Vulnerabilities (CVE)

Filtered by CWE-79
Total 41650 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-49553 3 Adobe, Apple, Microsoft 3 Connect, Macos, Windows 2025-10-17 N/A 9.3 CRITICAL
Adobe Connect versions 12.9 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by an attacker to execute malicious scripts in a victim's browser. Exploitation of this issue requires user interaction in that a victim must navigate to a crafted web page. A successful attacker can abuse this to achieve session takeover, raising the confidentiality and integrity impact to high. Scope is changed.
CVE-2025-57877 1 Esri 1 Portal For Arcgis 2025-10-17 N/A 4.8 MEDIUM
There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.
CVE-2025-57876 1 Esri 1 Portal For Arcgis 2025-10-17 N/A 4.8 MEDIUM
There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, authenticated attacker to inject a malicious file with an embedded XSS script which, when loaded, could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.
CVE-2025-57875 1 Esri 1 Portal For Arcgis 2025-10-17 N/A 4.8 MEDIUM
There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.
CVE-2025-57874 1 Esri 1 Portal For Arcgis 2025-10-17 N/A 4.8 MEDIUM
There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.
CVE-2025-57873 1 Esri 1 Portal For Arcgis 2025-10-17 N/A 4.8 MEDIUM
There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.
CVE-2025-57871 1 Esri 1 Portal For Arcgis 2025-10-17 N/A 4.8 MEDIUM
There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.
CVE-2025-11663 1 Campcodes 1 Online Beauty Parlor Management System 2025-10-17 5.8 MEDIUM 4.7 MEDIUM
A weakness has been identified in Campcodes Online Beauty Parlor Management System 1.0. The affected element is an unknown function of the file /admin/manage-services.php. This manipulation of the argument sername causes SQL injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited.
CVE-2025-54089 1 Absolute 1 Secure Access 2025-10-16 N/A 3.4 LOW
CVE-2025-54089 is a cross-site scripting vulnerability in versions of Secure Access prior to 14.10. Attackers with administrative access to the console can interfere with another administrator’s access to the console. The attack complexity is low; there are no attack requirements. Privileges required to execute the attack are high and the victim must actively participate in the attack sequence. There is no impact to confidentiality or availability; there is a low impact to integrity.
CVE-2025-56807 1 Fairsketch 1 Rise Ultimate Project Manager 2025-10-16 N/A 6.1 MEDIUM
A cross-site scripting (XSS) vulnerability in FairSketch RISE Ultimate Project Manager & CRM 3.9.4 allows an administrator to store a JavaScript payload using the file explorer in the admin dashboard when creating new folders.
CVE-2025-11146 1 Apt-cacher-ng Project 1 Apt-cacher-ng 2025-10-16 N/A 5.4 MEDIUM
Reflected Cross-site scripting (XSS) in Apt-Cacher-NG v3.2.1. The vulnerability allows an attacker to execute malicious scripts (XSS) in the web management application. The vulnerability is caused by improper handling of GET inputs included in the URL in “/acng-report.html”.
CVE-2025-11147 1 Apt-cacher-ng Project 1 Apt-cacher-ng 2025-10-16 N/A 5.4 MEDIUM
Reflected cross-site scripting (XSS) in Apt-Cacher-NG v3.2.1. The vulnerability allows malicious scripts (XSS) to be executed in “/html/<filename>.html”.
CVE-2025-55996 1 Rakuten 1 Viber 2025-10-16 N/A 6.3 MEDIUM
Viber Desktop 25.6.0 is vulnerable to HTML Injection via the text parameter of the message compose/forward interface.
CVE-2025-56795 1 Mealie 1 Mealie 2025-10-16 N/A 9.0 CRITICAL
Mealie 3.0.1 and earlier is vulnerable to Stored Cross-Site Scripting (XSS) in the recipe creation functionality. Unsanitized user input in the "note" and "text" fields of the "/api/recipes/{recipe_name}" endpoint is rendered in the frontend without proper escaping leading to persistent XSS.
CVE-2025-60308 1 Fabian 1 Simple Online Hotel Reservation System 2025-10-16 N/A 4.1 MEDIUM
code-projects Simple Online Hotel Reservation System 1.0 has a Cross Site Scripting (XSS) vulnerability in the Add Room function of the online hotel reservation system. Malicious JavaScript code is entered in the Description field, which can leak the administrator's cookie information when browsing this room information.
CVE-2025-45585 1 Audi 2 Universal Traffic Recorder, Universal Traffic Recorder Firmware 2025-10-16 N/A 5.4 MEDIUM
Multiple stored cross-site scripting (XSS) vulnerabilities in Audi UTR 2.0 Universal Traffic Recorder 2.0 allow attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the wifi_sta_ssid or wifi_ap_ssid parameters.
CVE-2025-60374 2025-10-16 N/A 6.1 MEDIUM
Stored Cross-Site Scripting (XSS) in Perfex CRM chatbot before 3.3.1 allows attackers to inject arbitrary HTML/JavaScript. The payload is executed in the browsers of users viewing the chat, resulting in client-side code execution, potential session token theft, and other malicious actions. A different vulnerability than CVE-2024-8867.
CVE-2025-58115 2025-10-16 N/A 6.1 MEDIUM
ChatLuck contains a cross-site scripting vulnerability in Guest User Sign-up. If exploited, an arbitrary script may be executed on the web browser of the user who is accessing the product.
CVE-2025-62380 2025-10-16 N/A N/A
mailgen is a Node.js package that generates responsive HTML e-mails for sending transactional mail. Mailgen versions through 2.0.31 contain an HTML injection vulnerability in plaintext emails generated with the generatePlaintext method when user generated content is supplied. The plaintext generation code attempts to strip HTML tags using a regular expression and then decodes HTML entities, but tags that include certain Unicode line separator characters are not matched and removed. These encoded tags are later decoded into valid HTML content, allowing unexpected HTML to remain in output intended to be plaintext. Projects are affected if they call Mailgen.generatePlaintext with untrusted input and then render or otherwise process the returned string in a context where HTML is interpreted. This can lead to execution of attacker supplied script in the victim’s browser. Version 2.0.32 fixes the issue.
CVE-2025-54859 2025-10-16 N/A 4.8 MEDIUM
Stored cross-site scripting (XSS) vulnerability in desknet's NEO V9.0R2.0 and earlier allows execution of arbitrary JavaScript in a user’s web browser.