Total: 41606 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2022-50684 | 1 Kentico | 1 Xperience | 2025-12-27 | N/A | 6.1 MEDIUM | An HTML injection vulnerability in Kentico Xperience allows attackers to inject malicious HTML values into form submission emails via unencoded form fields. Unencoded form values could enable HTML content execution in recipient email clients, potentially compromising email security. |
| CVE-2022-50683 | 1 Kentico | 1 Xperience | 2025-12-27 | N/A | 5.4 MEDIUM | A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via form redirect URL configuration. This allows malicious scripts to execute in users' browsers through unvalidated form configuration settings. |
| CVE-2022-50681 | 1 Kentico | 1 Xperience | 2025-12-27 | N/A | 6.1 MEDIUM | A reflected cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via administration input fields in the Rich text editor component. Attackers can exploit this vulnerability to execute arbitrary scripts in users' browsers. |
| CVE-2022-50680 | 1 Kentico | 1 Xperience | 2025-12-27 | N/A | 4.8 MEDIUM | A stored cross-site scripting vulnerability in Kentico Xperience allows administration users to inject malicious scripts via email marketing templates. Attackers can exploit this vulnerability to execute malicious scripts that could compromise user browsers and steal sensitive information. |
| CVE-2020-36891 | 1 Kentico | 1 Xperience | 2025-12-27 | N/A | 5.4 MEDIUM | A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to upload files with spoofed Content-Type that do not match file extensions. Attackers can exploit this vulnerability by uploading malicious files with manipulated MIME types, allowing malicious scripts to execute in users' browsers. |
| CVE-2020-36889 | 1 Kentico | 1 Xperience | 2025-12-27 | N/A | 5.4 MEDIUM | A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via error messages containing specially crafted object names. This allows malicious scripts to execute in users' browsers when administrators view error messages in the administration interface. |
| CVE-2023-53887 | 1 Zomp | 1 Zomplog | 2025-12-24 | N/A | 5.4 MEDIUM | Zomplog 3.9 contains a cross-site scripting vulnerability that allows authenticated users to inject malicious scripts when creating new pages. Attackers can craft malicious image source and onerror attributes to execute arbitrary JavaScript code in the victim's browser. |
| CVE-2023-53903 | 1 Websitebaker | 1 Websitebaker | 2025-12-24 | N/A | 5.4 MEDIUM | WebsiteBaker 2.13.3 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files with script tags that execute when the file is viewed, enabling persistent cross-site scripting attacks. |
| CVE-2023-53939 | 1 Tinywebgallery | 1 Tinywebgallery | 2025-12-24 | N/A | 5.4 MEDIUM | TinyWebGallery v2.5 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the folder name parameter. Attackers can edit album folder names with script tags to execute arbitrary JavaScript when other users view the affected gallery pages. |
| CVE-2022-40011 | 1 Typora | 1 Typora | 2025-12-24 | N/A | 6.1 MEDIUM | Typora through 1.3.8 allows XSS if a document containing an SVG element with an attacker-controlled onload attribute is exported and then used at a victim's origin. |
| CVE-2025-14701 | 1 Craftycontrol | 1 Crafty Controller | 2025-12-23 | N/A | 7.1 HIGH | An input neutralization vulnerability in the Server MOTD component of Crafty Controller allows a remote, unauthenticated attacker to perform stored XSS via server MOTD modification. |
| CVE-2025-12716 | 1 Gitlab | 1 Gitlab | 2025-12-23 | N/A | 8.7 HIGH | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that, under certain conditions, could have allowed an authenticated user to perform unauthorized actions on behalf of another user by creating wiki pages with malicious content. |
| CVE-2025-12029 | 1 Gitlab | 1 Gitlab | 2025-12-23 | N/A | 8.0 HIGH | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have, under certain circumstances, allowed an unauthenticated user to perform unauthorized actions on behalf of another user by injecting malicious external scripts into the Swagger UI. |
| CVE-2025-52842 | 3 Apple, Laundry Project, Linux | 3 Macos, Laundry, Linux Kernel | 2025-12-23 | N/A | 6.1 MEDIUM | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Laundry on Linux, MacOS allows Account Takeover. This issue affects Laundry: 2.3.0. |
| CVE-2024-5125 | 1 Lollms | 1 Lollms-webui | 2025-12-23 | N/A | 7.3 HIGH | parisneo/lollms-webui version 9.6 is vulnerable to Cross-Site Scripting (XSS) and Open Redirect due to inadequate input validation and processing of SVG files during the upload process. The XSS vulnerability allows attackers to embed malicious JavaScript code within SVG files, which is executed upon rendering, leading to potential credential theft and unauthorized data access. The Open Redirect vulnerability arises from insufficient URL validation within SVG files, enabling attackers to redirect users to malicious websites, thereby exposing them to phishing attacks, malware distribution, and reputation damage. These vulnerabilities are present in the application's functionality to send files to the AI module. |
| CVE-2024-21496 | 1 Authcrunch | 1 Caddy-security | 2025-12-23 | N/A | 6.1 MEDIUM | All versions of the package github.com/greenpau/caddy-security are vulnerable to Cross-site Scripting (XSS) via the Referer header, due to improper input sanitization. Although the Referer header is sanitized by escaping some characters that can allow XSS (e.g., [&], [<], [>], ["], [']), it does not account for the attack based on the JavaScript URL scheme (e.g., javascript:alert(document.domain)// payload). Exploiting this vulnerability may not be trivial, but it could lead to the execution of malicious scripts in the context of the target user's browser, compromising user sessions. |
| CVE-2024-12641 | 1 Cht | 1 Tenderdoctransfer | 2025-12-23 | N/A | 9.6 CRITICAL | TenderDocTransfer from Chunghwa Telecom has a Reflected Cross-site scripting vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection for the APIs, unauthenticated remote attackers could use specific APIs through phishing to execute arbitrary JavaScript code in the user's browser. Since the web server set by the application supports Node.Js features, attackers can further leverage this to run OS commands. |
| CVE-2025-68387 | 1 Elastic | 1 Kibana | 2025-12-23 | N/A | 6.1 MEDIUM | Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers, causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability in a function handler in the Vega AST evaluator. |
| CVE-2025-68385 | 1 Elastic | 1 Kibana | 2025-12-23 | N/A | 7.2 HIGH | Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers, causing cross-site scripting (XSS) (CAPEC-63) via a method in Vega bypassing a previous Vega XSS mitigation. |
| CVE-2019-25216 | 1 Starfish | 1 Rich Review | 2025-12-23 | N/A | 7.2 HIGH | The Rich Review plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the POST body 'update' parameter in versions up to, and including, 1.7.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
