Total
40736 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-68942 | 1 Gitea | 1 Gitea | 2025-12-26 | 5.4 Medium |
| Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text. | ||||
| CVE-2025-68946 | 1 Gitea | 1 Gitea | 2025-12-26 | 5.4 Medium |
| In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS. | ||||
| CVE-2025-67349 | 2025-12-26 | 6.1 Medium | ||
| A cross-site scripting (XSS) vulnerability was identified in FluentCMS 1.2.3. After logging in as an admin and navigating to the "Add Page" function, the application fails to properly sanitize input in the <head> section, allowing remote attackers to inject arbitrary script tags. | ||||
| CVE-2025-2405 | 2025-12-26 | 7.6 High | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Verisay Communication and Information Technology Industry and Trade Ltd. Co. Titarus allows Cross-Site Scripting (XSS).This issue affects Titarus: before 2.144.4. | ||||
| CVE-2025-15093 | 2025-12-26 | 4.3 Medium | ||
| A security flaw has been discovered in sunkaifei FlyCMS up to abbaa5a8daefb146ad4d61027035026b052cb414. The affected element is an unknown function of the file src/main/java/com/flycms/web/system/IndexAdminController.java of the component Admin Login. Performing manipulation of the argument redirectUrl results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-2406 | 2025-12-26 | 7.6 High | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Verisay Communication and Information Technology Industry and Trade Ltd. Co. Trizbi allows Cross-Site Scripting (XSS).This issue affects Trizbi: before 2.144.4. | ||||
| CVE-2025-2307 | 2025-12-26 | 7.6 High | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Verisay Communication and Information Technology Industry and Trade Ltd. Co. Aidango allows Cross-Site Scripting (XSS).This issue affects Aidango: before 2.144.4. | ||||
| CVE-2025-68935 | 1 Onlyoffice | 1 Document Server | 2025-12-26 | 6.4 Medium |
| ONLYOFFICE Docs before 9.2.1 allows XSS via the Font field for the Multilevel list settings window. This is related to DocumentServer. | ||||
| CVE-2025-68936 | 1 Onlyoffice | 1 Document Server | 2025-12-26 | 6.4 Medium |
| ONLYOFFICE Docs before 9.2.1 allows XSS via the Color theme name. This is related to DocumentServer. | ||||
| CVE-2021-47733 | 1 Cmsimple | 1 Cmsimple | 2025-12-26 | 6.1 Medium |
| CMSimple 5.4 contains a cross-site scripting vulnerability that allows attackers to bypass input filtering by using HTML to Unicode encoding. Attackers can inject malicious scripts by encoding payloads like ')-alert(1)// and execute arbitrary JavaScript when victims interact with delete buttons. | ||||
| CVE-2021-47716 | 1 Orangescrum | 1 Orangescrum | 2025-12-26 | 5.4 Medium |
| Orangescrum 1.8.0 contains multiple cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts through various input parameters. Attackers can exploit parameters like 'projid', 'CS_message', and 'name' to execute arbitrary JavaScript code in victim's browsers by submitting crafted payloads through application endpoints. | ||||
| CVE-2024-40317 | 2025-12-24 | 6.1 Medium | ||
| A reflected cross-site scripting (XSS) vulnerability in MyNET up to v26.08 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload into the parameter HTTP. | ||||
| CVE-2025-68917 | 1 Onlyoffice | 1 Document Server | 2025-12-24 | 6.4 Medium |
| ONLYOFFICE Docs before 9.2.1 allows XSS in the textarea of the comment editing form. This is related to DocumentServer. | ||||
| CVE-2019-25244 | 2025-12-24 | 5.3 Medium | ||
| Legrand BTicino Driver Manager F454 1.0.51 contains multiple web vulnerabilities that allow attackers to perform administrative actions without proper request validation. Attackers can exploit cross-site request forgery to change passwords and inject stored cross-site scripting payloads through unvalidated GET parameters. | ||||
| CVE-2019-25234 | 2025-12-24 | 5.3 Medium | ||
| SmartHouse Webapp 6.5.33 contains multiple cross-site request forgery and cross-site scripting vulnerabilities that allow attackers to perform unauthorized actions. Attackers can exploit these vulnerabilities by tricking logged-in users into visiting malicious websites or injecting malicious scripts into various application parameters. | ||||
| CVE-2019-25233 | 2025-12-24 | 5.3 Medium | ||
| AVE DOMINAplus 1.10.x contains cross-site request forgery and cross-site scripting vulnerabilities that allow attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to exploit login.php parameters and execute arbitrary scripts in user browser sessions. | ||||
| CVE-2018-25131 | 2025-12-24 | 7.2 High | ||
| Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 contains a stored cross-site scripting vulnerability in the configuration file upload functionality. Attackers can upload a malicious HTML file to that executes arbitrary JavaScript in a user's browser session when viewed. | ||||
| CVE-2025-68915 | 2025-12-24 | 5.5 Medium | ||
| Riello UPS NetMan 208 Application before 1.12 allows cgi-bin/loginbanner_w.cgi XSS via a crafted banner. | ||||
| CVE-2025-68605 | 2025-12-24 | 5.4 Medium | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Post Grid and Gutenberg Blocks post-grid allows Stored XSS.This issue affects Post Grid and Gutenberg Blocks: from n/a through <= 2.3.18. | ||||
| CVE-2025-68599 | 2025-12-24 | 5.4 Medium | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Embeds For YouTube Plugin Support YouTube Embed youtube-embed allows Stored XSS.This issue affects YouTube Embed: from n/a through <= 5.4. | ||||