Total
42026 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-3578 | 1 Metagauss | 1 Profilegrid | 2025-04-30 | N/A | 6.1 MEDIUM |
| The ProfileGrid WordPress plugin before 5.1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2022-3484 | 1 Wpb Show Core Project | 1 Wpb Show Core | 2025-04-30 | N/A | 6.1 MEDIUM |
| The WPB Show Core WordPress plugin does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. | |||||
| CVE-2022-38146 | 1 Silverstripe | 1 Framework | 2025-04-30 | N/A | 5.4 MEDIUM |
| Silverstripe silverstripe/framework through 4.11 allows XSS (issue 2 of 3). | |||||
| CVE-2025-46237 | 1 Ylefebvre | 1 Link Library | 2025-04-30 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Yannick Lefebvre Link Library allows Stored XSS. This issue affects Link Library: from n/a through 7.8. | |||||
| CVE-2025-30149 | 1 Open-emr | 1 Openemr | 2025-04-30 | N/A | 6.4 MEDIUM |
| OpenEMR is a free and open source electronic health records and medical practice management application. OpenEMR allows reflected cross-site scripting (XSS) in the AJAX Script interface\super\layout_listitems_ajax.php via the target parameter. This vulnerability is fixed in 7.0.3. | |||||
| CVE-2025-1524 | 1 Davidvongries | 1 Ultimate Dashboard | 2025-04-30 | N/A | 3.5 LOW |
| The Ultimate Dashboard WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2025-1525 | 1 Davidvongries | 1 Ultimate Dashboard | 2025-04-30 | N/A | 3.5 LOW |
| The Ultimate Dashboard WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2025-46238 | 1 Rolandbaer | 1 List Last Changes | 2025-04-30 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rbaer List Last Changes allows Stored XSS. This issue affects List Last Changes: from n/a through 1.2.1. | |||||
| CVE-2025-46250 | 1 Vikasratudi | 1 Lifetime Free Drag \& Drop Contact Form Builder | 2025-04-30 | N/A | 5.9 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vikas Ratudi VForm allows Stored XSS. This issue affects VForm: from n/a through 3.1.14. | |||||
| CVE-2022-45380 | 1 Jenkins | 1 Junit | 2025-04-30 | N/A | 5.4 MEDIUM |
| Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-43694 | 1 Concretecms | 1 Concrete Cms | 2025-04-30 | N/A | 6.1 MEDIUM |
| Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the image manipulation library due to un-sanitized output. | |||||
| CVE-2022-42954 | 1 Keyfactor | 1 Kefactor Ejbca | 2025-04-30 | N/A | 5.4 MEDIUM |
| Keyfactor EJBCA before 7.10.0 allows XSS. | |||||
| CVE-2022-42119 | 1 Liferay | 2 Dxp, Liferay Portal | 2025-04-30 | N/A | 5.4 MEDIUM |
| Certain Liferay products are vulnerable to Cross Site Scripting (XSS) via the Commerce module. This affects Liferay Portal 7.3.5 through 7.4.2 and Liferay DXP 7.3 before update 8. | |||||
| CVE-2022-36432 | 1 Amasty | 1 Blog Pro | 2025-04-30 | N/A | 5.4 MEDIUM |
| The Preview functionality in the Amasty Blog Pro 2.10.3 plugin for Magento 2 uses eval unsafely. This allows attackers to perform Cross-site Scripting attacks on admin panel users by manipulating the generated preview application response. | |||||
| CVE-2025-46253 | 1 Wpmet | 1 Gutenkit | 2025-04-30 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ataur R GutenKit allows Stored XSS. This issue affects GutenKit: from n/a through 2.2.2. | |||||
| CVE-2025-46254 | 1 Visualcomposer | 1 Visual Composer Website Builder | 2025-04-30 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Visual Composer Visual Composer Website Builder allows Stored XSS. This issue affects Visual Composer Website Builder: from n/a through 45.10.0. | |||||
| CVE-2022-45382 | 1 Jenkins | 1 Naginator | 2025-04-30 | N/A | 5.4 MEDIUM |
| Jenkins Naginator Plugin 1.18.1 and earlier does not escape display names of source builds in builds that were triggered via Retry action, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to edit build display names. | |||||
| CVE-2025-3457 | 1 Oceanwp | 1 Ocean Extra | 2025-04-30 | N/A | 6.4 MEDIUM |
| The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'oceanwp_icon' shortcode in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-3458 | 1 Oceanwp | 1 Ocean Extra | 2025-04-30 | N/A | 6.4 MEDIUM |
| The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ocean_gallery_id’ parameter in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The Classic Editor plugin must be installed and activated to exploit the vulnerability. | |||||
| CVE-2025-25431 | 1 Trendnet | 2 Tew-929dru, Tew-929dru Firmware | 2025-04-30 | N/A | 4.8 MEDIUM |
| Trendnet TEW-929DRU 1.0.0.10 contains a Stored Cross-site Scripting (XSS) vulnerability via the The ssid key of wifi_data parameter on the /captive_portal.htm page. | |||||