Total
40547 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-63064 | 1 Wordpress | 1 Wordpress | 2025-12-10 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ashanjay EventON eventon allows Stored XSS.This issue affects EventON: from n/a through <= 4.9.12. | ||||
| CVE-2025-63073 | 2 Dream-theme, Wordpress | 2 The7, Wordpress | 2025-12-10 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dream-Theme The7 dt-the7 allows DOM-Based XSS.This issue affects The7: from n/a through <= 12.8.0.2. | ||||
| CVE-2025-63075 | 2 Muffingroup, Wordpress | 2 Betheme, Wordpress | 2025-12-10 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in muffingroup Betheme betheme allows DOM-Based XSS.This issue affects Betheme: from n/a through <= 28.1.7. | ||||
| CVE-2025-14205 | 2 Code-projects, Fabian | 2 Chamber Of Commerce Membership Management System, Chamber Of Commerce Membership Management System | 2025-12-10 | 2.4 Low |
| A vulnerability was found in code-projects Chamber of Commerce Membership Management System 1.0. Impacted is an unknown function of the file /membership_profile.php of the component Your Info Handler. Performing manipulation of the argument Full Name/Address/City/State results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been made public and could be used. | ||||
| CVE-2025-6946 | 1 Watchguard | 29 Firebox M270, Firebox M290, Firebox M370 and 26 more | 2025-12-10 | 4.8 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS allows Stored XSS via the IPS module. This vulnerability requires an authenticated administrator session to a locally managed Firebox. This issue affects Firebox: from 12.0 through 12.11.2. | ||||
| CVE-2025-13939 | 1 Watchguard | 35 Firebox M270, Firebox M290, Firebox M370 and 32 more | 2025-12-10 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (Gateway Wireless Controller module) allows Stored XSS.This issue affects Fireware OS 11.7.2 up to and including 11.12.4+541730, 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2. | ||||
| CVE-2025-13938 | 1 Watchguard | 35 Firebox M270, Firebox M290, Firebox M370 and 32 more | 2025-12-10 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (Autotask Technology Integration module) allows Stored XSS.This issue affects Fireware OS 12.4 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2. | ||||
| CVE-2025-13937 | 1 Watchguard | 35 Firebox M270, Firebox M290, Firebox M370 and 32 more | 2025-12-10 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (ConnectWise Technology Integration module) allows Stored XSS.This issue affects Fireware OS 12.4 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2. | ||||
| CVE-2025-13936 | 1 Watchguard | 35 Firebox M270, Firebox M290, Firebox M370 and 32 more | 2025-12-10 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (Tigerpaw Technology Integration module) allows Stored XSS.This issue affects Fireware OS 12.4 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2. | ||||
| CVE-2025-49959 | 2 Bbpress, Wordpress | 2 Bbpress, Wordpress | 2025-12-10 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pascal Casier bbPress Move Topics bbp-move-topics allows Reflected XSS.This issue affects bbPress Move Topics: from n/a through <= 1.1.6. | ||||
| CVE-2025-49960 | 2 Leadbi, Wordpress | 2 Leadbi Plugin, Wordpress | 2025-12-10 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in leadbi LeadBI Plugin for WordPress leadbi allows Stored XSS.This issue affects LeadBI Plugin for WordPress: from n/a through <= 1.7. | ||||
| CVE-2025-49962 | 2 Usestrict, Wordpress | 2 Bbpress Notify, Wordpress | 2025-12-10 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in useStrict bbPress Notify bbpress-notify-nospam allows Reflected XSS.This issue affects bbPress Notify: from n/a through <= 2.19.4. | ||||
| CVE-2025-49963 | 2 Growniche, Wordpress | 2 Simple Stripe Checkout, Wordpress | 2025-12-10 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in growniche Simple Stripe Checkout simple-stripe-checkout allows Reflected XSS.This issue affects Simple Stripe Checkout: from n/a through <= 1.1.28. | ||||
| CVE-2025-65959 | 2 Open-webui, Openwebui | 2 Open-webui, Open Webui | 2025-12-10 | 8.7 High |
| Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Stored XSS vulnerability was discovered in Open-WebUI's Notes PDF download functionality. An attacker can import a Markdown file containing malicious SVG tags into Notes, allowing them to execute arbitrary JavaScript code and steal session tokens when a victim downloads the note as PDF. This vulnerability can be exploited by any authenticated user, and unauthenticated external attackers can steal session tokens from users (both admin and regular users) by sharing specially crafted markdown files. This vulnerability is fixed in 0.6.37. | ||||
| CVE-2024-38156 | 1 Microsoft | 2 Edge, Edge Chromium | 2025-12-09 | 6.1 Medium |
| Microsoft Edge (Chromium-based) Spoofing Vulnerability | ||||
| CVE-2024-35267 | 1 Microsoft | 1 Azure Devops Server | 2025-12-09 | 7.6 High |
| Azure DevOps Server Spoofing Vulnerability | ||||
| CVE-2024-35266 | 1 Microsoft | 1 Azure Devops Server | 2025-12-09 | 7.6 High |
| Azure DevOps Server Spoofing Vulnerability | ||||
| CVE-2025-34397 | 1 Mailenable | 1 Mailenable | 2025-12-09 | 6.1 Medium |
| MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the Message parameter of /Mobile/Compose.aspx. The Message value is not properly sanitized when processed via a GET request and is reflected into a JavaScript context in the response. By supplying a crafted payload that terminates the existing script block/function, injects attacker-controlled JavaScript, and comments out the remaining code, a remote attacker can execute arbitrary JavaScript in a victim’s browser when the victim opens the crafted reply URL. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user. | ||||
| CVE-2025-34398 | 1 Mailenable | 1 Mailenable | 2025-12-09 | 6.1 Medium |
| MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the AddressesBcc parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. The AddressesBcc value is not properly sanitized when processed via a GET request and is reflected within a <script> block in the JavaScript variable var sAddrBcc. By supplying a crafted payload that terminates the existing LoadCurAddresses() function, inserts attacker-controlled script, and comments out remaining code, a remote attacker can execute arbitrary JavaScript in a victim’s browser when the victim attempts to send an email. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, and perform actions as the authenticated user. | ||||
| CVE-2025-34401 | 1 Mailenable | 1 Mailenable | 2025-12-09 | 6.1 Medium |
| MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the FieldBcc parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. The FieldBcc value is not properly sanitized when processed via a GET request and is reflected inside a <script> block in the JavaScript variable var BCCFieldProvided. By supplying a crafted payload that terminates the existing LoadCurAddresses() function, inserts attacker-controlled script, and comments out remaining code, a remote attacker can execute arbitrary JavaScript in a victim’s browser during normal email composition. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user. | ||||