Total: 41605 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-65754 | 1 Algernon Project | 1 Algernon | 2025-12-30 | N/A | 6.1 MEDIUM |
| Cross Site Scripting vulnerability in Algernon v1.17.4 allows attackers to execute arbitrary code via injecting a crafted payload into a filename. | |||||
| CVE-2024-24130 | 1 Mail2world | 1 Mail2world Webmail | 2025-12-30 | N/A | 6.1 MEDIUM |
| Mail2World v12 Business Control Center was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Usr parameter at resellercenter/login.asp. | |||||
| CVE-2023-40262 | 1 Unify | 1 Openscape Voice Trace Manager | 2025-12-30 | N/A | 6.1 MEDIUM |
| An issue was discovered in Atos Unify OpenScape Voice Trace Manager V8 before V8 R0.9.11. It allows unauthenticated Stored Cross-Site Scripting (XSS) in the administration component via Access Request. | |||||
| CVE-2025-14991 | 1 Campcodes | 1 Complete Online Beauty Parlor Management System | 2025-12-30 | 3.3 LOW | 2.4 LOW |
| A weakness has been identified in Campcodes Complete Online Beauty Parlor Management System 1.0. The affected element is an unknown function of the file /admin/bwdates-reports-details.php. Executing manipulation of the argument fromdate can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. | |||||
| CVE-2025-14962 | 1 Carmelo | 1 Simple Stock System | 2025-12-30 | 5.0 MEDIUM | 4.3 MEDIUM |
| A flaw has been found in code-projects Simple Stock System 1.0. The impacted element is an unknown function of the file /market/chatuser.php. This manipulation causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. | |||||
| CVE-2025-63498 | 2 Alinto, Debian | 2 Sogo, Debian Linux | 2025-12-30 | N/A | 6.1 MEDIUM |
| alinto SOGo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the "userName" parameter. | |||||
| CVE-2024-1215 | 1 Remyandrade | 1 Crud Without Page Reload/refresh | 2025-12-30 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was found in SourceCodester CRUD without Page Reload 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file fetch_data.php. The manipulation of the argument username/city leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-252782 is the identifier assigned to this vulnerability. | |||||
| CVE-2025-60739 | 1 Ilevia | 2 Eve X1 Server, Eve X1 Server Firmware | 2025-12-30 | N/A | 9.6 CRITICAL |
| Cross Site Request Forgery (CSRF) vulnerability in Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before, Logic Version v6.00 - 2025_07_21 allows a remote attacker to execute arbitrary code via the /bh_web_backend component. | |||||
| CVE-2025-25939 | 1 Reprisesoftware | 1 Reprise License Manager | 2025-12-30 | N/A | 6.1 MEDIUM |
| Reprise License Manager 14.2 is vulnerable to reflected cross-site scripting in /goform/activate_process via the akey parameter. | |||||
| CVE-2025-66021 | 1 Owasp | 1 Java Html Sanitizer | 2025-12-30 | N/A | 6.1 MEDIUM |
| OWASP Java HTML Sanitizer is a configurable HTML sanitizer written in Java, allowing inclusion of HTML authored by third parties in web applications while protecting against XSS. In version 20240325.1, OWASP Java HTML Sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows noscript and style tags with allowTextIn inside the style tag. This could lead to XSS if the payload is crafted in such a way that it does not sanitise the CSS and allows tags that are not mentioned in the HTML policy. At time of publication no known patch is available. | |||||
| CVE-2025-52552 | 1 Fastgpt | 1 Fastgpt | 2025-12-29 | N/A | 6.1 MEDIUM |
| FastGPT is an AI Agent building platform. Prior to version 4.9.12, the LastRoute parameter on the login page is vulnerable to open redirect and DOM-based XSS. Improper validation and lack of sanitization of this parameter allows attackers to execute malicious JavaScript or redirect users to attacker-controlled sites. This issue has been patched in version 4.9.12. | |||||
| CVE-2025-14499 | | | 2025-12-29 | N/A | 8.8 HIGH |
| IceWarp gmaps Cross-Site Scripting Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of IceWarp. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of a parameter passed to the gmaps webpage. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-25441. | |||||
| CVE-2025-66444 | | | 2025-12-29 | N/A | 8.2 HIGH |
| Cross-site Scripting vulnerability in Hitachi Infrastructure Analytics Advisor (Data Center Analytics component) and Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view component). This issue affects Hitachi Infrastructure Analytics Advisor:; Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.5-00. | |||||
| CVE-2023-32120 | | | 2025-12-29 | N/A | 5.9 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Bob Hostel allows DOM-Based XSS. This issue affects Hostel: from n/a through 1.1.5.1. | |||||
| CVE-2019-25234 | | | 2025-12-29 | N/A | 5.3 MEDIUM |
| SmartHouse Webapp 6.5.33 contains multiple cross-site request forgery and cross-site scripting vulnerabilities that allow attackers to perform unauthorized actions. Attackers can exploit these vulnerabilities by tricking logged-in users into visiting malicious websites or injecting malicious scripts into various application parameters. | |||||
| CVE-2025-2154 | | | 2025-12-29 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Echo Call Center Services Trade and Industry Inc. Specto CM allows Stored XSS. This issue affects Specto CM: before 17032025. | |||||
| CVE-2018-25131 | | | 2025-12-29 | N/A | 7.2 HIGH |
| Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 contains a stored cross-site scripting vulnerability in the configuration file upload functionality. Attackers can upload a malicious HTML file that executes arbitrary JavaScript in a user's browser session when viewed. | |||||
| CVE-2025-68917 | | | 2025-12-29 | N/A | 6.4 MEDIUM |
| ONLYOFFICE Docs before 9.2.1 allows XSS in the textarea of the comment editing form. This is related to DocumentServer. | |||||
| CVE-2019-25233 | | | 2025-12-29 | N/A | 5.3 MEDIUM |
| AVE DOMINAplus 1.10.x contains cross-site request forgery and cross-site scripting vulnerabilities that allow attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to exploit login.php parameters and execute arbitrary scripts in user browser sessions. | |||||
| CVE-2019-25244 | | | 2025-12-29 | N/A | 5.3 MEDIUM |
| Legrand BTicino Driver Manager F454 1.0.51 contains multiple web vulnerabilities that allow attackers to perform administrative actions without proper request validation. Attackers can exploit cross-site request forgery to change passwords and inject stored cross-site scripting payloads through unvalidated GET parameters. | |||||
