Total
41604 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-65233 | 1 Slims Project | 1 Slims | 2026-01-05 | N/A | 6.1 MEDIUM |
| Reflected cross-site scripting (XSS) in SLiMS (slims9_bulian) before 9.6.0 via improper handling of $_SERVER['PHP_SELF' ] in index.php/sysconfig.inc.php, which allows remote attackers to execute arbitrary JavaScript in a victim's browser by supplying a crafted URL path. | |||||
| CVE-2021-47738 | 1 Cszcms | 1 Csz Cms | 2026-01-05 | N/A | 5.4 MEDIUM |
| CSZ CMS 1.2.7 contains a persistent cross-site scripting vulnerability that allows unauthorized users to embed malicious JavaScript in private messages. Attackers can send messages with script payloads in the user-agent header, which will execute when an admin views the message in the backend dashboard. | |||||
| CVE-2021-47732 | 1 Cmsimple | 1 Cmsimple | 2026-01-05 | N/A | 6.1 MEDIUM |
| CMSimple 5.2 contains a stored cross-site scripting vulnerability in the Filebrowser External input field that allows attackers to inject malicious JavaScript. Attackers can place unfiltered JavaScript code that executes when users click on Page or Files tabs, enabling persistent script injection. | |||||
| CVE-2024-6797 | 1 Dyadyalesha | 1 Dl Robots.txt | 2026-01-02 | N/A | 4.8 MEDIUM |
| The DL Robots.txt WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2025-13058 | 1 Extplorer | 1 Extplorer | 2026-01-02 | 4.0 MEDIUM | 3.5 LOW |
| A security flaw has been discovered in soerennb eXtplorer up to 2.1.15. The affected element is an unknown function of the component Filename Handler. The manipulation results in cross site scripting. The attack may be launched remotely. The patch is identified as 002def70b985f7012586df2c44368845bf405ab3. Applying a patch is advised to resolve this issue. | |||||
| CVE-2025-65237 | 1 Opencode | 1 Ussd Gateway | 2026-01-02 | N/A | 6.1 MEDIUM |
| A reflected cross-site scripted (XSS) vulnerability in OpenCode Systems USSD Gateway OC Release: 5 allows attackers to execute arbitrary JavaScript in the context of a user's browser via injecting a crafted payload. | |||||
| CVE-2025-35034 | 1 Mieweb | 1 Enterprise Health | 2026-01-02 | N/A | 4.3 MEDIUM |
| Medical Informatics Engineering Enterprise Health has a reflected cross site scripting vulnerability in the 'portlet_user_id' URL parameter. A remote, unauthenticated attacker can craft a URL that can execute arbitrary JavaScript in the victim's browser. This issue is fixed as of 2025-03-14. | |||||
| CVE-2025-68935 | 1 Onlyoffice | 1 Document Server | 2026-01-02 | N/A | 6.4 MEDIUM |
| ONLYOFFICE Docs before 9.2.1 allows XSS via the Font field for the Multilevel list settings window. This is related to DocumentServer. | |||||
| CVE-2025-68936 | 1 Onlyoffice | 1 Document Server | 2026-01-02 | N/A | 6.4 MEDIUM |
| ONLYOFFICE Docs before 9.2.1 allows XSS via the Color theme name. This is related to DocumentServer. | |||||
| CVE-2025-68942 | 1 Gitea | 1 Gitea | 2026-01-02 | N/A | 5.4 MEDIUM |
| Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text. | |||||
| CVE-2025-66580 | 1 Openagentplatform | 1 Dive | 2026-01-02 | N/A | 9.6 CRITICAL |
| Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. A critical Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 0.11.1 in the Mermaid diagram rendering component. The application allows the execution of arbitrary JavaScript via `javascript:`. An attacker can exploit this to inject a malicious Model Context Protocol (MCP) server configuration, leading to Remote Code Execution (RCE) on the victim's machine when the node is clicked. Version 0.11.1 fixes the issue. | |||||
| CVE-2025-67634 | 1 Cisa | 1 Software Acquisition Guide | 2026-01-02 | N/A | 4.4 MEDIUM |
| The CISA Software Acquisition Guide Supplier Response Web Tool before 2025-12-11 was vulnerable to cross-site scripting via text fields. If an attacker could convince a user to import a specially-crafted JSON file, the Tool would load JavaScript from the file into the page. The JavaScript would execute in the context of the user's browser when the user submits the page (clicks 'Next'). | |||||
| CVE-2025-68614 | 1 Librenms | 1 Librenms | 2026-01-02 | N/A | 4.3 MEDIUM |
| LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.12.0, the Alert Rule API is vulnerable to stored cross-site scripting. Alert rules can be created or updated via LibreNMS API. The alert rule name is not properly sanitized, and can be used to inject HTML code. This issue has been patched in version 25.12.0. | |||||
| CVE-2025-68915 | 1 Riello-ups | 1 Netman 208 | 2026-01-02 | N/A | 5.5 MEDIUM |
| Riello UPS NetMan 208 Application before 1.12 allows cgi-bin/loginbanner_w.cgi XSS via a crafted banner. | |||||
| CVE-2025-67289 | 1 Frappe | 2 Erpnext, Frappe | 2026-01-02 | N/A | 9.6 CRITICAL |
| An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to execute arbitrary code via uploading a crafted XML file. | |||||
| CVE-2025-67290 | 1 Dotnetfoundation | 1 Piranha Cms | 2026-01-02 | N/A | 6.1 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in the Page Settings module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Excerpt field. | |||||
| CVE-2025-67291 | 1 Dotnetfoundation | 1 Piranha Cms | 2026-01-02 | N/A | 6.1 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in the Media module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name field. | |||||
| CVE-2025-67443 | 1 Schlix | 1 Cms | 2026-01-02 | N/A | 6.1 MEDIUM |
| Schlix CMS before v2.2.9-5 is vulnerable to Cross Site Scripting (XSS). Due to lack of javascript sanitization in the login form, incorrect login attempts in logs are triggered as XSS in the admin panel. | |||||
| CVE-2025-68115 | 1 Parseplatform | 1 Parse-server | 2026-01-02 | N/A | 6.1 MEDIUM |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 8.6.1 and 9.1.0-alpha.3, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email verification HTML pages. The patch, available in versions 8.6.1 and 9.1.0-alpha.3, escapes user controlled values that are inserted into the HTML pages. No known workarounds are available. | |||||
| CVE-2025-68116 | 1 Filerise | 1 Filerise | 2026-01-02 | N/A | 8.9 HIGH |
| FileRise is a self-hosted web file manager / WebDAV server. Versions prior to 2.7.1 are vulnerable to Stored Cross-Site Scripting (XSS) due to unsafe handling of browser-renderable user uploads when served through the sharing and download endpoints. An attacker who can get a crafted SVG (primary) or HTML (secondary) file stored in a FileRise instance can cause JavaScript execution when a victim opens a generated share link (and in some cases via the direct download endpoint). This impacts share links (`/api/file/share.php`) and direct file access / download path (`/api/file/download.php`), depending on browser/content-type behavior. Version 2.7.1 fixes the issue. | |||||