Total
40647 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-1648 | 1 Fraserxu | 1 Electron-pdf | 2025-12-03 | 7.5 High |
| electron-pdf version 20.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the HTML content entered by the user. | ||||
| CVE-2024-1647 | 3 Kumaf, Pyhtml2pdf, Pyhtml2pdf Project | 3 Pyhtml2pdf, Pyhtml2pdf, Pyhtml2pdf | 2025-12-03 | 7.5 High |
| Pyhtml2pdf version 0.0.6 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the HTML content entered by the user. | ||||
| CVE-2024-27287 | 1 Esphome | 1 Esphome | 2025-12-03 | 6.5 Medium |
| ESPHome is a system to control your ESP8266/ESP32 for Home Automation systems. Starting in version 2023.12.9 and prior to version 2024.2.2, editing the configuration file API in dashboard component of ESPHome version 2023.12.9 (command line installation and Home Assistant add-on) serves unsanitized data with `Content-Type: text/html; charset=UTF-8`, allowing a remote authenticated user to inject arbitrary web script and exfiltrate session cookies via Cross-Site scripting. It is possible for a malicious authenticated user to inject arbitrary Javascript in configuration files using a POST request to the /edit endpoint, the configuration parameter allows to specify the file to write. To trigger the XSS vulnerability, the victim must visit the page` /edit?configuration=[xss file]`. Abusing this vulnerability a malicious actor could perform operations on the dashboard on the behalf of a logged user, access sensitive information, create, edit and delete configuration files and flash firmware on managed boards. In addition to this, cookies are not correctly secured, allowing the exfiltration of session cookie values. Version 2024.2.2 contains a patch for this issue. | ||||
| CVE-2025-7969 | 2 Markdown-it, Markdown-it Project | 2 Markdown-it, Markdown-it | 2025-12-03 | 6.3 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in markdown-it allows Cross-Site Scripting (XSS). This vulnerability is associated with program files lib/renderer.mjs. This issue affects markdown-it: 14.1.0. NOTE: the Supplier does not consider this issue to be a vulnerability. | ||||
| CVE-2025-65676 | 1 Classroomio | 1 Classroomio | 2025-12-03 | 5.4 Medium |
| Stored Cross site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG cover images. | ||||
| CVE-2025-4779 | 2 Lunary, Lunary-ai | 2 Lunary, Lunary | 2025-12-03 | 6.1 Medium |
| lunary-ai/lunary versions prior to 1.9.24 are vulnerable to stored cross-site scripting (XSS). An unauthenticated attacker can inject malicious JavaScript into the `v1/runs/ingest` endpoint by adding an empty `citations` field, triggering a code path where `dangerouslySetInnerHTML` is used to render attacker-controlled text. This vulnerability allows the execution of arbitrary JavaScript in the context of the user's browser, potentially leading to session hijacking, data theft, or other malicious actions. | ||||
| CVE-2025-65956 | 1 Formwork Project | 1 Formwork | 2025-12-03 | 6.5 Medium |
| Formwork is a flat file-based Content Management System (CMS). Prior to version 2.2.0, inserting unsanitized data into the blog tag field results in stored cross‑site scripting (XSS). Any user with credentials to the Formwork CMS who accesses or edits an affected blog post will have attacker‑controlled script executed in their browser. The issue is persistent and impacts privileged administrative workflows. This issue has been patched in version 2.2.0. | ||||
| CVE-2025-64070 | 2 Remyandrade, Sourcecodester | 2 Student Grades Management System, Student Grades Management System | 2025-12-03 | 5.4 Medium |
| Sourcecodester Student Grades Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in the Add New Subject Description field. | ||||
| CVE-2023-0835 | 1 Markdown-pdf Project | 1 Markdown-pdf | 2025-12-03 | 8.2 High |
| markdown-pdf version 11.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the Markdown content entered by the user. | ||||
| CVE-2025-10931 | 2 Drupal, Umami | 3 Drupal, Umami Analytics, Umami Analytics | 2025-12-03 | 3.8 Low |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Umami Analytics allows Cross-Site Scripting (XSS).This issue affects Umami Analytics: from 0.0.0 before 1.0.1. | ||||
| CVE-2022-43984 | 1 Spatie | 1 Browsershot | 2025-12-03 | 8.2 High |
| Browsershot version 3.57.3 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that the JS content imported from an external source passed to the Browsershot::html method does not contain URLs that use the file:// protocol. | ||||
| CVE-2025-12083 | 2 Drupal, Salsa.digital | 3 Civictheme Design System, Drupal, Civictheme Design System | 2025-12-03 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal CivicTheme Design System allows Cross-Site Scripting (XSS).This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0. | ||||
| CVE-2022-41706 | 1 Spatie | 1 Browsershot | 2025-12-03 | 8.2 High |
| Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the URL protocol passed to the Browsershot::url method. | ||||
| CVE-2025-39663 | 1 Checkmk | 1 Checkmk | 2025-12-03 | 8.4 High |
| Cross-Site Scripting (XSS) vulnerability in Checkmk's distributed monitoring allows a compromised remote site to inject malicious HTML code into service outputs in the central site. Affecting Checkmk before 2.4.0p14, 2.3.0p39, 2.2.0 and 2.1.0 (eol). | ||||
| CVE-2022-43983 | 1 Spatie | 1 Browsershot | 2025-12-03 | 8.2 High |
| Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that the HTML content passed to the Browsershot::html method does not contain URL's that use the file:// protocol. | ||||
| CVE-2025-66359 | 1 Logpoint | 1 Siem | 2025-12-03 | 8.5 High |
| An issue was discovered in Logpoint before 7.7.0. Insufficient input validation and a lack of output escaping in multiple components leads to a cross-site scripting (XSS) vulnerability. | ||||
| CVE-2025-65622 | 1 Snipeitapp | 1 Snipe-it | 2025-12-03 | 5.4 Medium |
| Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user to inject JavaScript that executes in another user's session. | ||||
| CVE-2025-65961 | 1 Contao | 1 Contao | 2025-12-03 | 3.3 Low |
| Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, it is possible to inject code into the template output that will be executed in the browser in the front end and back end. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A workaround for this issue involves not using the affected templates or patch them manually. | ||||
| CVE-2025-64049 | 1 Redaxo | 2 Redaxo, Redaxo Cms | 2025-12-03 | 4.8 Medium |
| A stored cross-site scripting (XSS) vulnerability in the module management component in REDAXO CMS 5.20.0 allows remote users to inject arbitrary web script or HTML via the Output code field in modules. The payload is executed when a user views or edits an article by adding slice that uses the compromised module. | ||||
| CVE-2025-66258 | 1 Dbbroadcast | 45 Mozart Dds Next 100, Mozart Dds Next 1000, Mozart Dds Next 1000 Firmware and 42 more | 2025-12-03 | 5.4 Medium |
| Stored Cross-Site Scripting via XML Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Stored XSS via crafted filenames injected into patchlist.xml. User-controlled filenames are directly concatenated into `patchlist.xml` without encoding, allowing injection of malicious JavaScript payloads via crafted filenames (e.g., `<img src=x onerror=alert()>.bin`). The XSS executes when ajax.js processes and renders the XML file. | ||||