Total
39753 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-56519 | 1 Tcpdf Project | 1 Tcpdf | 2025-11-03 | 7.5 High |
| An issue was discovered in TCPDF before 6.8.0. setSVGStyles does not sanitize the SVG font-family attribute. | ||||
| CVE-2024-47093 | 1 Nagvis | 1 Nagvis | 2025-11-03 | 8.8 High |
| Improper neutralization of input in Nagvis before version 1.9.42 which can lead to XSS | ||||
| CVE-2024-47090 | 1 Nagvis | 1 Nagvis | 2025-11-03 | 6.1 Medium |
| Improper neutralization of input in Nagvis before version 1.9.47 which can lead to XSS | ||||
| CVE-2024-45699 | 1 Zabbix | 1 Zabbix | 2025-11-03 | 5.4 Medium |
| The endpoint /zabbix.php?action=export.valuemaps suffers from a Cross-Site Scripting vulnerability via the backurl parameter. This is caused by the reflection of user-supplied data without appropriate HTML escaping or output encoding. As a result, a JavaScript payload may be injected into the above endpoint causing it to be executed within the context of the victim's browser. | ||||
| CVE-2024-43799 | 2 Redhat, Send Project | 11 Discovery, Network Observ Optr, Openshift and 8 more | 2025-11-03 | 5 Medium |
| Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0. | ||||
| CVE-2024-13722 | 2025-11-03 | 5.4 Medium | ||
| The "NagVis" component within Checkmk is vulnerable to reflected cross-site scripting. An attacker can craft a malicious link that will execute arbitrary JavaScript in the context of the browser once clicked. The attack can be performed on both authenticated and unauthenticated users. | ||||
| CVE-2023-25727 | 1 Phpmyadmin | 1 Phpmyadmin | 2025-11-03 | 5.4 Medium |
| In phpMyAdmin before 4.9.11 and 5.x before 5.2.1, an authenticated user can trigger XSS by uploading a crafted .sql file through the drag-and-drop interface. | ||||
| CVE-2022-24891 | 3 Netapp, Oracle, Owasp | 4 Active Iq Unified Manager, Oncommand Workflow Automation, Weblogic Server and 1 more | 2025-11-03 | 5.4 Medium |
| ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by a incorrect regular expression for "onsiteURL" in the **antisamy-esapi.xml** configuration file that can cause "javascript:" URLs to fail to be correctly sanitized. This issue is patched in ESAPI 2.3.0.0. As a workaround, manually edit the **antisamy-esapi.xml** configuration files to change the "onsiteURL" regular expression. More information about remediation of the vulnerability, including the workaround, is available in the maintainers' release notes and security bulletin. | ||||
| CVE-2025-41681 | 2025-11-03 | 4.8 Medium | ||
| A high privileged remote attacker can gain persistent XSS via POST requests due to improper neutralization of special elements used to create dynamic content. | ||||
| CVE-2025-32731 | 1 Meddream | 1 Pacs Premium | 2025-11-03 | 6.1 Medium |
| A reflected cross-site scripting (xss) vulnerability exists in the radiationDoseReport.php functionality of meddream MedDream PACS Premium 7.3.5.860. A specially crafted malicious url can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | ||||
| CVE-2025-64094 | 1 Dnnsoftware | 2 Dnn Platform, Dotnetnuke | 2025-11-03 | 6.4 Medium |
| DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 10.1.1, sanitization of the content of uploaded SVG files was not covering all possible XSS scenarios. This vulnerability exists because of an incomplete fix for CVE-2025-48378. This vulnerability is fixed in 10.1.1. | ||||
| CVE-2025-46827 | 1 Graylog | 1 Graylog | 2025-11-03 | 8 High |
| Graylog is a free and open log management platform. Prior to versions 6.0.14, 6.1.10, and 6.2.0, it is possible to obtain user session cookies by submitting an HTML form as part of an Event Definition Remediation Step field. For this attack to succeed, the attacker needs a user account with permissions to create event definitions, while the user must have permissions to view alerts. Additionally, an active Input must be present on the Graylog server that is capable of receiving form data (e.g. a HTTP input, TCP raw or syslog etc). Versions 6.0.14, 6.1.10, and 6.2.0 fix the issue. No known workarounds are available, as long as the relatively rare prerequisites are met. | ||||
| CVE-2023-46287 | 1 Nagvis | 1 Nagvis | 2025-11-03 | 6.1 Medium |
| XSS exists in NagVis before 1.9.38 via the select function in share/server/core/functions/html.php. | ||||
| CVE-2025-7746 | 1 Schneider-electric | 1 Altivar | 2025-11-03 | N/A |
| CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause an unvalidated data injected by a malicious user potentially leading to modify or read data in a victim’s browser. | ||||
| CVE-2025-54571 | 1 Owasp | 1 Modsecurity | 2025-11-03 | 6.1 Medium |
| ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below, an attacker can override the HTTP response’s Content-Type, which could lead to several issues depending on the HTTP scenario. For example, we have demonstrated the potential for XSS and arbitrary script source code disclosure in the latest version of mod_security2. This issue is fixed in version 2.9.12. | ||||
| CVE-2022-39333 | 1 Nextcloud | 1 Desktop | 2025-11-03 | 4.6 Medium |
| Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue. | ||||
| CVE-2022-39332 | 1 Nextcloud | 1 Desktop | 2025-11-03 | 4.6 Medium |
| Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application via user status and information. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue. | ||||
| CVE-2022-39331 | 1 Nextcloud | 1 Desktop | 2025-11-03 | 4.6 Medium |
| Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue. | ||||
| CVE-2014-5408 | 1 Nordex | 1 Nordex Control 2 Scada | 2025-11-03 | N/A |
| Cross-site scripting (XSS) vulnerability in the login script in the Wind Farm Portal on Nordex Control 2 (NC2) SCADA devices 15 and earlier allows remote attackers to inject arbitrary web script or HTML via the username parameter. | ||||
| CVE-2025-36138 | 1 Ibm | 2 Qradar Security Information And Event Manager, Qradar Suite | 2025-11-03 | 6.4 Medium |
| IBM QRadar SIEM 7.5 through 7.5.0 Update Pack 13 Independent Fix 02 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | ||||