Total
40648 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-35029 | 1 Medical Informatics Engineering | 1 Enterprise Health | 2025-12-02 | 3.5 Low |
| Medical Informatics Engineering Enterprise Health has a stored cross site scripting vulnerability that allows an authenticated attacker to add arbitrary content in the 'Demographic Information' page. This content will be rendered and executed when a victim accesses it. This issue is fixed as of 2025-03-14. | ||||
| CVE-2025-66403 | 1 Filerise | 1 Filerise | 2025-12-02 | 4.6 Medium |
| FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to 2.2.3, a stored cross-site scripting (XSS) vulnerability exists in the Filerise application due to improper handling of uploaded SVG files. The application accepts user-supplied SVG uploads without sanitizing or restricting embedded script content. When a malicious SVG containing inline JavaScript or event-based payloads is uploaded, it is later rendered directly in the browser whenever viewed within the application. Because SVGs are XML-based and allow scripting, they execute in the origin context of the application, enabling full stored XSS. This vulnerability is fixed in 2.2.3. | ||||
| CVE-2025-64030 | 1 Chinasystems | 1 Eximbills Enterprise | 2025-12-02 | 5.4 Medium |
| Eximbills Enterprise 4.1.5 (Built on 2020-10-30) is vulnerable to authenticated stored cross-site scripting (CWE-79) via the /EximBillWeb/servlets/WSTrxManager endpoint. Unsanitized user input in the TMPL_INFO parameter is stored server-side and rendered to other users, enabling arbitrary JavaScript execution in their browsers. | ||||
| CVE-2025-63526 | 2 Blood Bank Management System Project, Shridharshukl | 2 Blood Bank Management System, Blood Bank Management System | 2025-12-02 | 8.5 High |
| A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System within the abs.php component. The application fails to properly sanitize or encode user-supplied input before rendering it in response. An attacker can inject malicious JavaScript payloads into the msg parameter, which is then executed in the victim's browser when the page is viewed. | ||||
| CVE-2025-63528 | 2 Blood Bank Management System Project, Shridharshukl | 2 Blood Bank Management System, Blood Bank Management System | 2025-12-02 | 8.5 High |
| A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the blooddinfo.php component. The application fails to properly sanitize or encode user-supplied input before rendering it in response. An attacker can inject malicious JavaScript payloads into the error parameter, which is then executed in the victim's browser when the page is viewed. | ||||
| CVE-2025-63527 | 2 Blood Bank Management System Project, Shridharshukl | 2 Blood Bank Management System, Blood Bank Management System | 2025-12-02 | 8.5 High |
| A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the updateprofile.php and hprofile.php components. The application fails to properly sanitize or encode user-supplied input before rendering it in response. An attacker can inject malicious JavaScript payloads into the hname, hemail, hpassword, hphone, hcity parameters, which are then executed in the victim's browser when the page is viewed. | ||||
| CVE-2025-63520 | 1 Feehi | 2 Feehi Cms, Feehicms | 2025-12-02 | 6.1 Medium |
| Cross Site Scripting (XSS) vulnerability in FeehiCMS 2.1.1 via the id parameter of the User Update function (?r=user%2Fupdate). | ||||
| CVE-2021-26829 | 3 Linux, Microsoft, Scadabr | 3 Linux Kernel, Windows, Scadabr | 2025-12-02 | 5.4 Medium |
| OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows stored XSS via system_settings.shtm. | ||||
| CVE-2025-13577 | 1 Phpgurukul | 1 Hostel Management System | 2025-12-02 | 3.5 Low |
| A flaw has been found in PHPGurukul Hostel Management System 2.1. The impacted element is an unknown function of the file /register-complaint.php. Executing manipulation of the argument cdetails can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been published and may be used. | ||||
