Total
40382 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-55123 | 2 Revive, Revive-adserver | 2 Adserver, Revive Adserver | 2025-12-05 | 5.4 Medium |
| Improper neutralization of input in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes manager accounts to be able to craft XSS attacks to their own advertiser users. | ||||
| CVE-2017-1000236 | 1 Scilico | 1 I\, Librarian | 2025-12-05 | 6.1 Medium |
| I, Librarian version <=4.6 & 4.7 is vulnerable to Reflected Cross-Site Scripting in the temp.php resulting in an attacker being able to inject malicious client side scripting which will be executed in the browser of users if they visit the manipulated site. | ||||
| CVE-2023-3021 | 1 Scilico | 1 I\, Librarian | 2025-12-05 | 5.4 Medium |
| Cross-site Scripting (XSS) - Stored in GitHub repository mkucej/i-librarian-free prior to 5.10.4. | ||||
| CVE-2024-40500 | 2 I-librarian, Scilico | 2 I-librarian, I\, Librarian | 2025-12-05 | 8.8 High |
| Cross Site Scripting vulnerability in Martin Kucej i-librarian v.5.11.0 and before allows a local attacker to execute arbitrary code via the search function in the import component. | ||||
| CVE-2025-65516 | 1 Seafile | 1 Seafile | 2025-12-05 | 6.1 Medium |
| A stored cross-site scripting (XSS) vulnerability was discovered in Seafile Community Edition prior to version 13.0.12. When Seafile is configured with the Golang file server, an attacker can upload a crafted SVG file containing malicious JavaScript and share it using a public link. Opening the link triggers script execution in the victim's browser. This issue has been fixed in Seafile Community Edition 13.0.12. | ||||
| CVE-2018-1000139 | 1 Scilico | 1 I\, Librarian | 2025-12-05 | 6.1 Medium |
| I, Librarian version 4.8 and earlier contains a Cross Site Scripting (XSS) vulnerability in "id" parameter in stable.php that can result in an attacker using the XSS to send a malicious script to an unsuspecting user. | ||||
| CVE-2012-3842 | 1 Directadmin | 1 Directadmin | 2025-12-05 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in CMD_DOMAIN in JBMC Software DirectAdmin 1.403 allow remote authenticated users with certain privileges to inject arbitrary web script or HTML via the (1) select0 or (2) select8 parameters. | ||||
| CVE-2024-8964 | 1 Sirv | 1 Sirv | 2025-12-05 | 6.4 Medium |
| The Image Optimizer, Resizer and CDN – Sirv plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 7.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | ||||
| CVE-2025-14006 | 1 Xunruicms | 1 Xunruicms | 2025-12-05 | 3.5 Low |
| A security vulnerability has been detected in dayrui XunRuiCMS up to 4.7.1. Affected by this issue is some unknown functionality of the file /admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=1 of the component Add Data Validation Page. The manipulation of the argument data[name] leads to cross site scripting. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-65215 | 2 Senior-walter, Sourcecodester | 2 Web-based Pharmacy Product Management System, Web-based Pharmacy Product Management System | 2025-12-05 | 6.1 Medium |
| Sourcecodester Web-based Pharmacy Product Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /product_expiry/add-supplier.php via the Supplier Name field. | ||||
| CVE-2025-65881 | 2 Oretnom23, Sourcecodester | 2 Zoo Management System, Zoo Management System | 2025-12-05 | 6.1 Medium |
| Sourcecodester Zoo Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /classes/Login.php. | ||||
| CVE-2025-65267 | 1 Frappe | 2 Erpnext, Frappe | 2025-12-05 | 9 Critical |
| In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting (XSS). Successful exploitation may lead to account takeover, privilege escalation, or full compromise of the affected ERPNext instance. | ||||
| CVE-2025-63499 | 1 Alinto | 1 Sogo | 2025-12-05 | 6.1 Medium |
| Alinto Sogo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the theme parameter. | ||||
| CVE-2025-20385 | 1 Splunk | 3 Splunk, Splunk Cloud Platform, Splunk Enterprise | 2025-12-05 | 2.4 Low |
| In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.6, 10.0.2503.7, and 9.3.2411.117, a user who holds a role with a high privilege capability `admin_all_objects` could craft a malicious payload through the href attribute of an anchor tag within a collection in the navigation bar, which could result in execution of unauthorized JavaScript code in the browser of a user. | ||||
| CVE-2024-25599 | 2 Castos, Wordpress | 2 Seriously Simple Podcasting, Wordpress | 2025-12-05 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Castos Seriously Simple Podcasting allows Reflected XSS.This issue affects Seriously Simple Podcasting: from n/a through 3.0.2. | ||||
| CVE-2025-14007 | 1 Xunruicms | 1 Xunruicms | 2025-12-05 | 2 Low |
| A vulnerability was detected in dayrui XunRuiCMS up to 4.7.1. This affects an unknown part of the file /admin79f2ec220c7e.php?c=api&m=demo&name=mobile of the component Domain Name Binding Page. The manipulation results in cross site scripting. The attack may be performed from remote. A high complexity level is associated with this attack. It is indicated that the exploitability is difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-12804 | 2 Wordpress, Wpdevelop | 2 Wordpress, Booking Calendar | 2025-12-05 | 6.4 Medium |
| The Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'bookingcalendar' shortcode in all versions up to, and including, 10.14.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2023-49272 | 1 Jayesh | 1 Hotel Management System | 2025-12-05 | 5.4 Medium |
| Hotel Management v1.0 is vulnerable to multiple authenticated Reflected Cross-Site Scripting vulnerabilities. The 'children' parameter of the reservation.php resource is copied into the HTML document as plain text between tags. Any input is echoed unmodified in the application's response. | ||||
| CVE-2025-12417 | 2 Wordpress, Wpeka-club | 2 Wordpress, Surveyfunnel | 2025-12-05 | 6.4 Medium |
| The SurveyFunnel – Survey Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'surveyfunnel_lite_survey' shortcode in all versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-12124 | 2 Kenvindees, Wordpress | 2 Fitvids For Wordpress, Wordpress | 2025-12-05 | 4.4 Medium |
| The FitVids for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||