Total
41604 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-15437 | 2026-01-02 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability was found in LigeroSmart up to 6.1.24. This affects an unknown part of the component Environment Variable Handler. Performing manipulation of the argument REQUEST_URI results in cross site scripting. The attack may be initiated remotely. The exploit has been made public and could be used. Upgrading to version 6.1.26 and 6.3 is able to mitigate this issue. The patch is named 264ac5b2be5b3c673ebd8cb862e673f5d300d9a7. The affected component should be upgraded. | |||||
| CVE-2025-68461 | 1 Roundcube | 1 Webmail | 2026-01-02 | N/A | 7.2 HIGH |
| Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document. | |||||
| CVE-2025-67787 | 1 Drivelock | 1 Drivelock | 2026-01-02 | N/A | 9.6 CRITICAL |
| An issue was discovered in 25.1.2 before 25.1.5. A Cross Site Scripting (XSS) issue in DriveLock Operations Center allows for session takeover over a network. | |||||
| CVE-2025-15374 | 1 Eyoucms | 1 Eyoucms | 2026-01-02 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was detected in EyouCMS up to 1.7.7. The affected element is an unknown function of the file application/home/model/Ask.php of the component Ask Module. Performing manipulation of the argument content results in cross site scripting. The attack can be initiated remotely. The exploit is now public and may be used. The vendor is "[a]cknowledging the existence of the vulnerability, we have completed the fix and will release a new version, v1.7.8". | |||||
| CVE-2019-17667 | 1 Comtech | 2 H8 Heights Remote Gateway, H8 Heights Remote Gateway Firmware | 2026-01-02 | 3.5 LOW | 5.4 MEDIUM |
| Comtech H8 Heights Remote Gateway 2.5.1 devices allow XSS and HTML injection via the Site Name (aka SiteName) field. | |||||
| CVE-2025-51962 | 1 Microstudio | 1 Microstudio | 2026-01-02 | N/A | 6.1 MEDIUM |
| A HTML Injection vulnerability in the comment section of the project page in MicroStudio 24.01.29 allows remote attackers to inject arbitrary web script or HTML via the text parameter of add_project_comment function. | |||||
| CVE-2025-68927 | 1 Libredesk | 1 Libredesk | 2026-01-02 | N/A | 6.1 MEDIUM |
| Libredesk is a self-hosted customer support desk. Prior to version 0.8.6-beta, LibreDesk is vulnerable to stored HTML injection in the contact notes feature. When adding notes via POST /api/v1/contacts/{id}/notes, the backend automatically wraps user input in <p> tags. However, by intercepting the request and removing the <p> tag, an attacker can inject arbitrary HTML elements such as forms and images, which are then stored and rendered without proper sanitization. This can lead to phishing, CSRF-style forced actions, and UI redress attacks. This issue has been patched in version 0.8.6-beta. | |||||
| CVE-2024-25814 | 1 Airc | 1 Mynet | 2026-01-02 | N/A | 6.1 MEDIUM |
| MyNET up to v26.05 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the msg parameter. | |||||
| CVE-2024-25812 | 1 Airc | 1 Mynet | 2026-01-02 | N/A | 6.1 MEDIUM |
| MyNET up to v26.05 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the src parameter. | |||||
| CVE-2023-36337 | 1 Inventory Management System Project | 1 Inventory Management System | 2026-01-02 | N/A | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in the component /index.php/cuzh4 of PHP Inventory Management System 1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | |||||
| CVE-2025-68946 | 1 Gitea | 1 Gitea | 2025-12-31 | N/A | 5.4 MEDIUM |
| In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS. | |||||
| CVE-2021-47733 | 1 Cmsimple | 1 Cmsimple | 2025-12-31 | N/A | 6.1 MEDIUM |
| CMSimple 5.4 contains a cross-site scripting vulnerability that allows attackers to bypass input filtering by using HTML to Unicode encoding. Attackers can inject malicious scripts by encoding payloads like ')-alert(1)// and execute arbitrary JavaScript when victims interact with delete buttons. | |||||
| CVE-2021-47737 | 1 Cszcms | 1 Csz Cms | 2025-12-31 | N/A | 5.4 MEDIUM |
| CSZ CMS 1.2.7 contains an HTML injection vulnerability that allows authenticated users to insert malicious hyperlinks in message titles. Attackers can craft POST requests to the member messaging system with HTML-based links to potentially conduct phishing or social engineering attacks. | |||||
| CVE-2025-67349 | 1 Fluentcms | 1 Fluentcms | 2025-12-31 | N/A | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability was identified in FluentCMS 1.2.3. After logging in as an admin and navigating to the "Add Page" function, the application fails to properly sanitize input in the <head> section, allowing remote attackers to inject arbitrary script tags. | |||||
| CVE-2025-61914 | 1 N8n | 1 N8n | 2025-12-31 | N/A | 7.3 HIGH |
| n8n is an open source workflow automation platform. Prior to version 1.114.0, a stored Cross-Site Scripting (XSS) vulnerability may occur in n8n when using the “Respond to Webhook” node. When this node responds with HTML content containing executable scripts, the payload may execute directly in the top-level window, rather than within the expected sandbox introduced in version 1.103.0. This behavior can enable a malicious actor with workflow creation permissions to execute arbitrary JavaScript in the context of the n8n editor interface. This issue has been patched in version 1.114.0. Workarounds for this issue involve restricting workflow creation and modification privileges to trusted users only, avoiding use of untrusted HTML responses in the “Respond to Webhook” node, and using an external reverse proxy or HTML sanitizer to filter responses that include executable scripts. | |||||
| CVE-2025-15355 | 2025-12-31 | N/A | 6.1 MEDIUM | ||
| ISOinsight developed by NetVision Information has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks. | |||||
| CVE-2025-55063 | 2025-12-31 | N/A | 4.8 MEDIUM | ||
| CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') | |||||
| CVE-2025-55064 | 2025-12-31 | N/A | 4.8 MEDIUM | ||
| CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') | |||||
| CVE-2025-55062 | 2025-12-31 | N/A | 4.8 MEDIUM | ||
| CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') | |||||
| CVE-2025-15249 | 2025-12-31 | 4.0 MEDIUM | 3.5 LOW | ||
| A weakness has been identified in zhujunliang3 work_platform up to 6bc5a50bb527ce27f7906d11ea6ec139beb79c31. This vulnerability affects unknown code of the component Content Handler. Executing manipulation can lead to cross site scripting. The attack may be performed from remote. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet. | |||||