Total
41617 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-11747 | 2025-12-19 | N/A | 6.4 MEDIUM | ||
| The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the colibri_blog_posts shortcode in all versions up to, and including, 1.0.345 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-14151 | 2025-12-19 | N/A | 6.1 MEDIUM | ||
| The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'outbound_resource' parameter in the slimtrack AJAX action in all versions up to, and including, 5.3.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-14449 | 2025-12-19 | N/A | 6.4 MEDIUM | ||
| The BA Book Everything plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's babe-search-form shortcode in all versions up to, and including, 1.8.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-58285 | 1 Chyrp | 1 Chyrp | 2025-12-19 | N/A | 5.4 MEDIUM |
| Chyrp 2.5.2 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts into post titles. Attackers can craft payloads in the title field that will execute when the post is viewed by other users, potentially stealing session cookies or performing client-side attacks. | |||||
| CVE-2021-42193 | 1 Nopcommerce | 1 Nopcommerce | 2025-12-19 | N/A | 6.1 MEDIUM |
| nopCommerce 4.40.3 is vulnerable to XSS in the Product Name at /Admin/Product/Edit/[id]. Each time a user views the product in the shop, the XSS payload fires. | |||||
| CVE-2025-41749 | 1 Phoenixcontact | 137 Fl Nat 2008, Fl Nat 2008 Firmware, Fl Nat 2208 and 134 more | 2025-12-19 | N/A | 7.1 HIGH |
| An XSS vulnerability in port_util.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. | |||||
| CVE-2025-41747 | 1 Phoenixcontact | 137 Fl Nat 2008, Fl Nat 2008 Firmware, Fl Nat 2208 and 134 more | 2025-12-19 | N/A | 7.1 HIGH |
| An XSS vulnerability in pxc_vlanIntfCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. | |||||
| CVE-2025-41746 | 1 Phoenixcontact | 137 Fl Nat 2008, Fl Nat 2008 Firmware, Fl Nat 2208 and 134 more | 2025-12-19 | N/A | 7.1 HIGH |
| An XSS vulnerability in pxc_portSecCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. | |||||
| CVE-2025-41748 | 1 Phoenixcontact | 137 Fl Nat 2008, Fl Nat 2008 Firmware, Fl Nat 2208 and 134 more | 2025-12-19 | N/A | 7.1 HIGH |
| An XSS vulnerability in pxc_Dot1xCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. | |||||
| CVE-2025-41750 | 1 Phoenixcontact | 137 Fl Nat 2008, Fl Nat 2008 Firmware, Fl Nat 2208 and 134 more | 2025-12-19 | N/A | 7.1 HIGH |
| An XSS vulnerability in pxc_PortCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. | |||||
| CVE-2025-41751 | 1 Phoenixcontact | 137 Fl Nat 2008, Fl Nat 2008 Firmware, Fl Nat 2208 and 134 more | 2025-12-19 | N/A | 7.1 HIGH |
| An XSS vulnerability in pxc_portCntr.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. | |||||
| CVE-2025-41752 | 1 Phoenixcontact | 137 Fl Nat 2008, Fl Nat 2008 Firmware, Fl Nat 2208 and 134 more | 2025-12-19 | N/A | 7.1 HIGH |
| An XSS vulnerability in pxc_portSfp.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. | |||||
| CVE-2025-65589 | 1 Nopcommerce | 1 Nopcommerce | 2025-12-19 | N/A | 6.1 MEDIUM |
| nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Attributes functionality. | |||||
| CVE-2025-65590 | 1 Nopcommerce | 1 Nopcommerce | 2025-12-19 | N/A | 5.4 MEDIUM |
| nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Blog posts functionality in the Content Management area. | |||||
| CVE-2025-65591 | 1 Nopcommerce | 1 Nopcommerce | 2025-12-19 | N/A | 5.4 MEDIUM |
| nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Currencies functionality. | |||||
| CVE-2025-65592 | 1 Nopcommerce | 1 Nopcommerce | 2025-12-19 | N/A | 6.1 MEDIUM |
| nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) in the product management functionality. Malicious payloads inserted into the "Product Name" and "Short Description" fields are stored in the backend database and executed automatically whenever a user views the affected pages. | |||||
| CVE-2025-43740 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-12-19 | N/A | 5.4 MEDIUM |
| A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.3.120 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13 and 2024.Q1.9 through 2024.Q1.19 allows an remote authenticated attacker to inject JavaScript through the message boards feature available via the web interface. | |||||
| CVE-2025-43731 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-12-19 | N/A | 5.4 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.8, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allows an remote authenticated user to inject JavaScript in message board threads and categories. | |||||
| CVE-2025-41745 | 1 Phoenixcontact | 137 Fl Nat 2008, Fl Nat 2008 Firmware, Fl Nat 2208 and 134 more | 2025-12-19 | N/A | 7.1 HIGH |
| An XSS vulnerability in pxc_portCntr2.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. | |||||
| CVE-2025-67342 | 1 Ruoyi | 1 Ruoyi | 2025-12-19 | N/A | 4.6 MEDIUM |
| RuoYi versions 4.8.1 and earlier is affected by a stored XSS vulnerability in the /system/menu/edit endpoint. While the endpoint is protected by an XSS filter, the protection can be bypassed. Additionally, because the menu is shared across all users, any user with menu modification permissions can impact all users by exploiting this stored XSS vulnerability. | |||||