Total
41620 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-34257 | 1 Advantech | 1 Wise-deviceon Server | 2025-12-17 | N/A | 5.4 MEDIUM |
| Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/action/defined endpoint. When an authenticated user creates a task, the defined_name value is stored and later rendered in the Overview page without HTML sanitization. An attacker can inject malicious script into defined_name, which is then executed in the browser context of users who view the affected task, potentially enabling session compromise and unauthorized actions as the victim. | |||||
| CVE-2025-66563 | 1 Monkeytype | 1 Monkeytype | 2025-12-17 | N/A | 6.1 MEDIUM |
| Monkeytype is a minimalistic and customizable typing test. In 25.49.0 and earlier, there is improper handling of user input which allows an attacker to execute malicious javascript on anyone viewing a malicious quote submission. quote.text and quote.source are user input, and they're inserted straight into the DOM. If they contain HTML tags, they will be rendered (after some escaping using quotes and textarea tags). | |||||
| CVE-2025-66843 | 1 Getgrav | 1 Grav | 2025-12-17 | N/A | 5.4 MEDIUM |
| grav before v1.7.49.5 has a Stored Cross-Site Scripting (Stored XSS) vulnerability in the page editing functionality. An authenticated low-privileged user with permission to edit content can inject malicious JavaScript payloads into editable fields. The payload is stored on the server and later executed when any other user views or edits the affected page. | |||||
| CVE-2023-53891 | 1 Blackcat-cms | 1 Blackcat Cms | 2025-12-17 | N/A | 5.4 MEDIUM |
| Blackcat CMS 1.4 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts into page content. Attackers can insert JavaScript payloads in the page modification interface that execute when other users view the compromised page. | |||||
| CVE-2025-65231 | 1 Barix | 2 Instreamer, Instreamer Firmware | 2025-12-17 | N/A | 6.1 MEDIUM |
| Barix Instreamer v04.06 and earlier is vulnerable to Cross Site Scripting (XSS) in the Web UI I/O & Serial configuration page, specifically the CTS close command user-input field which is stored and later rendered on the Status page. | |||||
| CVE-2025-65230 | 1 Barix | 2 Instreamer, Instreamer Firmware | 2025-12-17 | N/A | 5.4 MEDIUM |
| Barix Instreamer v04.06 and v04.05 contains a stored cross-site scripting (XSS) vulnerability in the Web UI Configuration Streaming Destination input. | |||||
| CVE-2024-47610 | 1 Inventree Project | 1 Inventree | 2025-12-17 | N/A | 7.3 HIGH |
| InvenTree is an Open Source Inventory Management System. In affected versions of InvenTree it is possible for a registered user to store javascript in markdown notes fields, which are then displayed to other logged in users who visit the same page and executed. The vulnerability has been addressed as follows: 1. HTML sanitization has been enabled in the front-end markdown rendering library - `easymde`. 2. Stored markdown is also validated on the backend, to ensure that malicious markdown is not stored in the database. These changes are available in release versions 0.16.5 and later. All users are advised to upgrade. There are no workarounds, an update is required to get the new validation functions. | |||||
| CVE-2025-67734 | 1 Frappe | 1 Learning | 2025-12-16 | N/A | 5.4 MEDIUM |
| Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allowed authenticated attackers to enter JavaScript through the Company Website field of the Job Form, exposing users to an XSS attack. The script could then be executed in the browsers of users who opened the malicious job posting. This issue is fixed in version 2.42.0. | |||||
| CVE-2019-11193 | 1 Directadmin | 1 Directadmin | 2025-12-16 | 6.8 MEDIUM | 6.1 MEDIUM |
| The FileManager in InfinitumIT DirectAdmin through v1.561 has XSS via CMD_FILE_MANAGER, CMD_SHOW_USER, and CMD_SHOW_RESELLER; an attacker can bypass the CSRF protection with this, and take over the administration panel. | |||||