| CVE-2025-64047 | 1 Openrapid | 1 Rapidcms | 2025-12-02 | 6.1 Medium |
| OpenRapid RapidCMS 1.3.1 is vulnerable to Cross Site Scripting (XSS) in /user/user-move.php. | ||||
| CVE-2025-52662 | 2 Nuxt, Vercel | 2 Nuxt, Vercel | 2025-12-01 | 6.9 Medium |
| A vulnerability in Nuxt DevTools has been fixed in version **2.6.4***. This issue may have allowed Nuxt auth token extraction via XSS under certain configurations. All users are encouraged to upgrade. More details: https://vercel.com/changelog/cve-2025-52662-xss-on-nuxt-devtools | ||||
| CVE-2025-59025 | 1 Open-xchange | 1 Ox App Suite | 2025-12-01 | 6.1 Medium |
| Malicious e-mail content can be used to execute script code. Unintended actions can be executed in the context of the users account, including exfiltration of sensitive information. Sanitization has been updated to avoid such bypasses. No publicly available exploits are known | ||||
| CVE-2025-59026 | 1 Open-xchange | 1 Ox App Suite | 2025-12-01 | 5.4 Medium |
| Malicious content uploaded as file can be used to execute script code when following attacker-controlled links. Unintended actions can be executed in the context of the users account, including exfiltration of sensitive information. Please deploy the provided updates and patch releases. No publicly available exploits are known | ||||
| CVE-2025-63834 | 1 Tenda | 2 Ac18, Ac18 Firmware | 2025-12-01 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability was discovered in Tenda AC18 v15.03.05.05_multi. The vulnerability exists in the ssid parameter of the wireless settings. Remote attackers can inject malicious payloads that execute when any user visits the router's homepage. | ||||
| CVE-2025-63709 | 2 Chuck24, Sourcecodester | 2 Simple To-do List System, Simple Todo List System | 2025-12-01 | 5.4 Medium |
| A Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Simple To-Do List System 1.0 in the "Add Tasks" text input. An authenticated user can submit HTML/JavaScript that is not correctly sanitized or encoded on output. The injected script is stored and later rendered in the browser of any user who views the task, allowing execution of arbitrary script in the context of the victim's browser. | ||||
| CVE-2025-55126 | 1 Revive | 1 Adserver | 2025-12-01 | N/A |
| HackerOne community member Dang Hung Vi (vidang04) has reported a stored XSS vulnerability involving the navigation box at the top of advertiser-related pages, with campaign names being the vector for the stored XSS | ||||
| CVE-2025-27208 | 2 Revive, Revive-adserver | 2 Adserver, Revive Adserver | 2025-12-01 | 6.1 Medium |
| A reflected Cross-Site Scripting (XSS) vulnerability has been identified in Revive Adserver version 5.5.2. An attacker could trick a user with access to the user interface of a Revive Adserver instance into clicking on a specifically crafted URL and execute injected JavaScript code in the context of the victim's browser. The session cookie cannot be accessed, but a number of other operations could be performed. The vulnerability is present in the admin-search.php file and can be exploited via the compact parameter. | ||||
| CVE-2025-8155 | 2 D-link, Dlink | 3 Dcs-6010l, Dcs-6010l, Dcs-6010l Firmware | 2025-12-01 | 3.5 Low |
| A vulnerability has been found in D-Link DCS-6010L 1.15.03 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /vb.htm of the component Management Application. The manipulation of the argument paratest leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2025-10244 | 1 Autodesk | 1 Fusion | 2025-12-01 | 8.7 High |
| A maliciously crafted HTML payload, when rendered by the Autodesk Fusion desktop application, can trigger a Stored Cross-site Scripting (XSS) vulnerability. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process. | ||||
| CVE-2025-36088 | 1 Ibm | 5 Diamondback Tape Library, Diamondback Tape Library Firmware, Storage Ts4500 Library and 2 more | 2025-12-01 | 5.4 Medium |
| IBM TS4500 1.11.0.0-D00, 1.11.0.1-C00, 1.11.0.2-C00, and 1.10.00-F00 web GUI is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | ||||