| Kirby is an open-source content management system. From versions 5.0.0 to 5.1.3, attackers could change the title of any page or the name of any user to a malicious string. Then they could modify any content field of the same model without saving, making the model a candidate for display in the "Changes" dialog. If another authenticated user subsequently opened the dialog in their Panel, the malicious code would be executed. This vulnerability affects all Kirby 5 sites that might have potential attackers in the group of authenticated Panel users or that allow external visitors to update page titles or usernames. The attack requires user interaction by another Panel user and cannot be automated. This issue has been patched in version 5.1.4. | ||||
| CVE-2025-13206 | 3 Givewp, Stellarwp, Wordpress | 3 Givewp, Givewp, Wordpress | 2025-11-26 | 7.2 High |
| The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 4.13.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Avatars must be enabled in the WordPress install in order to exploit the vulnerability. | ||||
| CVE-2025-64027 | 1 Snipeitapp | 1 Snipe-it | 2025-11-26 | 6.1 Medium |
| Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progress_message value that is rendered as raw HTML in the admin interface. An attacker can intercept and modify the POST /livewire/update request to inject arbitrary HTML or JavaScript into the progress_message. Because the server accepts the modified input without sanitization and reflects it back to the user, arbitrary JavaScript executes in the browser of any authenticated admin who views the import page. NOTE: this is disputed by the Supplier because the report only demonstrates that an authenticated user can choose to conduct a man-in-the-middle attack against himself. | ||||
| CVE-2025-64339 | 2 Clip-bucket, Oxygenz | 2 Clipbucket, Clipbucket | 2025-11-26 | 5.4 Medium |
| ClipBucket v5 is an open source video sharing platform. In versions 5.5.2-#146 and below, the Manage Playlists feature is vulnerable to stored Cross-site Scripting (XSS),specifically in the Playlist Name field. An authenticated low-privileged user can create a playlist with a malicious name containing HTML/JavaScript code, which is rendered unescaped on playlist detail and listing pages. This results in arbitrary JavaScript execution in every viewer’s browser, including administrators. This issue is fixed in version 5.5.2-#147. | ||||
| CVE-2025-64442 | 1 Humhub | 1 Humhub | 2025-11-26 | 6.1 Medium |
| HumHub is an Open Source Enterprise Social Network. Versions below 1.17.4 have a XSS vulnerability in the Meta-Search feature which allows malicious input to be executed in search previews. This issue is fixed in version 1.17.4. | ||||
| CVE-2025-64495 | 2 Open-webui, Openwebui | 2 Open-webui, Open Webui | 2025-11-26 | 8.7 High |
| Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. In versions 0.6.34 and below, the functionality that inserts custom prompts into the chat window is vulnerable to DOM XSS when 'Insert Prompt as Rich Text' is enabled, since the prompt body is assigned to the DOM sink .innerHtml without sanitisation. Any user with permissions to create prompts can abuse this to plant a payload that could be triggered by other users if they run the corresponding / command to insert the prompt. This issue is fixed in version 0.6.35. | ||||
| CVE-2025-12920 | 2 Foxcms, Qianfox | 2 Foxcms, Foxcms | 2025-11-26 | 2.4 Low |
| A flaw has been found in qianfox FoxCMS up to 1.2.16. Affected by this vulnerability is the function add/edit of the file app/admin/controller/Product.php. This manipulation of the argument Title causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||