Total
41631 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-58465 | 1 Qnap | 3 Download Station, Qts, Quts Hero | 2025-11-17 | N/A | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability has been reported to affect Download Station. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: Download Station 5.10.0.305 ( 2025/09/16 ) and later Download Station 5.10.0.304 ( 2025/09/08 ) and later | |||||
| CVE-2025-41101 | 1 Fairsketch | 1 Rise Ultimate Project Manager | 2025-11-17 | N/A | 5.4 MEDIUM |
| HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consist of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'title' in'/projects/save'. | |||||
| CVE-2025-41102 | 1 Fairsketch | 1 Rise Ultimate Project Manager | 2025-11-17 | N/A | 5.4 MEDIUM |
| HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consist of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'title' in '/events/save'. | |||||
| CVE-2025-41103 | 1 Fairsketch | 1 Rise Ultimate Project Manager | 2025-11-17 | N/A | 5.4 MEDIUM |
| HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consist of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'reply_message' in '/messages/reply'. | |||||
| CVE-2025-41104 | 1 Fairsketch | 1 Rise Ultimate Project Manager | 2025-11-17 | N/A | 5.4 MEDIUM |
| HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consist of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'custom_field_1' in '/estimate_requests/save_estimate_request'. | |||||
| CVE-2025-41105 | 1 Fairsketch | 1 Rise Ultimate Project Manager | 2025-11-17 | N/A | 5.4 MEDIUM |
| HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consist of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'title' in '/tickets/save'. | |||||
| CVE-2025-41106 | 1 Fairsketch | 1 Rise Ultimate Project Manager | 2025-11-17 | N/A | 5.4 MEDIUM |
| HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consist of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'first_name' in '/clients/save_contact/'. | |||||
| CVE-2025-11189 | 1 Synchroweb | 1 Kiwire | 2025-11-17 | N/A | 7.3 HIGH |
| The Kiwire Captive Portal contains a reflected cross-site scripting (XSS) vulnerability within the login-url parameter, allowing for Javascript execution. | |||||
| CVE-2025-60378 | 1 Fairsketch | 1 Rise Ultimate Project Manager | 2025-11-17 | N/A | 8.1 HIGH |
| Stored HTML injection in RISE Ultimate Project Manager & CRM allows authenticated users to inject arbitrary HTML into invoices and messages. Injected content renders in emails, PDFs, and messaging/chat modules sent to clients or team members, enabling phishing, credential theft, and business email compromise. Automated recurring invoices and messaging amplify the risk by distributing malicious content to multiple recipients. | |||||
| CVE-2025-13097 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2025-11-17 | N/A | 5.4 MEDIUM |
| Inappropriate implementation in DevTools in Google Chrome prior to 136.0.7103.59 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2025-9647 | 1 Mtons | 1 Mblog | 2025-11-14 | 5.0 MEDIUM | 4.3 MEDIUM |
| A weakness has been identified in mtons mblog up to 3.5.0. This issue affects some unknown processing of the file /admin/role/list. This manipulation of the argument Name causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. | |||||
| CVE-2025-54168 | 1 Qnap | 1 Qulog Center | 2025-11-14 | N/A | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability has been reported to affect QuLog Center. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following version: QuLog Center 1.8.2.923 ( 2025/08/27 ) and later | |||||
| CVE-2025-57706 | 1 Qnap | 1 File Station | 2025-11-14 | N/A | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5018 and later | |||||
| CVE-2020-0656 | 1 Microsoft | 1 Dynamics 365 | 2025-11-14 | 3.5 LOW | 5.4 MEDIUM |
| A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web request to an affected Dynamics server, aka 'Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability'. | |||||
| CVE-2025-24297 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 9.8 CRITICAL |
| Due to lack of server-side input validation, attackers can inject malicious JavaScript code into users personal spaces of the web portal. | |||||
| CVE-2025-41107 | 1 Qdocs | 1 Smart School | 2025-11-14 | N/A | 5.4 MEDIUM |
| Stored Cross Site Scripting (XSS) vulnerability in Smart School 7.0 due to lack of proper validation of user input when sending a POST request to '/online_admission', wich affects the parameters 'firstname', 'lastname', 'guardian_name' and others. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal his/her session cookie details. | |||||
| CVE-2025-63645 | 2025-11-14 | N/A | 5.4 MEDIUM | ||
| A stored cross-site scripting (XSS) vulnerability exists in pH7Software pH7-Social-Dating-CMS 17.9.1 in the application's message system. Unsanitized message content submitted by one user is persisted by the server and later rendered in another user's Inbox view without appropriate context-aware encoding. As a result, attacker-controlled content executes in the recipient's browser context when the Inbox message is viewed. | |||||
| CVE-2025-12904 | 2025-11-14 | N/A | 7.2 HIGH | ||
| The SNORDIAN's H5PxAPIkatchu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'insert_data' AJAX endpoint in all versions up to, and including, 0.4.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-11769 | 2025-11-14 | N/A | 6.4 MEDIUM | ||
| The WordPress Content Flipper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bgcolor' shortcode attribute of the 'flipper_front' shortcode in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-10295 | 2025-11-14 | N/A | 6.4 MEDIUM | ||
| The Angel – Fashion Model Agency WordPress CMS Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting the profile media uploader in all versions up to, and including, 3.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This requires the user has access to the edit profile form with the media upload option. | |||||