| CVE-2007-1926 | 1 Directadmin | 1 Directadmin | 2025-12-16 | 6.8 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in JBMC Software DirectAdmin before 1.293 does not properly display log files, which allows remote authenticated users to inject arbitrary web script or HTML via (1) http or (2) ftp requests logged in /var/log/directadmin/security.log; (3) allows context-dependent attackers to inject arbitrary web script or HTML into /var/log/messages via a PHP script that invokes /usr/bin/logger; (4) allows local users to inject arbitrary web script or HTML into /var/log/messages by invoking /usr/bin/logger at the command line; and allows remote attackers to inject arbitrary web script or HTML via remote requests logged in the (5) /var/log/exim/rejectlog, (6) /var/log/exim/mainlog, (7) /var/log/proftpd/auth.log, (8) /var/log/httpd/error_log, (9) /var/log/httpd/access_log, (10) /var/log/directadmin/error.log, and (11) /var/log/directadmin/security.log files. | |||||
| CVE-2009-2216 | 1 Directadmin | 1 Directadmin | 2025-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in CMD_REDIRECT in DirectAdmin 1.33.6 and earlier allows remote attackers to inject arbitrary web script or HTML via the URI in a view=advanced request. | |||||
| CVE-2007-1508 | 1 Directadmin | 1 Directadmin | 2025-12-16 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in CMD_USER_STATS in DirectAdmin allows remote attackers to inject arbitrary web script or HTML via the RESULT parameter, a different vector than CVE-2006-5983. | |||||
| CVE-2006-5983 | 1 Directadmin | 1 Directadmin | 2025-12-16 | 6.0 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in JBMC Software DirectAdmin 1.28.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) user parameter to (a) CMD_SHOW_RESELLER or (b) CMD_SHOW_USER in the Admin level; the (2) TYPE parameter to (c) CMD_TICKET_CREATE or (d) CMD_TICKET, the (3) user parameter to (e) CMD_EMAIL_FORWARDER_MODIFY, (f) CMD_EMAIL_VACATION_MODIFY, or (g) CMD_FTP_SHOW, and the (4) name parameter to (h) CMD_EMAIL_LIST in the User level; or the (5) user parameter to (i) CMD_SHOW_USER in the Reseller level. | |||||
| CVE-2025-14662 | 1 Fabian | 1 Student File Management System | 2025-12-16 | 3.3 LOW | 2.4 LOW |
| A vulnerability was found in code-projects Student File Management System 1.0. This affects an unknown part of the file /admin/update_user.php of the component Update User Page. Performing manipulation results in cross site scripting. The attack may be initiated remotely. The exploit has been made public and could be used. | |||||
| CVE-2025-65572 | 1 Allskyteam | 1 Allsky | 2025-12-16 | N/A | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in AllskyTeam AllSky v2024.12.06_06 allows remote attackers to execute arbitrary code via the (1) config, (2) filename, or (3) extratext parameter to allskySettings.php. When the page is reloaded or when user visits allskySettings.php, the showMessages() function in status_messages.php will print out the error messages and execute the script injected by the attacker. | |||||
| CVE-2025-65300 | 1 Coohom | 1 Coohom | 2025-12-16 | N/A | 5.4 MEDIUM |
| A stored Cross-Site Scripting (XSS) vulnerability exists in the Coohom SaaS Platform feVersion=1760060603897 (2025-10-28) in the Account Settings module, where unsanitized user input in Address fields (City, State, Country/Region) is rendered back to the page. Attackers can inject arbitrary JavaScript code, which executes when the affected profile page is viewed. This can lead to session hijacking, cookie theft, or arbitrary script execution in the victim's browser. | |||||
| CVE-2022-26644 | 1 Oretnom23 | 1 Banking System | 2025-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Online Banking System Protect v1.0 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via parameters on user profile, system_info and accounts management. | |||||
| CVE-2025-36746 | 1 Solaredge | 1 Solaredge Monitoring Platform | 2025-12-16 | N/A | 5.4 MEDIUM |
| SolarEdge monitoring platform contains a Cross‑Site Scripting (XSS) flaw that allows an authenticated user to inject payloads into report names, which may execute in a victim’s browser during a deletion attempt. | |||||
| CVE-2022-36547 | 1 Hashenudara | 1 Edoc-doctor-appointment-system | 2025-12-16 | N/A | 6.1 MEDIUM |
| Edoc-doctor-appointment-system v1.0.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability at /patient/index.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Search field. | |||||
| CVE-2025-2536 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-12-16 | N/A | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability on Liferay Portal 7.4.3.82 through 7.4.3.128, and Liferay DXP 2024.Q3.0, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 82 through update 92 in the Frontend JS module's layout-taglib/__liferay__/index.js allows remote attackers to inject arbitrary web script or HTML via toastData parameter | |||||