Total
41665 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-60144 | 2025-09-26 | N/A | 5.9 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in yonifre Lenix scss compiler allows Stored XSS. This issue affects Lenix scss compiler: from n/a through 1.2. | |||||
| CVE-2025-4957 | 2025-09-26 | N/A | 7.1 HIGH | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metagauss ProfileGrid allows Reflected XSS. This issue affects ProfileGrid : from n/a through 5.9.5.7. | |||||
| CVE-2025-9490 | 2025-09-26 | N/A | 6.4 MEDIUM | ||
| The Popup Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title’ parameter in all versions up to, and including, 1.20.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-60186 | 2025-09-26 | N/A | 5.9 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Moss Google+ Comments allows Stored XSS. This issue affects Google+ Comments: from n/a through 1.0. | |||||
| CVE-2025-60133 | 2025-09-26 | N/A | 5.9 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DJ-Extensions.com PE Easy Slider allows Stored XSS. This issue affects PE Easy Slider: from n/a through 1.1.0. | |||||
| CVE-2025-60105 | 2025-09-26 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in metaphorcreations Ditty allows Stored XSS. This issue affects Ditty: from n/a through 3.1.58. | |||||
| CVE-2025-60112 | 2025-09-26 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Balkhi aThemes Addons for Elementor allows Stored XSS. This issue affects aThemes Addons for Elementor: from n/a through 1.1.3. | |||||
| CVE-2025-26210 | 1 Deepseek | 3 Deepseek-r1, Deepseek-v2, Deepseek-v3 | 2025-09-26 | N/A | 8.8 HIGH |
| DeepSeek R1 through V3.1 allows XSS, as demonstrated by JavaScript execution in the context of the run-html-chat.deepseeksvc.com domain. NOTE: some third parties have indicated that this is intended behavior. | |||||
| CVE-2025-48062 | 1 Discourse | 1 Discourse | 2025-09-26 | N/A | 7.1 HIGH |
| Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, certain invites via email may result in HTML injection in the email body if the topic title includes HTML. This includes inviting someone (without an account) to a PM and inviting someone (without an account) to a topic with a custom message. This issue is patched in version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch. This can be worked around if the relevant templates are overridden without `{topic_title}`. | |||||
| CVE-2024-56328 | 1 Discourse | 1 Discourse | 2025-09-26 | N/A | 6.5 MEDIUM |
| Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript on users' browsers by posting a maliciously crafted onebox url. This issue only affects sites with CSP disabled. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should enable CSP, disable inline Oneboxes globally, or allow specific domains for Oneboxing. | |||||
| CVE-2025-22602 | 1 Discourse | 1 Discourse | 2025-09-26 | N/A | 6.5 MEDIUM |
| Discourse is an open source platform for community discussion. In affected versions an attacker can execute arbitrary JavaScript on users' browsers by posting a malicious video placeholder html element. This issue only affects sites with CSP disabled. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should enable CSP. | |||||
| CVE-2025-8934 | 1 1000projects | 1 Sales Management System | 2025-09-25 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability has been found in 1000 Projects Sales Management System 1.0. Affected is an unknown function of the file /sales.php. The manipulation of the argument select2112 leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-8933 | 1 1000projects | 1 Sales Management System | 2025-09-25 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was identified in 1000 Projects Sales Management System 1.0. This issue affects some unknown processing of the file /superstore/admin/sales.php. The manipulation of the argument ssalescat leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-48954 | 1 Discourse | 1 Discourse | 2025-09-25 | N/A | 8.1 HIGH |
| Discourse is an open-source discussion platform. Versions prior to 3.5.0.beta6 are vulnerable to cross-site scripting when the content security policy isn't enabled when using social logins. Version 3.5.0.beta6 patches the issue. As a workaround, have the content security policy enabled. | |||||
| CVE-2024-47772 | 1 Discourse | 1 Discourse | 2025-09-25 | N/A | 6.5 MEDIUM |
| Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript on users' browsers by sending a maliciously crafted chat message and replying to it. This issue only affects sites with CSP disabled. This problem is patched in the latest version of Discourse. All users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled on the forum. Users who do upgrade should also consider enabling a CSP as well as a proactive measure. | |||||
| CVE-2024-53266 | 1 Discourse | 1 Discourse | 2025-09-25 | N/A | 4.3 MEDIUM |
| Discourse is an open source platform for community discussion. In affected versions with some combinations of plugins, and with CSP disabled, activity streams in the user's profile page may be vulnerable to XSS. This has been patched in the latest version of Discourse core. Users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled. | |||||
| CVE-2025-10794 | 1 Phpgurukul | 1 Car Rental Project | 2025-09-25 | 5.0 MEDIUM | 4.3 MEDIUM |
| A flaw has been found in PHPGurukul Car Rental Project 3.0. Affected by this issue is some unknown functionality of the file /carrental/search.php. Executing manipulation of the argument autofocus can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been published and may be used. | |||||
| CVE-2024-7394 | 1 Concretecms | 1 Concrete Cms | 2025-09-25 | N/A | 4.8 MEDIUM |
| Concrete CMS versions 9 through 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in getAttributeSetName(). A rogue administrator could inject malicious code. The Concrete CMS team gave this a CVSS v4.0 rank of 4.6 with vector https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks, m3dium for reporting. (CNA updated this risk rank on 20 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC) | |||||
| CVE-2024-4350 | 1 Concretecms | 1 Concrete Cms | 2025-09-25 | N/A | 4.8 MEDIUM |
| Concrete CMS versions 9.0.0 to 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer when user input is stored and later embedded into responses. A rogue administrator could inject malicious code into fields due to insufficient input validation. The Concrete CMS security team gave this vulnerability a CVSS v4 score of 5.1 with vector https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Thanks, m3dium for reporting. (CNA updated this risk rank on 17 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC) | |||||
| CVE-2025-10827 | 1 Phpjabbers | 1 Restaurant Menu Maker | 2025-09-25 | 5.0 MEDIUM | 4.3 MEDIUM |
| A weakness has been identified in PHPJabbers Restaurant Menu Maker up to 1.1. Affected by this issue is some unknown functionality of the file /preview.php. This manipulation of the argument theme causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. | |||||