Total
41631 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-10244 | 1 Autodesk | 1 Fusion | 2025-12-01 | N/A | 8.7 HIGH |
| A maliciously crafted HTML payload, when rendered by the Autodesk Fusion desktop application, can trigger a Stored Cross-site Scripting (XSS) vulnerability. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process. | |||||
| CVE-2025-36088 | 1 Ibm | 4 Diamondback Tape Library, Diamondback Tape Library Firmware, Storage Ts4500 Library and 1 more | 2025-12-01 | N/A | 5.4 MEDIUM |
| IBM TS4500 1.11.0.0-D00, 1.11.0.1-C00, 1.11.0.2-C00, and 1.10.00-F00 web GUI is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | |||||
| CVE-2025-28977 | 1 Thimpress | 1 Wp Pipes | 2025-12-01 | N/A | 7.1 HIGH |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress WP Pipes allows Reflected XSS. This issue affects WP Pipes: from n/a through 1.4.3. | |||||
| CVE-2024-51723 | 1 Blackberry | 1 Athoc | 2025-12-01 | N/A | 4.6 MEDIUM |
| A Stored Cross-Site Scripting (XSS) vulnerability in the Management Console of BlackBerry AtHoc version 7.15 could allow an attacker to potentially execute actions in the context of the victim's session. | |||||
| CVE-2025-45778 | 1 Languagesloth | 1 The Language Sloth | 2025-12-01 | N/A | 6.1 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in The Language Sloth Web Application v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Description text field. | |||||
| CVE-2025-64048 | 1 Yccms | 1 Yccms | 2025-12-01 | N/A | 6.1 MEDIUM |
| YCCMS 3.4 contains a stored cross-site scripting (XSS) vulnerability in the article management functionality. The vulnerability exists in the add() and getPost() functions within the ArticleAction.class.php file due to improper neutralization of user input in the article title field. | |||||
| CVE-2025-64130 | 2025-12-01 | N/A | 9.8 CRITICAL | ||
| Zenitel TCIV-3+ is vulnerable to a reflected cross-site scripting vulnerability, which could allow a remote attacker to execute arbitrary JavaScript on the victim's browser. | |||||
| CVE-2025-9163 | 2025-12-01 | N/A | 6.1 MEDIUM | ||
| The Houzez theme for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.1.6 due to insufficient input sanitization and output escaping in the houzez_property_img_upload() and houzez_property_attachment_upload() functions. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | |||||
| CVE-2025-30186 | 2025-12-01 | N/A | 5.4 MEDIUM | ||
| Malicious content uploaded as file can be used to execute script code when following attacker-controlled links. Unintended actions can be executed in the context of the users account, including exfiltration of sensitive information. Please deploy the provided updates and patch releases. No publicly available exploits are known | |||||
| CVE-2025-12670 | 2025-12-01 | N/A | 6.4 MEDIUM | ||
| The wp-twitpic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters of the 'twitpic' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-59025 | 2025-12-01 | N/A | 6.1 MEDIUM | ||
| Malicious e-mail content can be used to execute script code. Unintended actions can be executed in the context of the users account, including exfiltration of sensitive information. Sanitization has been updated to avoid such bypasses. No publicly available exploits are known | |||||
| CVE-2025-12712 | 2025-12-01 | N/A | 6.4 MEDIUM | ||
| The Shouty plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the shouty shortcode in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-41070 | 2025-12-01 | N/A | N/A | ||
| Reflected Cross-site Scripting (XSS) vulnerability in Sanoma's Clickedu. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL in '/students/carpetes_varies.php'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. | |||||
| CVE-2025-13525 | 2025-12-01 | N/A | 6.1 MEDIUM | ||
| The WP Directory Kit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'order_by' parameter in all versions up to, and including, 1.4.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2025-66036 | 2025-12-01 | N/A | 6.1 MEDIUM | ||
| Retro is an online platform providing items of vintage collections. Prior to version 2.4.7, Retro is vulnerable to a cross-site scripting (XSS) in the input handling component. This issue has been patched in version 2.4.7. | |||||
| CVE-2025-12666 | 2025-12-01 | N/A | 6.4 MEDIUM | ||
| The Google Drive upload and download link plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' parameter of the 'atachfilegoogle' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-66040 | 2025-12-01 | N/A | 3.6 LOW | ||
| Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting (XSS) vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's browser during OAuth authentication. This issue has been patched in version 2.25.2. | |||||
| CVE-2025-12151 | 2025-12-01 | N/A | 6.4 MEDIUM | ||
| The Simple Folio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'portfolio_name' parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-12123 | 2025-12-01 | N/A | 6.1 MEDIUM | ||
| The Customer Reviews Collector for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email-text' parameter in all versions up to, and including, 4.6.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2025-66421 | 2025-12-01 | N/A | 5.4 MEDIUM | ||
| Tryton sao (aka tryton-sao) before 7.6.11 allows XSS because it does not escape completion values. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.69. | |||||