Total
39744 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-40857 | 1 Apple | 7 Ipados, Iphone Os, Macos and 4 more | 2025-11-04 | 6.1 Medium |
| This issue was addressed through improved state management. This issue is fixed in Safari 18, visionOS 2, watchOS 11, macOS Sequoia 15, iOS 18 and iPadOS 18, tvOS 18. Processing maliciously crafted web content may lead to universal cross site scripting. | ||||
| CVE-2024-40846 | 1 Apple | 1 Macos | 2025-11-04 | 7.8 High |
| The issue was addressed with improved memory handling. This issue is fixed in macOS Sonoma 14.7, macOS Sequoia 15. Processing a maliciously crafted video file may lead to unexpected app termination. | ||||
| CVE-2024-40845 | 1 Apple | 1 Macos | 2025-11-04 | 5.5 Medium |
| The issue was addressed with improved memory handling. This issue is fixed in macOS Sonoma 14.7, macOS Sequoia 15. Processing a maliciously crafted video file may lead to unexpected app termination. | ||||
| CVE-2024-33893 | 1 Hms-networks | 7 Ewon Cosy\+ 4g Apac, Ewon Cosy\+ 4g Eu, Ewon Cosy\+ 4g Jp and 4 more | 2025-11-04 | 6.1 Medium |
| Cosy+ devices running a firmware 21.x below 21.2s10 or a firmware 22.x below 22.1s3 are vulnerable to XSS when displaying the logs due to improper input sanitization. This is fixed in version 21.2s10 and 22.1s3. | ||||
| CVE-2024-31444 | 2 Cacti, Fedoraproject | 2 Cacti, Fedora | 2025-11-04 | 4.6 Medium |
| Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `automation_tree_rules_form_save()` function in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the HTML statement in `form_confirm()` function from `lib/html.php` , finally resulting in cross-site scripting. Version 1.2.27 contains a patch for the issue. | ||||
| CVE-2024-31443 | 2 Cacti, Fedoraproject | 2 Cacti, Fedora | 2025-11-04 | 5.7 Medium |
| Cacti provides an operational monitoring and fault management framework. Prior to 1.2.27, some of the data stored in `form_save()` function in `data_queries.php` is not thoroughly checked and is used to concatenate the HTML statement in `grow_right_pane_tree()` function from `lib/html.php` , finally resulting in cross-site scripting. Version 1.2.27 contains a patch for the issue. | ||||
| CVE-2024-25582 | 2025-11-04 | 5.4 Medium | ||
| Module savepoints could be abused to inject references to malicious code delivered through the same domain. Attackers could perform malicious API requests or extract information from the users account. Exploiting this vulnerability requires temporary access to an account or successful social engineering to make a user follow a prepared link to a malicious account. Please deploy the provided updates and patch releases. The savepoint module path has been restricted to modules that provide the feature, excluding any arbitrary or non-existing modules. No publicly available exploits are known. | ||||
| CVE-2025-43338 | 1 Apple | 5 Ios, Ipados, Iphone Os and 2 more | 2025-11-04 | 7.1 High |
| An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in macOS Sonoma 14.8.2, iOS 26 and iPadOS 26. Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory. | ||||
| CVE-2025-12369 | 2 Hupe13, Wordpress | 2 Extensions For Leaflet Map, Wordpress | 2025-11-04 | 6.4 Medium |
| The Extensions for Leaflet Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `geojsonmarker` shortcode in all versions up to, and including, 4.7. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2018-6882 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-11-04 | 6.1 Medium |
| Cross-site scripting (XSS) vulnerability in the ZmMailMsgView.getAttachmentLinkHtml function in Zimbra Collaboration Suite (ZCS) before 8.7 Patch 1 and 8.8.x before 8.8.7 might allow remote attackers to inject arbitrary web script or HTML via a Content-Location header in an email attachment. | ||||
| CVE-2025-27915 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-11-04 | 5.4 Medium |
| An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a <details> tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration. | ||||
| CVE-2025-60503 | 1 Ultimatefosters | 1 Ultimatepos | 2025-11-04 | 8.7 High |
| A cross-site scripting (XSS) vulnerability exists in the administrative interface of ultimatefosters UltimatePOS 4.8 where input submitted in the purchase functionality is reflected without proper escaping in the admin log panel page in the 'reference No.' field. This flaw allows an authenticated attacker to execute arbitrary JavaScript in the context of an administrator's browser session, which could lead to session hijacking or other malicious actions. | ||||
| CVE-2025-11733 | 1 Wordpress | 1 Wordpress | 2025-11-04 | 7.2 High |
| The Footnotes Made Easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 3.0.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-62618 | 1 Elog | 1 Elog | 2025-11-04 | 8 High |
| ELOG allows an authenticated user to upload arbitrary HTML files. The HTML content is executed in the context of other users when they open the file. Because ELOG includes usernames and password hashes in certain HTTP requests, an attacker can obtain the target's credentials and replay them or crack the password hash offline. In ELOG 3.1.5-20251014 release, HTML files are rendered as plain text. | ||||
| CVE-2025-10534 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-11-04 | 8.1 High |
| Spoofing issue in the Site Permissions component. This vulnerability affects Firefox < 143 and Thunderbird < 143. | ||||
| CVE-2025-60950 | 1 Aixblock | 1 Aixblock | 2025-11-04 | 6.1 Medium |
| An arbitrary file upload vulnerability in the Data Preparation function of AIxBlock commit f60975 allows attackers to execute arbitrary code via a crafted SVG file. | ||||
| CVE-2025-52180 | 1 Zucchetti | 1 Ad Hoc Infinity | 2025-11-04 | 6.1 Medium |
| Cross-site scripting (XSS) vulnerability in Zucchetti Ad Hoc Infinity 4.2 and earlier allows remote unauthenticated attackers to inject arbitrary JavaScript via the pHtmlSource parameter of the /ahi/jsp/gsfr_feditorHTML.jsp?pHtmlSource endpoint. | ||||
| CVE-2025-64112 | 1 Statamic | 1 Cms | 2025-11-04 | 8 High |
| Statmatic is a Laravel and Git powered content management system (CMS). Stored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This vulnerability is fixed in 5.22.1. | ||||
| CVE-2025-36592 | 1 Dell | 1 Secure Connect Gateway Policy Manager | 2025-11-04 | 5.4 Medium |
| Dell Secure Connect Gateway (SCG) Policy Manager, version(s) 5.20. 5.22, 5.24, 5.26, 5.28, contain(s) an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Script injection. | ||||
| CVE-2025-56313 | 1 Jatos | 1 Jatos | 2025-11-04 | 6.1 Medium |
| A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the /publix/run endpoint of JATOS 3.7.1 through 3.9.6 (inclusive). This allows remote attackers to execute arbitrary JavaScript in a user's web browser by including a malicious payload in the "code" URL parameter. When an authenticated admin user accesses the study's URL, the malicious script gets interpreted and executes within their browser, which can lead to unauthorized actions, account compromise, and privilege escalation. | ||||