Total
41631 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-7430 | 1 Zohocorp | 1 Manageengine Exchange Reporter Plus | 2025-11-21 | N/A | 7.3 HIGH |
| Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Folder Message Count and Size report. | |||||
| CVE-2025-7632 | 1 Zohocorp | 1 Manageengine Exchange Reporter Plus | 2025-11-21 | N/A | 7.3 HIGH |
| Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Public Folders report. | |||||
| CVE-2025-34032 | 1 Geoffrowland | 1 Jmol | 2025-11-20 | N/A | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the data parameter in jsmol.php. The application fails to properly sanitize user input before embedding it into the HTTP response, allowing an attacker to execute arbitrary JavaScript in the victim's browser by crafting a malicious link. This can be used to hijack user sessions or manipulate page content. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-02 UTC. | |||||
| CVE-2025-63514 | 1 Kishan0725 | 1 Hospital Management System | 2025-11-20 | N/A | 6.1 MEDIUM |
| kishan0725 Hospital Management System has a Cross-Site Scripting (XSS) vulnerability in appsearch.php via the email parameter. | |||||
| CVE-2025-63892 | 1 Remyandrade | 1 Student Grades Management System | 2025-11-20 | N/A | 6.8 MEDIUM |
| A vulnerability was determined in SourceCodester Student Grades Management System 1.0. Affected is the function create_classroom of the file /classroom.php of the component My Classrooms Management Page. This manipulation of the argument name/description causes stored cross site scripting. | |||||
| CVE-2021-4231 | 2 Angular, Angularjs | 2 Angular, Angularjs | 2025-11-20 | 3.5 LOW | 3.5 LOW |
| A vulnerability was found in Angular up to 11.0.4/11.1.0-next.2. It has been classified as problematic. Affected is the handling of comments. The manipulation leads to cross site scripting. It is possible to launch the attack remotely but it might require an authentication first. Upgrading to version 11.0.5 and 11.1.0-next.3 is able to address this issue. The name of the patch is ba8da742e3b243e8f43d4c63aa842b44e14f2b09. It is recommended to upgrade the affected component. | |||||
| CVE-2025-63708 | 1 Remyandrade | 1 Ai Font Matcher | 2025-11-20 | N/A | 6.1 MEDIUM |
| Cross-Site Scripting (XSS) vulnerability exists in SourceCodester AI Font Matcher (nid=18425, 2025-10-10) that allows remote attackers to execute arbitrary JavaScript in victims' browsers. The vulnerability occurs in the webfonts API handling mechanism where font family names are not properly sanitized. An attacker can intercept fetch requests to the webfonts endpoint and inject malicious JavaScript payloads through font family names, resulting in session cookie theft, account hijacking, and unauthorized actions performed on behalf of authenticated users. The vulnerability can be exploited by injecting a fetch hook that returns controlled font data containing malicious scripts. | |||||
| CVE-2019-14863 | 2 Angularjs, Redhat | 3 Angularjs, Decision Manager, Process Automation | 2025-11-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it. | |||||
| CVE-2020-7676 | 1 Angularjs | 1 Angularjs | 2025-11-20 | 3.5 LOW | 5.4 MEDIUM |
| angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping "<option>" elements in "<select>" ones changes parsing behavior, leading to possibly unsanitizing code. | |||||
| CVE-2022-25869 | 1 Angularjs | 1 Angularjs | 2025-11-20 | N/A | 4.2 MEDIUM |
| All versions of the package angular; all versions of the package angularjs.core; all versions of the package angularjs are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of <textarea> elements. | |||||
| CVE-2025-65013 | 1 Librenms | 1 Librenms | 2025-11-20 | N/A | 6.2 MEDIUM |
| LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.11.0, a reflected cross-site scripting (XSS) vulnerability was identified in the LibreNMS application at the /maps/nodeimage endpoint. The Image Name parameter is reflected in the HTTP response without proper output encoding or sanitization, allowing an attacker to craft a URL that, when visited by a victim, causes arbitrary JavaScript execution in the victim’s browser. This issue has been patched in version 25.11.0. | |||||
| CVE-2025-13343 | 1 Janobe | 1 Interview Management System | 2025-11-20 | 4.0 MEDIUM | 3.5 LOW |
| A security flaw has been discovered in SourceCodester Interview Management System 1.0. Affected is an unknown function of the file /editQuestion.php. The manipulation of the argument Question results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. | |||||
| CVE-2025-13349 | 1 Remyandrade | 1 Student Grades Management System | 2025-11-20 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability has been found in SourceCodester Student Grades Management System 1.0. This issue affects some unknown processing of the file /grades.php of the component Add New Grade Page. The manipulation of the argument Remarks leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-20304 | 1 Cisco | 1 Identity Services Engine | 2025-11-19 | N/A | 5.4 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to conduct a reflected XSS attack against a user of the interface. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker must have at least a low-privileged account on the affected device. | |||||
| CVE-2024-42749 | 1 Altocms | 1 Alto Cms | 2025-11-19 | N/A | 6.1 MEDIUM |
| Cross Site Scripting vulnerability in Alto CMS v.1.1.13 allows a local attacker to execute arbitrary code via a crafted script. | |||||
| CVE-2025-64302 | 1 Advantech | 1 Deviceon\/iedge | 2025-11-19 | N/A | 6.4 MEDIUM |
| Insufficient input sanitization in the dashboard label or path can allow an attacker to trigger a device error causing information disclosure or data manipulation. | |||||
| CVE-2025-3087 | 1 M-files | 1 M-files Web | 2025-11-19 | N/A | 5.4 MEDIUM |
| Stored XSS in M-Files Web versions from 25.1.14445.5 to 25.2.14524.4 allows an authenticated user to run scripts | |||||
| CVE-2025-11963 | 2025-11-19 | N/A | 5.4 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Saysis Computer Systems Trade Ltd. Co. StarCities allows Reflected XSS.This issue affects StarCities: before 1.1.61. | |||||
| CVE-2025-12484 | 2025-11-19 | N/A | 7.2 HIGH | ||
| The Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple social media username parameters in all versions up to, and including, 1.12.19 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-12710 | 2025-11-19 | N/A | 6.4 MEDIUM | ||
| The Pet-Manager – Petfinder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the kwm-petfinder shortcode in all versions up to, and including, 3.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||