Total
41631 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-66026 | 1 Redaxo | 1 Redaxo | 2025-12-03 | N/A | 6.1 MEDIUM |
| REDAXO is a PHP-based CMS. Prior to version 5.20.1, a reflected Cross-Site Scripting (XSS) vulnerability exists in the Mediapool view where the request parameter args[types] is rendered into an info banner without HTML-escaping. This allows arbitrary JavaScript execution in the backend context when an authenticated user visits a crafted link while logged in. This issue has been patched in version 5.20.1. | |||||
| CVE-2025-51734 | 1 Hcltech | 1 Unica | 2025-12-02 | N/A | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in HCL Technologies Ltd. Unica 12.0.0. | |||||
| CVE-2025-52667 | 1 Revive-adserver | 1 Revive Adserver | 2025-12-02 | N/A | 5.4 MEDIUM |
| Missing JSON Content-Type header in a script in Revive Adserver 6.0.1 and 5.5.2 and earlier versions causes a stored XSS attack to be possible for a logged in manager user. | |||||
| CVE-2025-52668 | 1 Revive-adserver | 1 Revive Adserver | 2025-12-02 | N/A | 5.4 MEDIUM |
| Improper input neutralization in the stats-conversions.php script in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes potential information disclosure and session hijacking via a stored XSS attack. | |||||
| CVE-2025-56526 | 1 Cinnamon | 1 Kotaemon | 2025-12-02 | N/A | 6.1 MEDIUM |
| Cross site scripting (XSS) vulnerability in Kotaemon 0.11.0 allowing attackers to execute arbitrary code via a crafted PDF. | |||||
| CVE-2025-13697 | 2025-12-02 | N/A | 6.4 MEDIUM | ||
| The BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘timestamp’ attribute in all versions up to, and including, 2.2.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-13007 | 2025-12-02 | N/A | 6.1 MEDIUM | ||
| The WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping on externally-sourced content. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, granted they can post malicious content to a connected Google Business Profile or Facebook page. | |||||
| CVE-2025-13731 | 2025-12-02 | N/A | 6.4 MEDIUM | ||
| The Nexter Extension – Site Enhancements Toolkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'nxt-year' shortcode in all versions up to, and including, 4.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-66412 | 2025-12-02 | N/A | N/A | ||
| Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 21.0.2, 20.3.15, and 19.2.17, A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. It occurs because the compiler's internal security schema is incomplete, allowing attackers to bypass Angular's built-in security sanitization. Specifically, the schema fails to classify certain URL-holding attributes (e.g., those that could contain javascript: URLs) as requiring strict URL security, enabling the injection of malicious scripts. This vulnerability is fixed in 21.0.2, 20.3.15, and 19.2.17. | |||||
| CVE-2025-13387 | 2025-12-02 | N/A | 7.2 HIGH | ||
| The Kadence WooCommerce Email Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer name in all versions up to, and including, 1.5.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-13577 | 1 Phpgurukul | 1 Hostel Management System | 2025-12-02 | 4.0 MEDIUM | 3.5 LOW |
| A flaw has been found in PHPGurukul Hostel Management System 2.1. The impacted element is an unknown function of the file /register-complaint.php. Executing manipulation of the argument cdetails can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been published and may be used. | |||||
| CVE-2025-64047 | 1 Openrapid | 1 Rapidcms | 2025-12-02 | N/A | 6.1 MEDIUM |
| OpenRapid RapidCMS 1.3.1 is vulnerable to Cross Site Scripting (XSS) in /user/user-move.php. | |||||
| CVE-2025-63520 | 1 Feehi | 1 Feehicms | 2025-12-02 | N/A | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in FeehiCMS 2.1.1 via the id parameter of the User Update function (?r=user%2Fupdate). | |||||
| CVE-2025-63526 | 1 Shridharshukl | 1 Blood Bank Management System | 2025-12-02 | N/A | 8.5 HIGH |
| A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System within the abs.php component. The application fails to properly sanitize or encode user-supplied input before rendering it in response. An attacker can inject malicious JavaScript payloads into the msg parameter, which is then executed in the victim's browser when the page is viewed. | |||||
| CVE-2025-63527 | 1 Shridharshukl | 1 Blood Bank Management System | 2025-12-02 | N/A | 8.5 HIGH |
| A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the updateprofile.php and hprofile.php components. The application fails to properly sanitize or encode user-supplied input before rendering it in response. An attacker can inject malicious JavaScript payloads into the hname, hemail, hpassword, hphone, hcity parameters, which are then executed in the victim's browser when the page is viewed. | |||||
| CVE-2025-63528 | 1 Shridharshukl | 1 Blood Bank Management System | 2025-12-02 | N/A | 8.5 HIGH |
| A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the blooddinfo.php component. The application fails to properly sanitize or encode user-supplied input before rendering it in response. An attacker can inject malicious JavaScript payloads into the error parameter, which is then executed in the victim's browser when the page is viewed. | |||||
| CVE-2025-63834 | 1 Tenda | 2 Ac18, Ac18 Firmware | 2025-12-01 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability was discovered in Tenda AC18 v15.03.05.05_multi. The vulnerability exists in the ssid parameter of the wireless settings. Remote attackers can inject malicious payloads that execute when any user visits the router's homepage. | |||||
| CVE-2025-63709 | 1 Chuck24 | 1 Simple To-do List System | 2025-12-01 | N/A | 5.4 MEDIUM |
| A Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Simple To-Do List System 1.0 in the "Add Tasks" text input. An authenticated user can submit HTML/JavaScript that is not correctly sanitized or encoded on output. The injected script is stored and later rendered in the browser of any user who views the task, allowing execution of arbitrary script in the context of the victim's browser. | |||||
| CVE-2025-27208 | 1 Revive-adserver | 1 Revive Adserver | 2025-12-01 | N/A | 6.1 MEDIUM |
| A reflected Cross-Site Scripting (XSS) vulnerability has been identified in Revive Adserver version 5.5.2. An attacker could trick a user with access to the user interface of a Revive Adserver instance into clicking on a specifically crafted URL and execute injected JavaScript code in the context of the victim's browser. The session cookie cannot be accessed, but a number of other operations could be performed. The vulnerability is present in the admin-search.php file and can be exploited via the compact parameter. | |||||
| CVE-2025-8155 | 1 Dlink | 2 Dcs-6010l, Dcs-6010l Firmware | 2025-12-01 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability has been found in D-Link DCS-6010L 1.15.03 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /vb.htm of the component Management Application. The manipulation of the argument paratest leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | |||||