Total
40545 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-11332 | 1 Cmseasy | 1 Cmseasy | 2025-12-12 | 3.5 Low |
| A vulnerability was determined in CmsEasy up to 7.7.7. This affects an unknown function in the library lib/inc/view.php of the component URL Handler. Executing manipulation of the argument PHP_SELF can lead to cross site scripting. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-65289 | 2 Mercury, Mercurycom | 3 Mr816v2, Mr816, Mr816 Firmware | 2025-12-12 | 6.1 Medium |
| A stored Cross site scripting (XSS) vulnerability in the Mercury MR816v2 (081C3114 4.8.7 Build 110427 Rel 36550n) router allows a remote attacker on the LAN to inject JavaScript into the router's management UI by submitting a malicious hostname. The injected script is stored and later executed in the context of an administrator's browser (for example after DHCP release/renew triggers the interface to display the stored hostname). Because the management interface uses weak/basic authentication and does not properly protect or isolate session material, the XSS can be used to exfiltrate the admin session and perform administrative actions. | ||||
| CVE-2025-63848 | 1 Swi-prolog | 2 Swi-prolog, Swish | 2025-12-12 | 6.1 Medium |
| Stored cross site scripting (xss) vulnerability in SWISH prolog thru 2.2.0 allowing attackers to execute arbitrary code via crafted web IDE notebook. | ||||
| CVE-2025-54676 | 2 Vcita, Wordpress | 3 Online Booking & Scheduling Calendar For Wordpress By Vcita, Online Booking \& Scheduling Calendar, Wordpress | 2025-12-12 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita allows Stored XSS. This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through 4.5.3. | ||||
| CVE-2025-14201 | 1 Alokjaiswal | 1 Hotel-management-services-using-mysql-and-php | 2025-12-12 | 2.4 Low |
| A vulnerability was found in alokjaiswal Hotel-Management-services-using-MYSQL-and-php up to 5f8b60a7aa6c06a5632de569d4e3f6a8cd82f76f. Affected by this vulnerability is an unknown functionality of the file /dishsub.php. The manipulation of the argument item.name results in cross site scripting. It is possible to launch the attack remotely. The exploit has been made public and could be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-63035 | 2 Vibethemes, Wordpress | 2 Wordpress Learning Management System , Wordpress | 2025-12-12 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VibeThemes WPLMS wplms_plugin allows DOM-Based XSS.This issue affects WPLMS: from n/a through <= 1.9.9.5.4. | ||||
| CVE-2025-63737 | 2 Rockoa, Xinhu | 2 Rockoa, Rockoa | 2025-12-12 | 6.1 Medium |
| Cross-site scripting (XSS) vulnerability in function urltestAction in file cliAction.php in Xinhu Rainrock RockOA 2.7.0 allows remote attackers to inject arbitrary web script or HTML via the m parameter to the task.php endpoint. | ||||
| CVE-2025-61078 | 1 Phpipam | 1 Phpipam | 2025-12-12 | 6.1 Medium |
| Cross-site scripting (XSS) vulnerability in Request IP form in phpIPAM v1.7.3 allows remote attackers to inject arbitrary web script or HTML via the instructions parameter for the /app/admin/instructions/edit-result.php endpoint. | ||||
| CVE-2025-36135 | 1 Ibm | 2 Sterling B2b Integrator, Sterling File Gateway | 2025-12-11 | 5.4 Medium |
| IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.7_1, 6.2.0.0 through 6.2.0.5, and 6.2.1.0 and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7_1, 6.2.0.0 through 6.2.0.5, and 6.2.1.0 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | ||||
| CVE-2025-61261 | 2 Angular, Ckeditor | 2 Angular, Ckeditor5 | 2025-12-11 | 5.4 Medium |
| A reflected cross-site scripting (XSS) vulnerability in CKeditor v46.1.0 & Angular v18.0.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload. | ||||
| CVE-2025-36239 | 1 Ibm | 5 Diamondback Tape Library, Diamondback Tape Library Firmware, Storage Ts4500 Library and 2 more | 2025-12-11 | 6.1 Medium |
| IBM Storage TS4500 Library 1.11.0.0 and 2.11.0.0 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | ||||
| CVE-2025-43811 | 1 Liferay | 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more | 2025-12-11 | 5.4 Medium |
| Multiple stored cross-site scripting (XSS) vulnerability in the related asset selector in Liferay Portal 7.4.3.50 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.7, and 7.4 update 50 through update 92 allows remote authenticated attackers to inject arbitrary web script or HTML via a crafted payload injected into an asset author’s (1) First Name, (2) Middle Name, or (3) Last Name text field. | ||||
| CVE-2025-43815 | 1 Liferay | 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more | 2025-12-11 | 6.1 Medium |
| Reflected cross-site scripting (XSS) vulnerability on the page configuration page in Liferay Portal 7.4.3.102 through 7.4.3.110, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, and 2023.Q3.5 allows remote attackers to inject arbitrary web script or HTML via the com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURLTitle parameter. | ||||
| CVE-2025-43818 | 1 Liferay | 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more | 2025-12-11 | 6.1 Medium |
| Cross-site scripting (XSS) vulnerability in the Calendar widget in Liferay Portal 7.4.3.35 through 7.4.3.110, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.6, 7.4 update 35 through update 92, and 7.3 update 25 through update 36 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Calendar's “Name” text field | ||||
| CVE-2025-43820 | 1 Liferay | 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more | 2025-12-11 | 5.4 Medium |
| Multiple cross-site scripting (XSS) vulnerabilities in the Calendar widget when inviting users to a event in Liferay Portal 7.4.3.35 through 7.4.3.110, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.6, 7.4 update 35 through update 92, and 7.3 update 25 through update 35 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user’s (1) First Name, (2) Middle text, or (3) Last Name text fields. | ||||
| CVE-2025-43812 | 1 Liferay | 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more | 2025-12-11 | 5.4 Medium |
| Cross-site scripting (XSS) vulnerability in web content template in Liferay Portal 7.4.3.4 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into a web content structure's Name text field | ||||
| CVE-2025-43817 | 1 Liferay | 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more | 2025-12-11 | 6.1 Medium |
| Multiple reflected cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.3.74 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.6, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 74 through update 92 allow remote attackers to inject arbitrary web script or HTML via the `redirect` parameter to (1) Announcements, or (2) Alerts. | ||||
| CVE-2025-66561 | 1 Syslifters | 1 Sysreptor | 2025-12-11 | 7.3 High |
| SysReptor is a fully customizable pentest reporting platform. Prior to 2025.102, there is a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated users to execute malicious JavaScript in the context of other logged-in users by uploading malicious JavaScript files in the web UI. This vulnerability is fixed in 2025.102. | ||||
| CVE-2025-8897 | 1 Fastlinemedia | 1 Beaver Builder | 2025-12-11 | 6.1 Medium |
| The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘'fl_builder' parameter in all versions up to, and including, 2.9.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-55321 | 1 Microsoft | 1 Azure Monitor | 2025-12-11 | 9.3 Critical |
| Improper neutralization of input during web page generation ('cross-site scripting') in Azure Monitor allows an unauthorized attacker to perform spoofing over a network. | ||||