Total
39743 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-64176 | 1 Thinkdashboard Project | 1 Thinkdashboard | 2025-11-07 | 5.3 Medium |
| ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. In versions 0.6.7 and below, an attacker can upload any file they wish to the /data directory of the web application via the backup import feature. When importing a backup, an attacker can first choose a .zip file to bypass the client-side file-type verification. This could lead to stored XSS, or be used for other nefarious purposes such as malware distribution. This issue is fixed in version 0.6.8. | ||||
| CVE-2025-12486 | 1 Heimdalldata | 1 Database Proxy | 2025-11-07 | N/A |
| Heimdall Data Database Proxy Cross-Site Scripting Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Heimdall Data Database Proxy. Minimal user interaction is required to exploit this vulnerability. The specific flaw exists within the handling of the database event logs. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of arbitrary script. An attacker can leverage this vulnerability to interact with the application in the context of the target user. Was ZDI-CAN-24755. | ||||
| CVE-2025-10955 | 1 Netcad | 1 Netigma | 2025-11-07 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Netcad Software Inc. Netigma allows XSS Through HTTP Query Strings.This issue affects Netigma: from 6.3.5 before 6.3.5 V8. | ||||
| CVE-2025-26662 | 2025-11-07 | 4.4 Medium | ||
| The Data Services Management Console does not sufficiently encode user-controlled inputs, allowing an attacker to inject malicious script. When a targeted victim, who is already logged in, clicks on the compromised link, the injected script gets executed within the scope of victim�s browser. This potentially leads to an impact on confidentiality and integrity. Availability is not impacted. | ||||
| CVE-2024-12020 | 1 Logicaldoc | 1 Logicaldoc | 2025-11-07 | 6.1 Medium |
| There is a reflected cross-site scripting (XSS) within JSP files used to control application appearance. An unauthenticated attacker could deceive a user into clicking a crafted link to trigger the vulnerability. Stealing the session cookie is not possible due to cookie security flags, however the XSS may be used to induce a victim to perform on-site requests without their knowledge. This vulnerability only affects LogicalDOC Enterprise. | ||||
| CVE-2025-62800 | 2 Fastmcp, Jlowin | 2 Fastmcp, Fastmcp | 2025-11-07 | 6.1 Medium |
| FastMCP is the standard framework for building MCP applications. Versions prior to 2.13.0 have a reflected cross-site scripting vulnerability in the OAuth client callback page (oauth_callback.py) where unescaped user-controlled values are inserted into the generated HTML, allowing arbitrary JavaScript execution in the callback server origin. The issue is fixed in version 2.13.0. | ||||
| CVE-2025-5347 | 1 Zohocorp | 1 Manageengine Exchange Reporter Plus | 2025-11-07 | 6.3 Medium |
| Zohocorp ManageEngine Exchange Reporter Plus versions before 5723 are vulnerable to Stored Cross Site Scripting in the reports module. | ||||
| CVE-2025-5343 | 1 Zohocorp | 1 Manageengine Exchange Reporter Plus | 2025-11-07 | 6.3 Medium |
| Zohocorp ManageEngine Exchange Reporter Plus versions through 5721 are vulnerable to Stored Cross Site Scripting in the Instant Search option. | ||||
| CVE-2024-29034 | 1 Carrierwave Project | 1 Carrierwave | 2025-11-07 | 6.8 Medium |
| CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. The vulnerability CVE-2023-49090 wasn't fully addressed. This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that is interpreted by browsers to be different from what's allowed by `content_type_allowlist`, by providing multiple values separated by commas. This bypassed value can be used to cause XSS. Upgrade to 3.0.7 or 2.2.6. | ||||
| CVE-2025-12546 | 1 Logicaldoc | 1 Logicaldoc | 2025-11-07 | 3.5 Low |
| A vulnerability was determined in LogicalDOC Community Edition up to 9.2.1. This affects an unknown part of the component API Key creation UI. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-11946 | 1 Logicaldoc | 1 Logicaldoc | 2025-11-07 | 3.5 Low |
| A security flaw has been discovered in LogicalDOC Community Edition up to 9.2.1. This issue affects some unknown processing of the file /frontend.jsp of the component Add Contact Page. Performing manipulation of the argument First Name/Last Name/Company/Address/Phone/Mobile results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-26258 | 2 Remyandrade, Sourcecodester | 2 Employee Management System, Employee Management System | 2025-11-06 | 6.1 Medium |
| Sourcecodester Employee Management System v1.0 is vulnerable to Cross Site Scripting (XSS) via 'Add Designation.' | ||||
| CVE-2025-62051 | 1 Wordpress | 1 Wordpress | 2025-11-06 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AndonDesign UDesign Core u-design-core.This issue affects UDesign Core: from n/a through <= 4.14.1. | ||||
| CVE-2023-52292 | 1 Ibm | 1 Sterling File Gateway | 2025-11-06 | 6.4 Medium |
| IBM Sterling File Gateway 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.3 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | ||||
| CVE-2024-11831 | 1 Redhat | 34 Acm, Advanced Cluster Security, Ansible Automation Platform and 31 more | 2025-11-06 | 5.4 Medium |
| A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package. | ||||
| CVE-2025-62041 | 3 Codexthemes, Elementor, Wordpress | 3 Thegem, Elementor, Wordpress | 2025-11-06 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem (Elementor) thegem-elementor.This issue affects TheGem (Elementor): from n/a through <= 5.10.5.1. | ||||
| CVE-2025-10280 | 1 Sailpoint | 1 Identityiq | 2025-11-06 | 7.1 High |
| IdentityIQ 8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and all 8.3 patch levels including 8.3p5, and all prior versions allows some IdentityIQ web services that provide non-HTML content to be accessed via a URL path that will set the Content-Type to HTML allowing a requesting browser to interpret content not properly escaped to prevent Cross-Site Scripting (XSS). | ||||
| CVE-2025-62040 | 2 Wordpress, Yop-poll | 3 Wordpress, Yop-poll, Yop Poll | 2025-11-06 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in YOP YOP Poll yop-poll.This issue affects YOP Poll: from n/a through <= 6.5.37. | ||||
| CVE-2025-64198 | 2 Appscreo, Wordpress | 2 Easy Social Share Buttons, Wordpress | 2025-11-06 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in appscreo Easy Social Share Buttons easy-social-share-buttons3 allows Reflected XSS.This issue affects Easy Social Share Buttons: from n/a through < 10.7.1. | ||||
| CVE-2025-64196 | 2 Pluggabl, Wordpress | 2 Booster For Woocommerce, Wordpress | 2025-11-06 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pluggabl Booster for WooCommerce woocommerce-jetpack allows Reflected XSS.This issue affects Booster for WooCommerce: from n/a through <= 7.2.5. | ||||