Total
41693 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-34157 | 1 Coollabs | 1 Coolify | 2025-09-19 | N/A | 9.0 CRITICAL |
| Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. An authenticated user with low privileges can create a project with a maliciously crafted name containing embedded JavaScript. When an administrator attempts to delete the project or its associated resource, the payload executes in the admin’s browser context. This results in full compromise of the Coolify instance, including theft of API tokens, session cookies, and access to WebSocket-based terminal sessions on managed servers. | |||||
| CVE-2025-10711 | 2025-09-19 | 5.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability has been found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 20250831. This vulnerability affects unknown code of the file /index.php/sysmanage/Login. Such manipulation of the argument Name leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-8664 | 2025-09-19 | N/A | 6.3 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Saysis Computer Systems Trade Ltd. Co. StarCities E-Municipality Management allows Cross-Site Scripting (XSS).This issue affects StarCities E-Municipality Management: before 20250825. | |||||
| CVE-2025-9969 | 2025-09-19 | N/A | 7.1 HIGH | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Vizly Web Design Real Estate Packages allows Content Spoofing, CAPEC - 593 - Session Hijacking, CAPEC - 591 - Reflected XSS.This issue affects Real Estate Packages: before 5.1. | |||||
| CVE-2025-10710 | 2025-09-19 | 5.0 MEDIUM | 4.3 MEDIUM | ||
| A flaw has been found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 20250831. This affects an unknown part of the file /index.php. This manipulation of the argument Name causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-10146 | 2025-09-19 | N/A | 6.1 MEDIUM | ||
| The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘user_ids’ parameter in all versions up to, and including, 3.3.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2025-43861 | 1 Miraheze | 1 Managewiki | 2025-09-19 | N/A | 4.4 MEDIUM |
| ManageWiki is a MediaWiki extension allowing users to manage wikis. Prior to commit 2f177dc, ManageWiki is vulnerable to reflected or stored XSS in the review dialog. A logged-in attacker must change a form field to include a malicious payload. If that same user then opens the "Review Changes" dialog, the payload will be rendered and executed in the context of their own session. This issue has been patched in commit 2f177dc. | |||||
| CVE-2019-25225 | 1 Apostrophecms | 1 Sanitize-html | 2025-09-19 | N/A | 6.1 MEDIUM |
| `sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The `sanitizeHtml()` function in `index.js` does not sanitize content when using the custom `transformTags` option, which is intended to convert attribute values into text. As a result, malicious input can be transformed into executable code. | |||||
| CVE-2014-125128 | 1 Apostrophecms | 1 Sanitize-html | 2025-09-19 | N/A | 6.1 MEDIUM |
| 'sanitize-html' prior to version 1.0.3 is vulnerable to Cross-site Scripting (XSS). The function 'naughtyHref' doesn't properly validate the hyperreference (`href`) attribute in anchor tags (`<a>`), allowing bypasses that contain different casings, whitespace characters, or hexadecimal encodings. | |||||
| CVE-2024-25175 | 1 Kickdler | 1 Kickdler | 2025-09-19 | N/A | 6.1 MEDIUM |
| An issue in Kickdler before v1.107.0 allows attackers to provide an XSS payload via a HTTP response splitting attack. | |||||
| CVE-2024-4216 | 2 Fedoraproject, Pgadmin | 2 Fedora, Pgadmin 4 | 2025-09-19 | N/A | 7.4 HIGH |
| pgAdmin <= 8.5 is affected by XSS vulnerability in /settings/store API response json payload. This vulnerability allows attackers to execute malicious script at the client end. | |||||
| CVE-2025-9851 | 2025-09-19 | N/A | 6.4 MEDIUM | ||
| The Appointmind plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'appointmind_calendar' shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-2404 | 2025-09-19 | N/A | 4.3 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ubit Information Technologies STOYS allows Cross-Site Scripting (XSS).This issue affects STOYS: from 2 before 20250916. | |||||
| CVE-2025-52074 | 1 Phpgurukul | 1 Online Shopping Portal | 2025-09-18 | N/A | 6.1 MEDIUM |
| PHPGURUKUL Online Shopping Portal 2.1 is vulnerable to Cross Site Scripting (XSS) due to lack of input sanitization in the quantity parameter when adding a product to the cart. | |||||
| CVE-2025-44593 | 1 Halo | 1 Halo | 2025-09-18 | N/A | 6.1 MEDIUM |
| Halo prior to 2.20.13 allows bypassing file type detection and uploading malicious files such as .exe and .html files. Specifically, .html files can trigger stored XSS vulnerabilities. This vulnerability is fixed in 2.20.13 | |||||
| CVE-2025-44595 | 1 Halo | 1 Halo | 2025-09-18 | N/A | 6.1 MEDIUM |
| Halo v2.20.17 and before is vulnerable to Cross Site Scripting (XSS) in /halo_host/archives/{name}. | |||||
| CVE-2025-58768 | 1 Thinkinai | 1 Deepchat | 2025-09-18 | N/A | 9.6 CRITICAL |
| DeepChat is a smart assistant uses artificial intelligence. Prior to version 0.3.5, in the Mermaid chart rendering component, there is a risky operation of directly using `innerHTML` to set user content. Therefore, any malicious content rendered via Mermaid will directly trigger the exploit chain, leading to command execution. This vulnerability is primarily caused by a failure to fully address the existing XSS issue in the project, leading to another exploit chain. The exploit chain is consistent with the report GHSA-hqr4-4gfc-5p2j, executing arbitrary JavaScript code via XSS and arbitrary commands via exposed IPC. Version 0.3.5 contains an updated fix. | |||||
| CVE-2025-10590 | 1 Portabilis | 1 I-educar | 2025-09-18 | 5.0 MEDIUM | 4.3 MEDIUM |
| A security flaw has been discovered in Portabilis i-Educar up to 2.10. The impacted element is an unknown function of the file /intranet/educar_usuario_det.php. The manipulation of the argument ref_pessoa results in cross site scripting. The attack can be executed remotely. The exploit has been released to the public and may be exploited. | |||||
| CVE-2025-10591 | 1 Portabilis | 1 I-educar | 2025-09-18 | 4.0 MEDIUM | 3.5 LOW |
| A weakness has been identified in Portabilis i-Educar up to 2.10. This affects an unknown function of the file /intranet/educar_funcao_cad.php of the component Editar Função Page. This manipulation of the argument abreviatura/tipoacao causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. | |||||
| CVE-2025-10605 | 1 Portabilis | 1 I-educar | 2025-09-18 | 5.0 MEDIUM | 4.3 MEDIUM |
| A security flaw has been discovered in Portabilis i-Educar up to 2.10. This vulnerability affects unknown code of the file /agenda_preferencias.php. The manipulation of the argument tipoacao results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be exploited. | |||||